
[Openvpn-users] Certificate Revocation Issue

  • Subject: [Openvpn-users] Certificate Revocation Issue
  • From: Aidan Anderson <mail@xxxxxxxxxxxxxxxxxxx>
  • Date: Tue, 05 Feb 2008 13:26:57 +0000

Hi List,

I have been testing the setup of OpenVPN 2.0 and easy-rsa version 2.0 
for possible deployment in our network.  I have come across an issue 
with revoking certificates.

First off, it allows you to create multiple certificates with the same 
common name.  This is pointed out in the documentation as useful for 
creating a certificate with the same common name as a previously revoked 
certificate (lost passwords etc.).  However, if you create 2 
certificates with the same common name and issue the ./revoke-full 
command on the common name, it revokes the most recently created 
certificate.  If you issue the revoke command again with the same common 
name, it says that the certificate is already revoked.  When I tested 
connection to the server from a client PC, the revoked certificate is 
rejected as expected but the certificate created initially still works 
and you have no way of revoking it.  Having a certificate out in the 
field that you cannot revoke is obviously very dangerous and will give 
you a big headache if you have to create a new CA and re-issue all your 

How have other people coped with this?  Would the best plan be to write 
a wrapper for the revoke-full command to ensure that a common name 
cannot be created if a valid one already exists?  I could do this by 
reading the contents of index.txt.

Any thoughts?


Openvpn-users mailing list
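The wrapper idea from the post, worked out as an added example (this is not code from the original message or from easy-rsa). The reason the older certificate survives is that easy-rsa 2's revoke-full revokes by file name (keys/<name>.crt), and build-key overwrites that file when a name is reused, so the earlier certificate is only reachable through its serial in the CA database, index.txt. The script below parses index.txt (tab-separated: status V/R/E, expiry, revocation date, serial, file name, DN), lists every still-valid serial for a common name, refuses to issue a duplicate while a valid one exists, and revokes each serial individually. The keys/<serial>.pem copies that openssl ca keeps, and the openssl.cnf path, are assumptions about the easy-rsa 2 layout; the sample index.txt is constructed, not real CA data.

```shell
#!/bin/sh
# Added example: handle duplicate common names in an easy-rsa 2 / OpenSSL CA
# database by working from serials in index.txt instead of keys/<CN>.crt.

# index.txt columns (tab-separated): 1 status (V/R/E), 2 expiry,
# 3 revocation date (empty unless revoked), 4 serial, 5 cert file name
# ("unknown"), 6 subject DN.  Prints the serial of every valid entry whose
# DN carries exactly /CN=<cn> (so "alice" does not match "alice2").
valid_serials_for_cn() {
    index="$1"; cn="$2"
    awk -F'\t' -v cn="$cn" '
        $1 == "V" && $6 ~ ("/CN=" cn "(/|$)") { print $4 }
    ' "$index"
}

# Exit 0 if an unrevoked cert with this CN exists: the check a build-key
# wrapper would run before allowing the name to be reused.
cn_has_valid_cert() {
    [ -n "$(valid_serials_for_cn "$1" "$2")" ]
}

# Revoke every valid cert for a CN by serial, then regenerate the CRL.
# Assumes (hypothetical layout) that openssl ca kept a copy of each issued
# cert as $keydir/<serial>.pem, which easy-rsa 2's openssl.cnf arranges by
# pointing new_certs_dir at the key directory.
revoke_all_by_cn() {
    index="$1"; cn="$2"; keydir="$3"; cnf="$4"
    for serial in $(valid_serials_for_cn "$index" "$cn"); do
        openssl ca -config "$cnf" -revoke "$keydir/$serial.pem" || return 1
    done
    openssl ca -config "$cnf" -gencrl -out "$keydir/crl.pem"
}

# Constructed sample database (not real data): two valid certs for alice
# (serials 01 and 03), one revoked cert for bob, and a valid "alice2" that
# must not be mistaken for alice.  Written with printf so tabs are explicit.
make_sample_index() {
    f="$1"
    printf 'V\t180203130000Z\t\t01\tunknown\t/C=US/O=Example/CN=alice/emailAddress=alice@example.org\n' > "$f"
    printf 'R\t180203130000Z\t080205132657Z\t02\tunknown\t/C=US/O=Example/CN=bob/emailAddress=bob@example.org\n' >> "$f"
    printf 'V\t180203130000Z\t\t03\tunknown\t/C=US/O=Example/CN=alice/emailAddress=alice@example.org\n' >> "$f"
    printf 'V\t180203130000Z\t\t04\tunknown\t/C=US/O=Example/CN=alice2\n' >> "$f"
}

# Stand-alone demo (no openssl calls): ./dupcn.sh demo
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp)
    make_sample_index "$tmp"
    echo "valid serials for alice: $(valid_serials_for_cn "$tmp" alice | tr '\n' ' ')"
    cn_has_valid_cert "$tmp" alice && echo "refuse build-key alice: a valid cert already exists"
    cn_has_valid_cert "$tmp" bob || echo "build-key bob allowed: no valid cert on file"
    rm -f "$tmp"
fi
```

Against the sample database the alice lookup returns serials 01 and 03, which is exactly the pair revoke-full cannot both reach by name; revoke_all_by_cn would then hand each <serial>.pem to openssl ca -revoke. The CN is used as a regular expression fragment, so names containing regex metacharacters would need escaping before this check is trusted as a gate.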