Openvpn easy-rsa certificate revoke howto

From thelinuxwiki
Revision as of 19:01, 25 February 2013 by Nighthawk (Talk | contribs)


Steps to revoke

First open up a shell or command prompt window and cd to the easy-rsa directory. Then run:

source ./vars
revoke-full <Cert Common Name>
cp ./keys/crl.pem /path/to/openvpn/directory
chmod 777 /path/to/openvpn/directory/crl.pem

You should see output similar to this:

Using configuration from /root/openvpn/20/openvpn/tmp/easy-rsa/openssl.cnf
DEBUG[load_index]: unique_subject = "yes"
Revoking Certificate 04.
Data Base Updated
Using configuration from /root/openvpn/20/openvpn/tmp/easy-rsa/openssl.cnf
DEBUG[load_index]: unique_subject = "yes"
client2.crt: /C=KG/ST=NA/O=OpenVPN-TEST/CN=client2/emailAddress=me@myhost.mydomain
error 23 at 0 depth lookup:certificate revoked

Note the "error 23" in the last line. That is what you want to see: it indicates that verification of the revoked certificate failed, which is the expected result.

The revoke-full script will generate a CRL (certificate revocation list) file called crl.pem in the keys subdirectory. The file should be copied to a directory where the OpenVPN server can access it, then CRL verification should be enabled in the server configuration:

Add this line to the OpenVPN server configuration file:

crl-verify crl.pem

Now all connecting clients will have their client certificates verified against the CRL, and any positive match will result in the connection being dropped.


Logging for CRL failures

Syslog message for a client trying to connect with a revoked certificate:

CRL CHECK FAILED: /C=US/ST=MI/L=somewhereville/O=example.com/OU=finance/CN=john_doe/emailAddress=john_doe@example.com is REVOKED
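As an added example (not from the original wiki page or from OpenVPN itself), a small Python scanner that pulls these CRL failures out of a syslog stream, parses the DN, and flags any CN that keeps presenting a revoked certificate. The log lines are constructed, and the syslog prefix and the peer `ip:port` in front of the message are assumptions about the log format.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not from a real server). The CRL CHECK FAILED
# messages follow the format shown above; the syslog prefix is assumed.
SAMPLE_LOG = """\
Feb 25 19:01:02 vpn1 ovpn-server[2211]: 203.0.113.7:51234 TLS: Initial packet from [AF_INET]203.0.113.7:51234
Feb 25 19:01:03 vpn1 ovpn-server[2211]: 203.0.113.7:51234 CRL CHECK FAILED: /C=US/ST=MI/L=somewhereville/O=example.com/OU=finance/CN=john_doe/emailAddress=john_doe@example.com is REVOKED
Feb 25 19:01:03 vpn1 ovpn-server[2211]: 203.0.113.7:51234 TLS Error: TLS handshake failed
Feb 25 19:05:44 vpn1 ovpn-server[2211]: 203.0.113.7:51300 CRL CHECK FAILED: /C=US/ST=MI/L=somewhereville/O=example.com/OU=finance/CN=john_doe/emailAddress=john_doe@example.com is REVOKED
Feb 25 19:06:10 vpn1 ovpn-server[2211]: 198.51.100.9:40022 CRL CHECK FAILED: /C=US/O=example.com/CN=client2 is REVOKED
"""

# Optional "ip:port " before the message (assumed prefix), then the message itself.
CRL_FAIL_RE = re.compile(
    r"(?:(?P<peer>\d{1,3}(?:\.\d{1,3}){3}):\d+ )?CRL CHECK FAILED: (?P<dn>/.+?) is REVOKED"
)


def parse_dn(dn):
    """Split a slash-separated OpenSSL one-line DN into a dict of RDN type -> value.

    Assumes no '/' inside attribute values, which holds for the legacy
    slash-delimited format OpenVPN logs here.
    """
    parts = [p for p in dn.split("/") if p]
    return dict(p.split("=", 1) for p in parts)


def find_crl_failures(log_text):
    """Return one record per CRL CHECK FAILED line: peer address, CN, e-mail, full DN."""
    hits = []
    for line in log_text.splitlines():
        m = CRL_FAIL_RE.search(line)
        if not m:
            continue
        rdns = parse_dn(m.group("dn"))
        hits.append({
            "peer": m.group("peer"),
            "cn": rdns.get("CN"),
            "email": rdns.get("emailAddress"),
            "dn": m.group("dn"),
        })
    return hits


def repeated_offenders(hits, threshold=2):
    """CNs that hit the CRL at least `threshold` times. A revoked certificate that is
    still being presented repeatedly means its private key is still in use somewhere
    and deserves an alert, not just a dropped connection."""
    counts = Counter(h["cn"] for h in hits)
    return {cn: n for cn, n in counts.items() if n >= threshold}
```

Feed it the server's syslog output (or a journal export) and route `repeated_offenders` into whatever alerting you already use.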


Resources

The information here was taken from:

http://openvpn.net/index.php/open-source/documentation/howto.html