[OpenVPN home] [Date Prev] [Date Index] [Date Next]
[OpenVPN mailing lists] [Thread Prev] [Thread Index] [Thread Next]
Web openvpn.net

Re: [Openvpn-users] revocation without the crt file

  • Subject: Re: [Openvpn-users] revocation without the crt file
  • From: Josh Cepek <josh.cepek@xxxxxxx>
  • Date: Wed, 19 Dec 2007 17:18:26 -0600
  • Openpgp: id=2E5A5127
  • Z-usanet-msgid: XID762LLswsD0463X40

George Georgalis wrote:
> I think all my crt files are around but didn't expect I *needed*
> them to revoke, nor did I realize, as I now presume, they are are
> required to start the daemon (in the form of pem files) as well.

You don't actually need the individual client certificates to use
OpenVPN or OpenSSL, but you will need them to perform revocation with
OpenSSL.  OpenVPN only needs the CA certificate and a key/certificate
pair for each device (and DH parameters for the server.)

> So I also presume I can rename a pem file (and/or adjust
> index.txt) and restart openvpn, as a last ditch effort to disable
> access... maybe it will actually start. Next time, if I don't
> actually have the crt file, I'll try just using the pem file to
> revoke.

The .pem and .crt files are identical and the extension doesn't affect
the content of the file.  Because of this, you can replace a missing crt
file by copying the proper pem file and naming it properly in the folder
you need.  You can also view the content of a certificate (regardless of
the file extension) with the following openssl command: openssl x509 -in
SOME_CERTIFICATE.pem -noout -text


Attachment: signature.asc
Description: OpenPGP digital signature