Hello everybody! I am from Kazakhstan, I am not very fluent in English, I write through a Google translator, and I apologize for any possible errors. I have a server on ClearOS 7 configured as the gateway. An OpenVPN server has been installed and configured; over time there have become a lot of users, and some leave, therefore it is necessary to revoke their certificates. Please tell me how to revoke the certificate of an OpenVPN client on the ClearOS 7 server. Thank you very much in advance for your reply!
In OpenVPN
Accepted Answer
I've been having a look and using this, this, this and this. So to create a CRL do:
echo 1000 > /etc/pki/CA/crlnumber # you only need to do this once
openssl ca -gencrl -crldays 45 -config /usr/clearos/apps/certificate_manager/deploy/openssl.cnf \
-out /etc/pki/CA/crl/crl.pem \
-keyfile /etc/pki/CA/private/ca-key.pem \
-cert /etc/pki/CA/ca-cert.pem
Note the default crldays is 30. The recommendation is to regenerate the file every 30 days. The easiest way to do that is to set the crldays to something like 45 and put the line in a configlet in /etc/cron.monthly, remembering to make it executable. Also add " > /dev/null 2>&1" to the end of the openssl command to quieten the output. Otherwise you can be lazy and set it to a high number like 3650 days. You have to regenerate the file every time you revoke a certificate or batch of certificates.

Then to revoke a certificate, e.g. the one for user "test1", do:
openssl ca -config /usr/clearos/apps/certificate_manager/deploy/openssl.cnf -revoke /etc/pki/CA/client-test1-cert.pem
openssl ca -gencrl -crldays 45 -config /usr/clearos/apps/certificate_manager/deploy/openssl.cnf \
-out /etc/pki/CA/crl/crl.pem \
-keyfile /etc/pki/CA/private/ca-key.pem \
-cert /etc/pki/CA/ca-cert.pem
Now you have a certificate revoked and it exists in the crl.pem file. You can check with:

openssl crl -in /etc/pki/CA/crl/crl.pem -noout -text

The serial number can be cross-referenced against the number in /etc/pki/CA/index.txt.

In /etc/openvpn/clients.conf, then add a line:
crl-verify /etc/pki/CA/crl/crl.pem
And restart OpenVPN. You should now have a functioning CRL.

If you want to test, I suggest you make a backup of the whole /etc/pki/CA folder and restore it after your testing. Revoking a certificate seems to update /etc/pki/CA/index.txt and regenerating the crl.pem also updates /etc/pki/CA/crlnumber but there may be more changes than that.
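As an added example (not code from the thread or from ClearOS), here is a small Python check that does the cross-reference the answer describes: it parses the OpenSSL ca database (index.txt) and the text dump of crl.pem, and reports any certificate marked revoked in index.txt that the CRL does not yet list, which is exactly what you get when crl.pem is not regenerated after a revocation. The index.txt lines and CRL text below are constructed samples; the helper names are mine.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set

@dataclass
class IndexEntry:
    status: str   # 'V' valid, 'R' revoked, 'E' expired
    expiry: str   # YYMMDDHHMMSSZ
    revoked: str  # revocation timestamp (optionally ",reason"); empty unless revoked
    serial: str   # hex serial, normalised
    subject: str  # e.g. /O=ClearOS/CN=test1

def norm_serial(s: str) -> str:
    """Uppercase hex, no colons, no leading zeros, so index.txt and CRL forms compare equal."""
    s = s.strip().upper().replace(":", "")
    return s.lstrip("0") or "0"

def parse_index(text: str) -> List[IndexEntry]:
    """Parse OpenSSL's index.txt: six tab-separated columns per non-empty line."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        cols = line.split("\t")
        if len(cols) != 6:
            raise ValueError(f"malformed index.txt line: {line!r}")
        status, expiry, revoked, serial, _filename, subject = cols
        entries.append(IndexEntry(status, expiry, revoked, norm_serial(serial), subject))
    return entries

def crl_serials(crl_text: str) -> Set[str]:
    """Serials under 'Revoked Certificates:' in `openssl crl -noout -text` output."""
    _, marker, body = crl_text.partition("Revoked Certificates:")
    if not marker:  # OpenSSL prints "No Revoked Certificates." for an empty CRL
        return set()
    return {norm_serial(m) for m in re.findall(r"^\s*Serial Number:\s*([0-9A-Fa-f:]+)\s*$", body, re.M)}

def crl_vs_index(index_text: str, crl_text: str) -> Dict[str, Set[str]]:
    """'stale' = revoked in index.txt but absent from the CRL (regenerate crl.pem);
    'unknown' = listed in the CRL but not marked R in index.txt (CA state mismatch)."""
    revoked = {e.serial for e in parse_index(index_text) if e.status == "R"}
    in_crl = crl_serials(crl_text)
    return {"stale": revoked - in_crl, "unknown": in_crl - revoked}

# Constructed sample: test2 was revoked after the CRL was last generated.
SAMPLE_INDEX = (
    "V\t290301100000Z\t\t1000\tunknown\t/O=ClearOS/CN=test0\n"
    "R\t290301100000Z\t180301100000Z\t1001\tunknown\t/O=ClearOS/CN=test1\n"
    "R\t290301100000Z\t180302100000Z\t1002\tunknown\t/O=ClearOS/CN=test2\n"
)
SAMPLE_CRL_TEXT = (
    "Certificate Revocation List (CRL):\n        Version 2 (0x1)\n"
    "        Issuer: CN = ClearOS CA\n        Last Update: Mar  1 10:00:00 2018 GMT\n"
    "Revoked Certificates:\n    Serial Number: 1001\n"
    "        Revocation Date: Mar  1 10:00:00 2018 GMT\n"
)

if __name__ == "__main__":
    print(crl_vs_index(SAMPLE_INDEX, SAMPLE_CRL_TEXT))  # {'stale': {'1002'}, 'unknown': set()}
```

On a real server, feed it the contents of /etc/pki/CA/index.txt and the output of `openssl crl -in /etc/pki/CA/crl/crl.pem -noout -text`; a non-empty "stale" set means the gencrl step was missed.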
Responses (4)
I am afraid this is an outstanding feature request for ClearOS. You'll need to read the OpenSSL documentation to find out how to create a CRL file and the OpenVPN documentation to see how to read the file. I believe the OpenVPN side is quite simple but I don't know about the OpenSSL side. The certificates you need to revoke are stored in /etc/pki/CA.
[edit]
If you do come up with how to do it, please post back and I'll add it to the documentation.
[/edit]