Nighthawk: Pushed from thelinuxwiki.com.

2013-02-25T19:01:34Z

Pushed from thelinuxwiki.com.

New page

== steps to revoke ==

First open up a shell or command prompt window and cd to the easy-rsa directory. Then run:
source ./vars
revoke-full <Cert Common Name>
cp ./keys/crl.pem /path/to/openvpn/direcory
chmod 777 /path/to/openvpn/direcory/crl.pem

You should see output similar to this:

Using configuration from /root/openvpn/20/openvpn/tmp/easy-rsa/openssl.cnf
DEBUG[load_index]: unique_subject = "yes"
Revoking Certificate 04.
Data Base Updated
Using configuration from /root/openvpn/20/openvpn/tmp/easy-rsa/openssl.cnf
DEBUG[load_index]: unique_subject = "yes"
client2.crt: /C=KG/ST=NA/O=OpenVPN-TEST/CN=client2/emailAddress=me@myhost.mydomain
error 23 at 0 depth lookup:certificate revoked
Note the "error 23" in the last line. That is what you want to see, as it indicates that a certificate verification of the revoked certificate failed.

The revoke-full script will generate a CRL (certificate revocation list) file called crl.pem in the keys subdirectory. The file should be copied to a directory where the OpenVPN server can access it, then CRL verification should be enabled in the server configuration:

Add line to conf file.
crl-verify crl.pem

Now all connecting clients will have their client certificates verified against the CRL, and any positive match will result in the connection being dropped.

== Logging for CRL failures ==

syslog message for a client trying to use a revoke certificate
CRL CHECK FAILED: /C=US/ST=MI/L=somewhereville/O=example.com/OU=finance/CN=john_doe/emailAddress=john_doe@example.com is REVOKED

== Resources ==
info here was taken from...
http://openvpn.net/index.php/open-source/documentation/howto.html

Openvpn easy-rsa certificate revoke howto - Revision history

Nighthawk: Pushed from thelinuxwiki.com.