
[Openvpn-users] Is it possible to revoke without their crt?

  • Subject: [Openvpn-users] Is it possible to revoke without their crt?
  • From: Jason Whitlark <jwhitlark@xxxxxxxxxx>
  • Date: Tue, 25 Jul 2006 10:39:25 -0700

>This is probably a stupid question. Is it possible to revoke a client
>without actually having their certificate? I'm thinking that's
>impossible, or is there a way you can blacklist their common name?
>I removed some client certificates from a server because I thought they
>weren't needed, which they weren't for the clients to connect, but now I
>can't revoke them, as it says unable to load certificate.
>Seems rather obvious now, but I didn't notice anything about this in the
>FAQ/HOWTO. I'm suggesting that some notes about this be added to the
>FAQ/HOWTO, especially where it says that clientX.crt is only needed by
>client (the table of files near the top of the HOWTO for example says
>just this...).

I had problems with this, too. The docs say you don't need your *.crt
files for the server. Fortunately, some of the easy-rsa/keys/*.pem
files seem to be perfect copies of the *.crt files. You just need to
find the right one and copy it.

How to fix:
grep username easy-rsa/keys/*.pem
    to find the certificate you need
cp ??.pem username.crt
    to replace the certificate you're missing
Then you can run the revoke-full script in the usual fashion.

To whom it may concern:
This really should be in the docs under
http://openvpn.net/howto.html#revoke.  It also might make sense to
provide this capability to revoke-full...
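As an added example (not part of the original post, and not easy-rsa's own code), a small POSIX shell script that automates the grep-and-copy recovery described above, matching the CN exactly so that `alice` does not also pick up `alice2`, and refusing to overwrite a .crt that is already there. It assumes the easy-rsa 2.x keys layout, where `openssl ca` stored each issued certificate as keys/<serial>.pem with the certificate's text dump (Subject: ... CN=...) ahead of the PEM block; KEY_DIR, the CN and the function names are mine.

```sh
#!/bin/sh
# Added example, not from the original post or from easy-rsa itself.
# Recovers a client .crt that was deleted from the server so that
# revoke-full can load it again. Assumes the easy-rsa 2.x layout, where
# `openssl ca` kept every issued certificate as KEY_DIR/<serial>.pem with
# a text dump ("Subject: ... CN=<name>") ahead of the PEM block, and that
# KEY_DIR contains no whitespace.

# find_cert_pem KEY_DIR CN
#   Prints the single <serial>.pem whose Subject CN is exactly CN.
#   Exit 1: no match. Exit 2: several matches (a renewed cert, for example).
find_cert_pem() {
    dir=$1
    cn=$2
    # Anchor on the CN field: a bare `grep alice` would also hit alice2
    # or an emailAddress that merely contains the name.
    matches=$(grep -l -E "^[[:space:]]*Subject:.*[ ,/]CN[ ]?=[ ]?${cn}([ ,/]|$)" \
                  "$dir"/*.pem 2>/dev/null)
    set -- $matches
    case $# in
        0) echo "no certificate with CN=$cn under $dir" >&2; return 1 ;;
        1) echo "$1"; return 0 ;;
        *) echo "ambiguous: $# certificates carry CN=$cn:" >&2
           printf '  %s\n' "$@" >&2; return 2 ;;
    esac
}

# restore_cert KEY_DIR CN
#   Copies the located <serial>.pem back to KEY_DIR/CN.crt, refusing to
#   overwrite an existing file, and prints the restored path.
#   Afterwards ./revoke-full CN works as documented in the HOWTO.
restore_cert() {
    dir=$1
    cn=$2
    src=$(find_cert_pem "$dir" "$cn") || return $?
    dst=$dir/$cn.crt
    if [ -e "$dst" ]; then
        echo "$dst already exists; not overwriting" >&2
        return 3
    fi
    cp "$src" "$dst" && echo "$dst"
}

# Usage from the easy-rsa directory:  sh restore-crt.sh keys alice
if [ $# -eq 2 ]; then
    restore_cert "$1" "$2"
fi
```

Before revoking, `openssl x509 -noout -subject -in keys/alice.crt` prints the subject of the recovered file so you can confirm it is the certificate you meant.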
