
Re: [Openvpn-users] Certificate Revocation Issue

  • Subject: Re: [Openvpn-users] Certificate Revocation Issue
  • From: Erich Titl <erich.titl@xxxxxxxx>
  • Date: Tue, 05 Feb 2008 15:32:13 +0000

Aidan Anderson wrote:
> Hi List,
> I have been testing the setup of OpenVPN 2.0 and easy-rsa version 2.0 
> for possible deployment in our network.  I have come across an issue 
> with revoking certificates.
> First off, it allows you to create multiple certificates with the same 
> common name.  This is pointed out in the documentation as useful for 
> creating a certificate with the same common name as a previously revoked 
> certificate (lost passwords etc.).  However, if you create 2 
> certificates with the same common name and issue the ./revoke-full 
> command on the common name, it revokes the most recently created 
> certificate.  If you issue the revoke command again with the same common 
> name, it says that the certificate is already revoked.  When I tested 
> connection to the server from a client PC, the revoked certificate is 
> rejected as expected but the certificate created initially still works 
> and you have no way of revoking it.  Having a certificate out in the 
> field that you cannot revoke is obviously very dangerous and will give 
> you a big headache if you have to create a new CA and re-issue all your 
> certificates.

Typically you need to revoke a certificate _before_ you can reissue it.

> How have other people coped with this?  Would the best plan be to write 
> a wrapper for the revoke-full command to ensure that a common name 
> cannot be created if a valid one already exists?  I could do this by 
> reading the contents of index.txt.

easy-rsa is what it is called, a simple easy wrapper for openssl. 
Depending on the number of certificates you want to handle, you probably 
need another tool.
I don't have many certs to support and went for roCA, a small CDrom 
based tool which I run in a virtual machine. Not too well suited for 
large numbers of certificates but it works for me.
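
The wrapper idea raised in the question, worked through as an added example (my code, not easy-rsa's or roCA's). easy-rsa 2.0's revoke-full hands keys/<CN>.crt to `openssl ca -revoke`, and build-key overwrites that file whenever the same name is used again, which is why only the newest certificate for a name can be revoked that way. The CA database index.txt records every certificate by serial, so a script can spot common names that still have more than one valid certificate and revoke by serial instead. Assumptions: index.txt has the standard six tab-separated fields, and the CA keeps its copy of each issued certificate as <serial>.pem in the directory `new_certs_dir` points at (easy-rsa 2.0 sets that to $KEY_DIR, shown here as keys/). The index contents are constructed for the example.

```python
"""Find common names with more than one valid certificate in an OpenSSL
CA index.txt and emit revocation commands that name a serial, not a CN.

Added example for this thread, not easy-rsa's own code. Assumes the CA's
openssl.cnf sits in the current directory and issued certificates live
as keys/<serial>.pem (easy-rsa 2.0's new_certs_dir = $KEY_DIR)."""

import os
from collections import defaultdict

# index.txt fields (tab-separated): status (V/R/E), expiry YYMMDDHHMMSSZ,
# revocation date (empty unless R), serial (hex), filename ("unknown"),
# subject DN.  Constructed sample: alice was issued twice, carol was
# revoked once and re-issued.
SAMPLE_INDEX = "\n".join([
    "V\t180205153213Z\t\t01\tunknown\t/C=UK/O=Example/CN=alice/emailAddress=alice@example.org",
    "V\t180205153213Z\t\t02\tunknown\t/C=UK/O=Example/CN=bob/emailAddress=bob@example.org",
    "V\t180205153213Z\t\t03\tunknown\t/C=UK/O=Example/CN=alice/emailAddress=alice@example.org",
    "R\t180205153213Z\t080205153213Z\t04\tunknown\t/C=UK/O=Example/CN=carol/emailAddress=carol@example.org",
    "V\t180205153213Z\t\t05\tunknown\t/C=UK/O=Example/CN=carol/emailAddress=carol@example.org",
])


def common_name(dn):
    """Pull CN out of a slash-separated DN (escaped '/' is not handled)."""
    for rdn in dn.split("/"):
        if rdn.startswith("CN="):
            return rdn[3:]
    return None


def parse_index(text):
    """Parse index.txt into a list of dicts, one per issued certificate."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError("malformed index.txt line: %r" % line)
        status, expiry, revoked, serial, _filename, dn = fields
        entries.append({"status": status, "expiry": expiry, "revoked": revoked,
                        "serial": serial, "dn": dn, "cn": common_name(dn)})
    return entries


def valid_serials_by_cn(entries):
    """Map CN -> serials still marked V.  Note openssl ca only flips V to E
    for expired certificates when `openssl ca -updatedb` is run."""
    by_cn = defaultdict(list)
    for e in entries:
        if e["status"] == "V":
            by_cn[e["cn"]].append(e["serial"])
    return dict(by_cn)


def find_valid_duplicates(entries):
    """CNs that currently have more than one unrevoked certificate."""
    return {cn: serials for cn, serials in valid_serials_by_cn(entries).items()
            if len(serials) > 1}


def can_issue(entries, cn):
    """Guard for a build-key wrapper: refuse a CN that still has a valid cert,
    so a duplicate can never be created in the first place."""
    return cn not in valid_serials_by_cn(entries)


def revoke_command(serial, ca_dir="keys", config="openssl.cnf"):
    """`openssl ca -revoke` takes a certificate file.  Naming the CA's own
    <serial>.pem copy selects exactly one certificate, unlike <CN>.crt."""
    return ["openssl", "ca", "-config", config, "-revoke",
            os.path.join(ca_dir, serial + ".pem")]


def main(text=SAMPLE_INDEX):
    entries = parse_index(text)
    dups = find_valid_duplicates(entries)
    for cn, serials in sorted(dups.items()):
        print("CN=%s has %d valid certificates: %s" % (cn, len(serials), ", ".join(serials)))
        for serial in serials:
            print("  " + " ".join(revoke_command(serial)))
    return dups


if __name__ == "__main__":
    main()
```

Run against a real CA's index.txt, the script prints one `openssl ca -revoke keys/<serial>.pem` line per stray certificate; after revoking, regenerate crl.pem with `openssl ca -gencrl` as revoke-full does, since the server only rejects what the CRL lists.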
