
Resolved
0 votes
Hello everybody! I am from Kazakhstan, I am not very fluent in English, I write through Google Translate, and I apologize for any possible errors. I have a server on ClearOS 7 configured as a gateway. An OpenVPN server has been installed and configured; over time there have come to be a lot of users, and some leave, so it is necessary to revoke their certificates. Please tell me how to revoke the certificate of an OpenVPN client on the ClearOS 7 server. Thank you very much in advance for your reply!
In OpenVPN
Thursday, March 19 2020, 10:44 AM

Accepted Answer

Thursday, March 19 2020, 06:05 PM
Resolved
1 votes
I've been having a look and using this, this, this and this. So to create a CRL do:
echo 1000 > /etc/pki/CA/crlnumber    # you only need to do this once
openssl ca -gencrl -crldays 45 -config /usr/clearos/apps/certificate_manager/deploy/openssl.cnf \
-out /etc/pki/CA/crl/crl.pem \
-keyfile /etc/pki/CA/private/ca-key.pem \
-cert /etc/pki/CA/ca-cert.pem
Note the default crldays is 30. The recommendation is to regenerate the file every 30 days. The easiest way to do that is to set the crldays to something like 45 and put the line in a configlet in /etc/cron.monthly, remembering to make it executable. Also add " > /dev/null 2>&1" to the end of the openssl command to quieten the output. Otherwise you can be lazy and set it to a high number like 3650 days. You have to regenerate the file every time you revoke a certificate or batch of certificates.

Then to revoke a certificate, e.g the one for user "test1" do:
openssl ca -config /usr/clearos/apps/certificate_manager/deploy/openssl.cnf -revoke /etc/pki/CA/client-test1-cert.pem
openssl ca -gencrl -crldays 45 -config /usr/clearos/apps/certificate_manager/deploy/openssl.cnf \
-out /etc/pki/CA/crl/crl.pem \
-keyfile /etc/pki/CA/private/ca-key.pem \
-cert /etc/pki/CA/ca-cert.pem
Now you have a certificate revoked and it exists in the crl.pem file. You can check with
openssl crl -in /etc/pki/CA/crl/crl.pem -noout -text
The serial number can be cross-referenced against the number in /etc/pki/CA/index.txt.

In /etc/openvpn/clients.conf, then add a line:
crl-verify /etc/pki/CA/crl/crl.pem
And restart OpenVPN. You should now have a functioning CRL.

If you want to test, I suggest you make a backup of the whole /etc/pki/CA folder and restore it after your testing. Revoking a certificate seems to update /etc/pki/CA/index.txt and regenerating the crl.pem also updates /etc/pki/CA/crlnumber but there may be more changes than that.
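The revoke-and-regenerate procedure from the accepted answer, rehearsed end to end in a throwaway CA so the real /etc/pki/CA is never touched (an added example, not code from the forum thread). The scratch directory, the minimal openssl.cnf, the two client names and the crl_status helper, which uses `openssl verify -crl_check` to show what OpenVPN's crl-verify will decide, are all constructed for this demo.

```shell
# Added example, not from the forum thread: rehearse the revoke + CRL steps in a
# scratch CA laid out like /etc/pki/CA (directory and openssl.cnf are constructed).
set -eu
CA_DIR=$(mktemp -d); trap 'rm -rf "$CA_DIR"' EXIT; CNF="$CA_DIR/openssl.cnf"
setup_demo_ca() {   # the files the answer refers to: index.txt, crlnumber, crl/
  mkdir -p "$CA_DIR/private" "$CA_DIR/crl" "$CA_DIR/newcerts"; : > "$CA_DIR/index.txt"
  echo 1000 > "$CA_DIR/serial"; echo 1000 > "$CA_DIR/crlnumber"   # crlnumber: once only
  cat > "$CNF" <<EOF
[ ca ]
default_ca = ca
dir = $CA_DIR
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = \$dir/ca-cert.pem
private_key = \$dir/private/ca-key.pem
default_md = sha256
default_days = 365
policy = any
[ any ]
commonName = supplied
[ req ]
distinguished_name = dn
[ dn ]
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Demo CA" -config "$CNF" \
    -keyout "$CA_DIR/private/ca-key.pem" -out "$CA_DIR/ca-cert.pem" 2>/dev/null
}
issue_client() {    # $1 = user name; mirrors the client-<user>-cert.pem naming
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" -config "$CNF" \
    -keyout "$CA_DIR/client-$1-key.pem" -out "$CA_DIR/client-$1.csr" 2>/dev/null
  openssl ca -batch -config "$CNF" -in "$CA_DIR/client-$1.csr" \
    -out "$CA_DIR/client-$1-cert.pem" 2>/dev/null
}
revoke_client() {   # the two commands from the accepted answer, with demo paths
  openssl ca -config "$CNF" -revoke "$CA_DIR/client-$1-cert.pem" 2>/dev/null
  openssl ca -gencrl -crldays 45 -config "$CNF" -out "$CA_DIR/crl/crl.pem" \
    -keyfile "$CA_DIR/private/ca-key.pem" -cert "$CA_DIR/ca-cert.pem" 2>/dev/null
}
crl_status() {      # what crl-verify will decide for the user: "revoked" or "valid"
  if openssl verify -crl_check -CAfile "$CA_DIR/ca-cert.pem" -CRLfile "$CA_DIR/crl/crl.pem" \
       "$CA_DIR/client-$1-cert.pem" >/dev/null 2>&1; then echo valid; else echo revoked; fi
}
setup_demo_ca; issue_client test1; issue_client test2; revoke_client test1
echo "test1: $(crl_status test1), test2: $(crl_status test2)"   # test1: revoked, test2: valid
```

Revoked entries in index.txt start with "R" and carry the serial in the fourth tab-separated column, which is the cross-reference against `openssl crl -text` that the answer mentions.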
Responses (4)
  • Accepted Answer

    Wednesday, March 25 2020, 08:18 AM
    Resolved
    0 votes
    In the OpenVPN documentation I wrote up there were a couple of typos in the cron.monthly job (missing the "\" at the end of two lines). I've now corrected it.

    [edit]
    .... and subsequently removed 2 unnecessary lines.
    [/edit]
  • Accepted Answer

    Saturday, March 21 2020, 12:24 PM
    Resolved
    0 votes
    Now you've had your first couple of posts approved, your posts should appear immediately.

    I've written up the method in the OpenVPN app documentation slightly differently but the method is pretty much the same. Click on the sloping book icon in the webconfig screen to have a look.
  • Accepted Answer

    Saturday, March 21 2020, 11:31 AM
    Resolved
    0 votes
    Thank you very much for your answer. I read it right away, but only got to it now. In the coming days I'll try it, and I will write the result.
  • Accepted Answer

    Thursday, March 19 2020, 12:11 PM
    Resolved
    0 votes
    I am afraid this is an outstanding feature request for ClearOS. You'll need to read the OpenSSL documentation to find out how to create a CRL file and the OpenVPN documentation to see how to read the file. I believe the OpenVPN side is quite simple but I don't know about the OpenSSL side. The certificates you need to revoke are stored in /etc/pki/CA.

    [edit]
    If you do come up with how to do it, please post back and I'll add it to the documentation.
    [/edit]