Re: [Openvpn-users] revocation without the crt file


  • Subject: Re: [Openvpn-users] revocation without the crt file
  • From: Josh Cepek <josh.cepek@xxxxxxx>
  • Date: Wed, 19 Dec 2007 17:18:26 -0600
  • Openpgp: id=2E5A5127

George Georgalis wrote:
> I think all my crt files are around but didn't expect I *needed*
> them to revoke, nor did I realize, as I now presume, they are
> required to start the daemon (in the form of pem files) as well.
>   

You don't actually need the individual client certificates to use
OpenVPN or OpenSSL, but you will need them to perform revocation with
OpenSSL.  OpenVPN only needs the CA certificate and a key/certificate
pair for each device (and DH parameters for the server.)

> So I also presume I can rename a pem file (and/or adjust
> index.txt) and restart openvpn, as a last ditch effort to disable
> access... maybe it will actually start. Next time, if I don't
> actually have the crt file, I'll try just using the pem file to
> revoke.
>   

The .pem and .crt files are identical and the extension doesn't affect
the content of the file.  Because of this, you can replace a missing crt
file by copying the proper pem file and naming it properly in the folder
you need.  You can also view the content of a certificate (regardless of
the file extension) with the following openssl command:

    openssl x509 -in SOME_CERTIFICATE.pem -noout -text

-- 
Josh


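The recovery described in the reply above, as an added example that is not part of the original message: a throwaway CA issues a client certificate, the .crt is lost, and the CA's own newcerts/<serial>.pem copy is used to revoke it. The names "Demo CA" and "client1", the minimal ca.cnf and the temp-directory layout are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example: throwaway CA in a temp directory. "Demo CA" and "client1"
# are constructed names, not values from the thread.
revoke_from_pem_demo() (
  set -e
  d=$(mktemp -d); trap 'rm -rf "$d"' EXIT; cd "$d"
  mkdir newcerts; : > index.txt; echo 01 > serial
  cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ ca ]
default_ca = demo
[ demo ]
database = index.txt
new_certs_dir = newcerts
serial = serial
certificate = ca.crt
private_key = ca.key
default_md = sha256
default_days = 30
default_crl_days = 30
policy = pol
[ pol ]
commonName = supplied
EOF
  # Build the CA and issue one client certificate (serial 01).
  openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Demo CA" -keyout ca.key -out ca.crt 2>/dev/null
  openssl req -config ca.cnf -newkey rsa:2048 -nodes \
    -subj "/CN=client1" -keyout client1.key -out client1.csr 2>/dev/null
  openssl ca -batch -config ca.cnf -in client1.csr -out client1.crt 2>/dev/null
  # The CA's own copy, newcerts/<serial>.pem, is byte-identical to the .crt.
  cmp -s newcerts/01.pem client1.crt
  # Lose the .crt, restore it from the .pem, then revoke and publish a CRL.
  rm client1.crt
  cp newcerts/01.pem client1.crt
  openssl ca -config ca.cnf -revoke client1.crt 2>/dev/null
  openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null
  # The CRL must list serial 01; print the index.txt status flag and serial.
  openssl crl -in crl.pem -noout -text | grep -q 'Serial Number: 01'
  awk -F'\t' '{ print $1, $4 }' index.txt
)
revoke_from_pem_demo
```

The printed status flag changes from V to R in index.txt once the revocation is recorded; OpenVPN only honours it after the regenerated crl.pem is the file its crl-verify option points at.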