Re: [Openvpn-users] Obtain certificate serial number of an active client in Logfiles


  • Subject: Re: [Openvpn-users] Obtain certificate serial number of an active client in Logfiles
  • From: Josh Cepek <josh.cepek@xxxxxxx>
  • Date: Mon, 30 Jul 2007 01:13:21 -0500
  • Openpgp: id=2E5A5127
  • Z-usanet-msgid: XID105LgdgNd0138X40

Patrick Cervicek wrote:
I am using different certificates for each client. Some of them use
the same CN, which is allowed with "duplicate-cn".

In the logfile I can only see the DN but not the serial number,
e.g.:

VERIFY OK: depth=0, emailAddress=pace/C=DE/ST=BW/L=Esslingen/O=Esslingen/OU=RZ/CN=OpenVPN2

Is there a way to find out the serial number?
This would be important to revoke the correct certificate.

The serial number of the certificate isn't recorded in the log files of the OpenVPN server because all OpenVPN cares about is the success or failure of the certificate having been signed by the CA.  It's a really bad idea to use the same common name on different certificates for this very reason, and that option shouldn't be used for production setups.  However, if you are using the easy-rsa SSL scripts, or do it manually but leave the certificates in the default ./newcerts directory, all signed certificates will appear in ./newcerts/##.pem, where ## is the serial number of each certificate issued by the CA.  You can use these files when revoking a certificate by pointing openssl to the certificate you wish to revoke.

If this is a live system, consider fixing your PKI by issuing all certificates with unique common names.  It's just too much of a headache to manage otherwise.

-- 
Josh

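As an added example, not part of the original thread, here is a POSIX shell helper that does what the reply suggests: walk the easy-rsa ./newcerts directory, print the file name, serial number and subject of every certificate whose CN matches, so the right file can be handed to `openssl ca -revoke`. It assumes `openssl` is on PATH and that the directory is passed as the first argument.

```shell
#!/bin/sh
# Find CA-issued certificates by CN so the correct serial can be revoked.
# Assumption: easy-rsa's default layout, one ./newcerts/<serial>.pem per
# certificate the CA has signed. Usage:
#   list_certs_by_cn ./newcerts OpenVPN2
# Output: one line per match, "<file> <serial-hex> <subject>".
#
# Once the right file is known, revoke it with the CA (not run here):
#   openssl ca -config openssl.cnf -revoke ./newcerts/02.pem
#   openssl ca -config openssl.cnf -gencrl -out crl.pem

list_certs_by_cn() {
    dir=$1
    cn=$2
    for f in "$dir"/*.pem; do
        [ -f "$f" ] || continue
        # RFC2253 formatting gives "CN=name,..." with no spaces, so the
        # match below works the same across OpenSSL versions.
        subject=$(openssl x509 -noout -subject -nameopt RFC2253 \
                  -in "$f" 2>/dev/null) || continue   # skip non-certificates
        # Require the CN attribute to match in full: the value must be
        # followed by a comma (next attribute) or be the last one.
        case "$subject" in
            *"CN=$cn" | *"CN=$cn,"*) ;;
            *) continue ;;
        esac
        serial=$(openssl x509 -noout -serial -in "$f" | sed 's/^serial=//')
        printf '%s %s %s\n' "$f" "$serial" "$subject"
    done
}
```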