
Re: [Openvpn-users] revocation without the crt file

  • Subject: Re: [Openvpn-users] revocation without the crt file
  • From: Erich Titl <erich.titl@xxxxxxxx>
  • Date: Wed, 19 Dec 2007 09:52:30 +0000


George Georgalis wrote:
> Using easy-rsa for openssl ca...
> the only means I see for revoking a cert requires possession of the
> certificate file to revoke, if the crt file is lost or unavailable
> is there any other way to revoke the method, or minimally disable
> the credentials?
> I imagine the process can be disrupted by hand editing (breaking)
> the appropriate line in index.txt; do we really require the cert to
> revoke?

To revoke a certificate the ca application in openssl has the -revoke
command which requires the certificate file. You need to also generate
the crl so that your server knows which certificates are revoked.

If you don't want to dig into the internals of a PKI I suggest using a
separate tool to handle your certificates. Look in the archives, there
have been a number of tools discussed. Else look for OpenCA, TinyCA or

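Added example, not part of the thread and not easy-rsa's own code: a shell sketch that finds a client's serial in `index.txt` by Common Name and revokes it from the CA's own stored copy, then regenerates the CRL. It assumes the CA directory still holds `index.txt` and the `<serial>.pem` copy that `openssl ca` writes to its `new_certs_dir` when signing; the function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# index.txt fields are TAB-separated:
#   status(V|R|E)  expiry  revocation-date  serial(hex)  filename  subject-DN

# Constructed sample database (not real certificates).
sample_index() {
    printf 'V\t171216095230Z\t\t01\tunknown\t/C=US/O=Example/CN=server\n'
    printf 'R\t171216095230Z\t071218120000Z\t02\tunknown\t/C=US/O=Example/CN=laptop1\n'
    printf 'V\t171216095230Z\t\t03\tunknown\t/C=US/O=Example/CN=laptop1\n'
    printf 'V\t171216095230Z\t\t04\tunknown\t/C=US/O=Example/CN=laptop10\n'
}

# Print "STATUS SERIAL" for every entry in index file $1 whose subject has
# exactly CN=$2 (a CN that itself contains "/" is not handled).
cert_lookup() {
    awk -F'\t' -v cn="$2" '{
        n = split($6, rdn, "/")
        for (i = 1; i <= n; i++)
            if (rdn[i] == "CN=" cn) { print $1, $4; break }
    }' "$1"
}

# Print the serial of the single still-valid (V) certificate for CN=$2.
# Fails when there is none or more than one, so nothing is revoked by guesswork.
valid_serial() {
    cert_lookup "$1" "$2" | awk -v cn="$2" '
        $1 == "V" { n++; serial = $2 }
        END {
            if (n == 1) { print serial; exit 0 }
            msg = (n ? "several" : "no") " valid certificate(s) for CN=" cn
            print msg > "/dev/stderr"
            exit 1
        }'
}

# Revoke CN=$3 from the CA's stored copy, then regenerate the CRL.
# $1 = openssl config file, $2 = CA directory (assumed layout, see lead-in),
# $3 = Common Name, $4 = CRL output file.
revoke_by_cn() {
    serial=$(valid_serial "$2/index.txt" "$3") || return 1
    pem="$2/$serial.pem"
    [ -r "$pem" ] || { echo "stored copy $pem not found" >&2; return 1; }
    openssl ca -config "$1" -revoke "$pem" &&
        openssl ca -config "$1" -gencrl -out "$4"
}
```

Revocation only takes effect once the regenerated CRL is in the place the OpenVPN server reads it from.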