Patrick Cervicek wrote:
I am using a different certificate for each client. Some of them use
the same CN, which is allowed with "duplicate-cn".
In the log file I can only see the DN but not the serial number.
VERIFY OK: depth=0, emailAddress=pace/C=DE/ST=BW/L=Esslingen/O=Esslingen/OU=RZ/CN=OpenVPN2
Is there a way to find out the serial number?
This would be important to revoke the correct certificate.
The serial number of the certificate isn't recorded in the log files of
the OpenVPN server because all OpenVPN cares about is whether or not
the certificate was signed by the CA. It's a really bad idea to use the
same common name on different certificates for this very reason, and
that option shouldn't be used for production setups.
However, if you are using the easy-rsa SSL scripts, or do it manually
but leave the certificates in the default ./newcerts directory, all
signed certificates will appear in ./newcerts/##.pem, where ## is the
serial number of each certificate issued by the CA. You can use these
files when revoking a certificate by pointing openssl to the
certificate you wish to revoke.
If this is a live system, consider fixing your PKI by issuing all
certificates with unique common names. It's just too much of a
headache to manage otherwise.
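The lookup described in the reply, as an added example that is not part of the original thread. It assumes the CA was built with easy-rsa or a plain "openssl ca" setup, which keeps its database in index.txt and a copy of every issued certificate in newcerts/<serial>.pem; the CA directory, the openssl.cnf location and the sample index.txt contents are assumptions constructed for the demo. Given a CN from the VERIFY line, it lists every serial the CA issued for that CN (exact match, so OpenVPN2 does not also match OpenVPN20), narrows to the ones still valid, and wraps the openssl commands for inspecting and revoking the chosen serial.

```shell
#!/bin/sh
# Added example, not code from the original thread or from OpenVPN.
# Assumes an "openssl ca"-style CA directory (as easy-rsa creates) with
# index.txt and newcerts/<serial>.pem. Paths below are placeholders.

set -eu

# Constructed sample index.txt for the demo: four certificates, two of them
# sharing CN=OpenVPN2 (the CN from the log line in the question), one of
# those already revoked, plus a CN that merely starts with "OpenVPN2".
# Columns are tab-separated: status (V/R/E), expiry, revocation date
# (empty while valid), serial (hex), filename ("unknown"), subject DN.
write_sample_index() {
    {
        printf 'V\t330101000000Z\t\t01\tunknown\t/emailAddress=pace/C=DE/ST=BW/L=Esslingen/O=Esslingen/OU=RZ/CN=OpenVPN1\n'
        printf 'V\t330101000000Z\t\t02\tunknown\t/emailAddress=pace/C=DE/ST=BW/L=Esslingen/O=Esslingen/OU=RZ/CN=OpenVPN2\n'
        printf 'R\t330101000000Z\t240601120000Z\t03\tunknown\t/emailAddress=pace/C=DE/ST=BW/L=Esslingen/O=Esslingen/OU=RZ/CN=OpenVPN2\n'
        printf 'V\t330101000000Z\t\t04\tunknown\t/emailAddress=pace/C=DE/ST=BW/L=Esslingen/O=Esslingen/OU=RZ/CN=OpenVPN20\n'
    } > "$1"
}

# Print "serial status" for every certificate in index.txt whose subject
# carries exactly the given CN. Splitting the DN on "/" and comparing whole
# RDN components avoids matching CN=OpenVPN20 when asked for OpenVPN2.
serials_for_cn() {       # serials_for_cn <index.txt> <cn>
    awk -F'\t' -v cn="$2" '
        {
            n = split($6, rdn, "/")
            for (i = 1; i <= n; i++)
                if (rdn[i] == ("CN=" cn)) { print $4, $1; break }
        }' "$1"
}

# Same, restricted to certificates still valid (status V): these are the
# only revocation candidates.
valid_serials_for_cn() { # valid_serials_for_cn <index.txt> <cn>
    serials_for_cn "$1" "$2" | awk '$2 == "V" { print $1 }'
}

# Inspect one issued certificate by serial. With duplicate CNs the subject
# alone cannot tell the copies apart, so compare the fingerprint against
# the file you actually handed to the client before revoking anything.
show_cert() {            # show_cert <ca_dir> <serial>
    openssl x509 -in "$1/newcerts/$2.pem" -noout -subject -serial -fingerprint -sha256
}

# Revoke by serial and regenerate the CRL that the OpenVPN server loads
# through its crl-verify option. The openssl.cnf path is an assumption.
revoke_serial() {        # revoke_serial <ca_dir> <serial>
    openssl ca -config "$1/openssl.cnf" -revoke "$1/newcerts/$2.pem"
    openssl ca -config "$1/openssl.cnf" -gencrl -out "$1/crl.pem"
}

SAMPLE_INDEX=$(mktemp)
write_sample_index "$SAMPLE_INDEX"

echo "All certificates issued for CN=OpenVPN2 (serial status):"
serials_for_cn "$SAMPLE_INDEX" OpenVPN2
echo "Still-valid candidates for revocation:"
valid_serials_for_cn "$SAMPLE_INDEX" OpenVPN2
# To act on a real CA: show_cert /etc/openvpn/easy-rsa/keys 02, then
# revoke_serial /etc/openvpn/easy-rsa/keys 02 once the fingerprint matches.
```

The listing shows why the reply calls duplicate CNs a headache: for CN=OpenVPN2 the database returns two serials, and nothing in the VERIFY line says which one the misbehaving client presented, so the final choice has to come from records kept outside the CA (which newcerts file was issued to which person or device).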