Re: [Openvpn-users] Revoke will not revoke?

  • Subject: Re: [Openvpn-users] Revoke will not revoke?
  • From: Charles Duffy <cduffy@xxxxxxxxxxx>
  • Date: Fri, 07 Jul 2006 08:50:13 -0500

Florian Lamberty wrote:
> Hello!
> I have an urgent problem. I revoked somebody's cert, (the first one I 
> ever revoked) and after a few days, I noticed that this guy is *Still* 
> logging on via vpn. Damn - removed his frickin files (key, crt, csr) 
> restarted openvpn - and the bugger is STILL able to connect!

As you've observed, the server never needs a local copy of a user's key 
or certificate to authenticate that user. Instead, it validates the key 
and certificate *provided by the user* against its copy of the CA 
certificate. Remember how best practice is to keep your CA on a 
completely different machine from your OpenVPN server? This is why that 

The Right Thing is to revoke the user's certificate (for which you need 
to still have it -- so if you deleted it entirely, you've screwed 
yourself somewhat), generate a new CRL (certificate revocation list), 
and update the OpenVPN config file to use that CRL.

If you can't do that because you've completely deleted your copy of the 
user's certificate, use a client-config-dir to either whitelist clients 
(using the ccd-exclusive directive and a file -- even an empty one -- 
for each allowed client) or blacklist them using the disable directive. 
There may be a way to revoke certificates without having a copy of them, 
but I'd need to look into how the "openssl ca" mechanism for tracking 
revoked certificates works.
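The two approaches from the reply above, written out as an added example script (not code from the thread or from the OpenVPN project). It assumes an "openssl ca" style CA directory at CA_DIR with an openssl.cnf, and a client-config-dir at CCD_DIR; both paths, and the client names, are placeholders. The first function is the CRL route and needs a copy of the user's certificate; the other two need only the certificate's common name, since OpenVPN looks up the ccd file by CN.

```shell
#!/bin/sh
# Added example: lock out a client whose certificate still verifies against the CA.
# CA_DIR and CCD_DIR are assumed locations, not from the original thread.
set -eu

CA_DIR="${CA_DIR:-/etc/openvpn/ca}"    # assumed: holds openssl.cnf, index.txt, private/ca.key
CCD_DIR="${CCD_DIR:-/etc/openvpn/ccd}" # assumed client-config-dir used by the server

# 1) The Right Thing: mark the certificate revoked in the CA database and
#    regenerate the CRL that the server checks through "crl-verify".
#    Requires the user's certificate file (the CA's own copy normally lives
#    under the CA's new_certs_dir, named by serial number).
revoke_and_regen_crl() {
    cert="$1"
    openssl ca -config "$CA_DIR/openssl.cnf" -revoke "$cert"
    openssl ca -config "$CA_DIR/openssl.cnf" -gencrl -out "$CA_DIR/crl.pem"
    # Sanity check: the CRL parses and the revoked serial appears in it.
    openssl crl -in "$CA_DIR/crl.pem" -noout -text
}

# 2a) Whitelist: with "ccd-exclusive" the server only accepts a client whose
#     common name has a file in the client-config-dir; an empty file is enough.
allow_client() {
    mkdir -p "$CCD_DIR"
    : > "$CCD_DIR/$1"
}

# 2b) Blacklist: a ccd file containing the "disable" directive makes the
#     server refuse that common name even though its certificate is valid.
disable_client() {
    mkdir -p "$CCD_DIR"
    printf 'disable\n' > "$CCD_DIR/$1"
}

# Report whether a common name would be admitted under the ccd-exclusive
# policy: the file must exist and must not carry the "disable" directive.
# Returns 0 (allowed) or 1 (refused).
ccd_allows() {
    f="$CCD_DIR/$1"
    [ -f "$f" ] && ! grep -qx 'disable' "$f"
}

# Server-side directives the functions above rely on (assumed server.conf lines).
write_server_fragment() {
    cat <<EOF
crl-verify $CA_DIR/crl.pem
client-config-dir $CCD_DIR
ccd-exclusive
EOF
}

# Example usage (uncomment on a real server):
# revoke_and_regen_crl /path/to/revoked-user.crt
# allow_client alice     # alice may connect
# disable_client bob     # bob is refused regardless of his certificate
# write_server_fragment >> /etc/openvpn/server.conf
```

The ccd route is immediate but does not touch the certificate, so it only protects servers that share the same client-config-dir policy; the CRL route is the one that actually invalidates the credential everywhere the CRL is distributed.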

