
Re: [Openvpn-users] revocation without the crt file

  • Subject: Re: [Openvpn-users] revocation without the crt file
  • From: Jan Just Keijser <janjust@xxxxxxxxx>
  • Date: Thu, 20 Dec 2007 15:32:23 +0100

Hi George,

if you still have all the <N>.pem files then you can do something like

for i in keys/*.pem
do
  echo -n "$i: "
  openssl x509 -in "$i" -subject -noout
done
to find the subject name of the missing certificate. Once you have found 
it, you can then revoke the certificate using "standard" openssl commands:

  openssl ca -revoke <file>
  openssl ca -gencrl

and use the appropriate .crl file in your openvpn server setup.



George Georgalis wrote:
> On Wed, Dec 19, 2007 at 10:31:36AM +0100, Jan Just Keijser wrote:
>> this is not an openvpn question really, but an openssl question...
>> In short, it is NOT possible to revoke a certificate without knowing the 
>> certificate DN __AND__ certificate serial number.
>> If you're the CA for a particular vpn server then how come you don't 
>> have a copy of the public cert files anymore? with the 'easy-rsa' 
>> distribution you should have a directory 'keys' with contents similar to
>>  01.pem
>>  02.pem
>>  ca.crt
>>  ca.key
>>  index.txt
>>  index.txt.old
>>  serial
>>  serial.old
>> the 01.pem, 02.pem etc are copies of the certificates that you have 
>> signed and handed out.
>> If you don't have them then I'd suggest to start over with your CA.
> I've scripted my own ca management, around easy-rsa. Getting the
> path/name for revoking crt files has been a bug, and every time I
> do it manually I think there must be a better way. I like to keep
> it simple, but per other response, maybe I can find a non-GUI CA
> tool to help out.
> I think all my crt files are around but didn't expect I *needed*
> them to revoke, nor did I realize, as I now presume, they are
> required to start the daemon (in the form of pem files) as well.
> So I also presume I can rename a pem file (and/or adjust
> index.txt) and restart openvpn, as a last ditch effort to disable
> access... maybe it will actually start. Next time, if I don't
> actually have the crt file, I'll try just using the pem file to
> revoke.
>> If you're really up s**t's creek then I would suggest to add a 
>> 'tls-verify' script to your openvpn server conf:
>>  tls-verify /etc/openvpn/verify-cn
>> and inside this script look for the offending certificate DN (which I 
>> hope and assume you do know) and then have the script return '1' if the 
>> offending DN is found, e.g. on Linux you could use something similar to
>> #!/bin/bash
>> # OpenVPN runs the tls-verify script with $1 = certificate depth, $2 = X.509 subject
>> if [ $# -lt 2 ]
>> then
>>    exit 1
>> fi
>> # reject the connection when the offending DN is presented
>> if  [ "$2" = "Offending_DN" ]
>> then
>>    exit 1
>> fi
>> exit 0
> Thanks, nice tip.
> // George
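
George's "there must be a better way" to find the pem file for a revocation can be answered from the CA database itself: this added script (not from the thread, not easy-rsa's own code) resolves a CN to the <serial>.pem that "openssl ca -revoke" wants by reading index.txt, skipping entries that are already revoked. It assumes the standard openssl ca index.txt layout and a keys/ directory holding <serial>.pem files; the database entries in it are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: resolve a certificate's CN to the
# <serial>.pem file that "openssl ca -revoke" needs, by reading the CA
# database (index.txt) kept by openssl ca / easy-rsa, instead of running
# openssl x509 over every keys/*.pem.  index.txt is tab-separated:
#   status  expiry  revocation_date  serial  filename  subject_DN
# with status V (valid), R (revoked) or E (expired).

# Constructed sample database (hypothetical entries) written to file $1.
write_sample_index() {
  printf 'V\t271201120000Z\t\t01\tunknown\t/C=NL/O=Example/CN=server\n' > "$1"
  printf 'V\t271201120000Z\t\t02\tunknown\t/C=NL/O=Example/CN=alice\n' >> "$1"
  printf 'R\t271201120000Z\t071219103136Z\t03\tunknown\t/C=NL/O=Example/CN=bob\n' >> "$1"
  printf 'V\t271201120000Z\t\t04\tunknown\t/C=NL/O=Example/CN=alice\n' >> "$1"
}

# Print "serial status" for every database entry whose CN matches exactly
# (a re-issued certificate may share the DN, so there can be several).
lookup_cn() {
  index="$1"; cn="$2"
  awk -F '\t' -v cn="$cn" '{
    n = split($6, parts, "/")
    for (i = 1; i <= n; i++)
      if (parts[i] == "CN=" cn) print $4, $1
  }' "$index"
}

# Print the pem path(s) to hand to "openssl ca -revoke": only entries that
# are still valid (V); already-revoked or expired ones are reported on stderr.
pem_for_revocation() {
  index="$1"; cn="$2"; keydir="${3:-keys}"
  lookup_cn "$index" "$cn" | while read -r serial status; do
    case "$status" in
      V) printf '%s/%s.pem\n' "$keydir" "$serial" ;;
      R) echo "serial $serial (CN=$cn) is already revoked" >&2 ;;
      *) echo "serial $serial (CN=$cn) has status $status, skipping" >&2 ;;
    esac
  done
}

# Demo on the constructed database; in a real CA directory you would follow
# each printed path with:  openssl ca -revoke <pem>  and then  openssl ca -gencrl
demo() {
  tmp="${TMPDIR:-/tmp}/index.$$"
  write_sample_index "$tmp"
  pem_for_revocation "$tmp" alice     # prints keys/02.pem and keys/04.pem
  pem_for_revocation "$tmp" bob       # nothing on stdout, warning on stderr
  rm -f "$tmp"
}
demo
```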

Openvpn-users mailing list