Re: [Openvpn-users] revocation without the crt file


  • Subject: Re: [Openvpn-users] revocation without the crt file
  • From: Jan Just Keijser <janjust@xxxxxxxxx>
  • Date: Wed, 19 Dec 2007 10:31:36 +0100

This is not really an OpenVPN question, but an OpenSSL question...

In short, it is NOT possible to revoke a certificate without knowing the 
certificate DN __AND__ certificate serial number.
If you're the CA for a particular VPN server then how come you don't 
have a copy of the public cert files anymore? With the 'easy-rsa' 
distribution you should have a directory 'keys' with contents similar to
  01.pem
  02.pem
  ca.crt
  ca.key
  index.txt
  index.txt.old
  serial
  serial.old

The 01.pem, 02.pem etc. are copies of the certificates that you have 
signed and handed out.
If you don't have them then I'd suggest starting over with your CA.

If you're really up s**t's creek then I would suggest adding a 
'tls-verify' script to your OpenVPN server conf:
  tls-verify /etc/openvpn/verify-cn
and inside this script look for the offending certificate DN (which I 
hope and assume you do know) and then have the script return '1' if the 
offending DN is found, e.g. on Linux you could use something similar to

#!/bin/bash
# OpenVPN calls a tls-verify script as: <script> <depth> <X509 subject>
# A non-zero exit status rejects the certificate (and the TLS handshake).

# Fail closed if OpenVPN did not pass both arguments
if [ $# -lt 2 ]
then
    exit 1
fi

# Reject the certificate whose DN we want to block; replace Offending_DN
# with the exact subject string as OpenVPN passes it
if  [ "$2" = "Offending_DN" ]
then
    exit 1
fi

# Anything else is accepted
exit 0


HTH,

JJK

George Georgalis wrote:
> Using easy-rsa for openssl ca...
>
> the only means I see for revoking a cert requires possession of the
> certificate file to revoke, if the crt file is lost or unavailable
> is there any other way to revoke the method, or minimally disable
> the credentials?
>
> I imagine the process can be disrupted by hand editing (breaking)
> the appropriate line in index.txt; do we really require the cert to
> revoke?
>
> (BTW I don't see much coverage of revoke in the OpenVPN (Packet)
> book).
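As an added example (this is neither the poster's script nor OpenVPN project code), the following POSIX sh tls-verify helper generalizes the single-DN check above to a deny-list file of subject DNs, one per line. It only examines the leaf certificate (depth 0), and it fails closed when arguments are missing or the list cannot be read. The list path /etc/openvpn/denied-dns.txt and the sample DNs are constructed assumptions; the subject string OpenVPN passes as $2 is slash-separated in older releases and comma-separated in newer ones, so the entries in the list must match the exact format your server passes. Installed as /etc/openvpn/verify-cn it would be wired in with the same `tls-verify /etc/openvpn/verify-cn` line shown above.

```shell
#!/bin/sh
# tls-verify helper: OpenVPN invokes it as  <script> <depth> <x509_subject>
# and rejects the certificate (and the whole handshake) on a non-zero exit.
# Added example, not the original poster's script; path below is an assumption.
DENY_FILE="${DENY_FILE:-/etc/openvpn/denied-dns.txt}"

# verify_cn DEPTH SUBJECT DENYFILE
# Returns 0 to accept the certificate, 1 to reject it.
verify_cn() {
    depth="$1"
    subject="$2"
    denyfile="$3"

    # Missing arguments: fail closed rather than accept by accident.
    if [ -z "$depth" ] || [ -z "$subject" ]; then
        return 1
    fi

    # Only depth 0 is the client's own certificate. Issuer certificates at
    # depth 1+ are accepted here (they are validated by OpenVPN's normal
    # chain checks, not by this deny list). Anything unexpected is rejected.
    case "$depth" in
        0) ;;
        [1-9]|[1-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac

    # An unreadable deny list would otherwise silently accept everyone.
    if [ ! -r "$denyfile" ]; then
        return 1
    fi

    # Exact whole-line match; -F stops '/', '=' and ',' in a DN from being
    # treated as regex metacharacters, -x requires the full line to match.
    if grep -qxF -- "$subject" "$denyfile"; then
        return 1
    fi
    return 0
}

# Constructed sample deny list for a stand-alone demo; prints the file path.
# The DNs are made up and use the older slash-separated subject format.
make_demo_denylist() {
    f=$(mktemp)
    printf '%s\n' '/C=US/O=Example VPN/CN=lost-laptop' \
                  '/C=US/O=Example VPN/CN=ex-employee' > "$f"
    echo "$f"
}

# When OpenVPN runs this script it always passes two arguments; evaluate and
# exit with the result. With no arguments (e.g. sourced for testing) do nothing.
if [ $# -gt 0 ]; then
    verify_cn "$1" "$2" "$DENY_FILE"
    exit $?
fi
```

Because grep matches whole lines exactly, a DN that differs only in attribute order or spacing from the string OpenVPN passes will not be caught; copy the subject from the server log of a connection attempt rather than typing it by hand.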

____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users