
Re: [Openvpn-users] Certificate Revocation Issue

  • Subject: Re: [Openvpn-users] Certificate Revocation Issue
  • From: Aidan Anderson <mail@xxxxxxxxxxxxxxxxxxx>
  • Date: Tue, 05 Feb 2008 16:55:38 +0000

Erich Titl wrote:
> Aidan Anderson wrote:
>> Hi List,
>> I have been testing the setup of OpenVPN 2.0 and easy-rsa version 2.0 
>> for possible deployment in our network.  I have come across an issue 
>> with revoking certificates.
>> First off, it allows you to create multiple certificates with the 
>> same common name.  This is pointed out in the documentation as useful 
>> for creating a certificate with the same common name as a previously 
>> revoked certificate (lost passwords etc.).  However, if you create 2 
>> certificates with the same common name and issue the ./revoke-full 
>> command on the common name, it revokes the most recently created 
>> certificate.  If you issue the revoke command again with the same 
>> common name, it says that the certificate is already revoked.  When I 
>> tested connection to the server from a client PC, the revoked 
>> certificate is rejected as expected but the certificate created 
>> initially still works and you have no way of revoking it.  Having a 
>> certificate out in the field that you cannot revoke is obviously very 
>> dangerous and will give you a big headache if you have to create a 
>> new CA and re-issue all your certificates.
> Typically you need to revoke a certificate _before_ you can reissue it.
>> How have other people coped with this?  Would the best plan be to 
>> write a wrapper for the revoke-full command to ensure that a common 
>> name cannot be created if a valid one already exists?  I could do 
>> this by reading the contents of index.txt.
> easy-rsa is what it is called, a simple easy wrapper for openssl. 
> Depending on the number of certificates you want to handle, you 
> probably need another tool.
> I don't have many certs to support and went for roCA, a small CDrom 
> based tool which I run in a virtual machine. Not too well suited for 
> large numbers of certificates but it works for me.
> cheers
> Erich
Thanks for the reply Erich, I appreciate that common sense should 
prevail when using this type of tool.

As many people will be using it to create keys, I have created a small 
wrapper for revoke-full to avoid the situation ever arising.  I've added 
the relevant part of the script below in case anyone finds it useful.


Set $key_dir and $rsa_dir to match your key and rsa directories.

      ## Validate the supplied common name.
      ## If the common name doesn't exist then add it.
      ## If the common name exists and is active then don't add it.
      ## If the common name exists but has been previously revoked, ask
      ## the user to make the decision.
      ## Each index.txt line starts with the state flag of that entry:
      ## V = valid, R = revoked, E = expired. The newest entry for the
      ## common name is the last matching line. Matching "/CN=$common_name/"
      ## rather than "CN=$common_name" avoids a prefix match (e.g. "bob"
      ## matching "bobby").
      cd "$key_dir"
      add_common_name="no"
      cert_state=`grep "/CN=$common_name/" index.txt | tail -n1 | cut -c1`
      if [ -z "$cert_state" ]; then
        add_common_name="yes"
      else
        if [ "$cert_state" = "R" ]; then
          echo; echo -n "This common name was previously revoked, are you sure you want to use it again? [y/n]:"
          read yorn
          if [ "$yorn" ]; then
            if [ "$yorn" = "y" ]; then
              add_common_name="yes"
            else
              message="Aborting, common name not added."
            fi
          else
            message="Aborting, common name not added."
          fi
        else
          message="Aborting, this common name cannot be added because it is currently active."
        fi
      fi

      ## Create certificate if validated to do so.
      if [ "$add_common_name" = "yes" ]; then
        cd "$rsa_dir"
        . ./vars
        ./build-key "$common_name"
      fi
      echo; echo "$message"; echo
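The check the wrapper above performs, as an added example that is not part of Aidan's post or of easy-rsa itself: a POSIX sh script that reads an easy-rsa 2.0 index.txt (assumed layout: whitespace-separated fields with the state flag V/R/E first and the subject DN last, which is what easy-rsa 2.0 writes) and decides whether a common name may be issued again. It goes beyond the posted script by counting every still-valid entry for the name instead of looking only at the newest line, which covers the case from the thread where revoke-full revoked the newer certificate and left the older one active. The sample index.txt entries, names, serials and dates are constructed for the demonstration; the common name is assumed to contain no regex metacharacters.

```shell
#!/bin/sh
# Added example, not code from the original post or from easy-rsa.
# Assumes the easy-rsa 2.0 index.txt layout: state flag (V/R/E) in the
# first field, subject DN (e.g. /C=US/O=Example/CN=alice/emailAddress=...)
# in the last field.

# Write a constructed sample index.txt to the path given as $1.
# Serials, dates and names are made up. "bob" has an older valid
# certificate (02) and a newer revoked one (03), the situation from
# the thread; "dave" has only a revoked certificate.
make_sample_index() {
  {
    printf 'V\t180101000000Z\t\t01\tunknown\t/C=US/O=Example/CN=alice/emailAddress=alice@example.com\n'
    printf 'V\t180101000000Z\t\t02\tunknown\t/C=US/O=Example/CN=bob/emailAddress=bob@example.com\n'
    printf 'R\t180101000000Z\t080205100000Z\t03\tunknown\t/C=US/O=Example/CN=bob/emailAddress=bob@example.com\n'
    printf 'V\t180101000000Z\t\t04\tunknown\t/C=US/O=Example/CN=bobby/emailAddress=bobby@example.com\n'
    printf 'R\t180101000000Z\t080205100000Z\t05\tunknown\t/C=US/O=Example/CN=dave/emailAddress=dave@example.com\n'
  } > "$1"
}

# cn_state FILE CN: print the state flag of the newest entry whose subject
# has exactly this CN (empty output if the CN was never issued).
# "/CN=bob(/|$)" does not match "/CN=bobby/", so no prefix matches.
cn_state() {
  awk -v cn="$2" '
    $0 ~ ("/CN=" cn "(/|$)") { state = $1 }   # later lines overwrite earlier ones
    END { print state }' "$1"
}

# active_count FILE CN: number of entries for this CN that are still
# valid (flag V). Revoked (R) and expired (E) entries are not counted.
active_count() {
  awk -v cn="$2" '
    $1 == "V" && $0 ~ ("/CN=" cn "(/|$)") { n++ }
    END { print n + 0 }' "$1"
}

# cn_decision FILE CN: "refuse" if any valid certificate for the CN still
# exists, "ask" if the CN was issued before but nothing is valid now,
# "add" if the CN has never been issued.
cn_decision() {
  if [ "$(active_count "$1" "$2")" -gt 0 ]; then
    echo refuse
  elif [ -n "$(cn_state "$1" "$2")" ]; then
    echo ask
  else
    echo add
  fi
}

# Demonstration on the constructed sample: one report line per name.
demo() {
  idx=$(mktemp)
  make_sample_index "$idx"
  for name in alice bob bobby dave carol; do
    printf '%-6s newest=%-1s active=%s decision=%s\n' "$name" \
      "$(cn_state "$idx" "$name")" \
      "$(active_count "$idx" "$name")" \
      "$(cn_decision "$idx" "$name")"
  done
  rm -f "$idx"
}

demo
```

The point of `active_count` is the one the thread raises: after `./revoke-full bob` the newest line for bob reads R, so a check on the last line alone would offer to re-issue the name while certificate 02 is still accepted by the server. Counting V entries reports that one active certificate remains, and the decision is to refuse until it too has been revoked.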
