
Re: [Openvpn-users] revocation without the crt file

  • Subject: Re: [Openvpn-users] revocation without the crt file
  • From: George Georgalis <george@xxxxxxxxx>
  • Date: Wed, 19 Dec 2007 14:32:44 -0500

On Wed, Dec 19, 2007 at 10:31:36AM +0100, Jan Just Keijser wrote:
>this is not an openvpn question really, but an openssl question...
>In short, it is NOT possible to revoke a certificate without knowing the 
>certificate DN __AND__ certificate serial number.
>If you're the CA for a particular vpn server then how come you don't 
>have a copy of the public cert files anymore? with the 'easy-rsa' 
>distribution you should have a directory 'keys' with contents similar to
>  01.pem
>  02.pem
>  ca.crt
>  ca.key
>  index.txt
>  index.txt.old
>  serial
>  serial.old
>the 01.pem, 02.pem etc are copies of the certificates that you have 
>signed and handed out.
>If you don't have them then I'd suggest to start over with your CA.

I've scripted my own CA management, around easy-rsa. Getting the
path/name for revoking crt files has been a bug, and every time I
do it manually I think there must be a better way. I like to keep
it simple, but per other response, maybe I can find a non-GUI CA
tool to help out.

I think all my crt files are around but didn't expect I *needed*
them to revoke, nor did I realize, as I now presume, they are
required to start the daemon (in the form of pem files) as well.

So I also presume I can rename a pem file (and/or adjust
index.txt) and restart openvpn, as a last ditch effort to disable
access... maybe it will actually start. Next time, if I don't
actually have the crt file, I'll try just using the pem file to

>If you're really up s**t's creek then I would suggest to add a 
>'tls-verify' script to your openvpn server conf:
>  tls-verify /etc/openvpn/verify-cn
>and inside this script look for the offending certificate DN (which I 
>hope and assume you do know) and then have the script return '1' if the 
>offending DN is found, e.g. on Linux you could use something similar to
>if [ $# -lt 2 ]; then
>    exit 1
>fi
>if [ "$2" = "Offending_DN" ]; then
>    exit 1
>fi
>exit 0

Thanks, nice tip.

// George
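
One way to recover the serial number and the signed-copy path that the quoted reply says a revocation needs, read from the CA's index.txt. This is an added example, not part of the original thread or of easy-rsa; `lookup_cert` is a hypothetical helper, the sample entries are constructed, and it assumes the NN.pem copies sit beside index.txt as in the directory listing above.

```shell
#!/bin/sh
# Added example: look up a certificate in the CA database by its CN.
# index.txt is tab-separated:
#   status (V/R/E), expiry, revocation date, serial, filename, subject DN

# lookup_cert KEYS_DIR CN
# Prints "status serial pem-path" for every entry whose DN has that CN.
lookup_cert() {
    awk -F '\t' -v cn="$2" -v dir="$1" '
        {
            # Field 6 is the subject DN, e.g. /C=US/O=Example/CN=client1
            n = split($6, rdn, "/")
            for (i = 1; i <= n; i++)
                if (rdn[i] == "CN=" cn)
                    printf "%s %s %s/%s.pem\n", $1, $4, dir, $4
        }' "$1/index.txt"
}

# Constructed sample database (not real CA data).
demo_dir=$(mktemp -d)
{
    printf 'V\t171216143244Z\t\t01\tunknown\t/C=US/O=Example/CN=server\n'
    printf 'V\t171216143244Z\t\t02\tunknown\t/C=US/O=Example/CN=client1/emailAddress=a@example.org\n'
    printf 'R\t171216143244Z\t071219193244Z\t03\tunknown\t/C=US/O=Example/CN=client2\n'
} > "$demo_dir/index.txt"

lookup_cert "$demo_dir" client1   # still valid: serial 02
lookup_cert "$demo_dir" client2   # already revoked: status R
```

A path printed with status `V` is the file to hand to `openssl ca -revoke`; an `R` entry is already revoked.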