Revoking an OpenVPN certificate

      4 Comments on Revoking an OpenVPN certificate

One of the great advantages of using OpenVPN with RSA keys instaed of static keys is the fact that you can easily disable access to the server for a specific client without the need to re-create keys for any other client. This is called revoking of client certificates.

Since every single client’s certificate is verified against a Certificate Revoking List (CRL), disabling a certificate is rather easy. We simply have to create a CRL file and tell OpenVPN to use it. Any match against the CRL will then result in the connection being dropped.

Create a CRL file

The simplest way of dealing with RSA key management in general is probably easy-rsa. You probably set up your OpenVPN server with the help of easy-rsa in the first place, so creating the CRL file is as simple as

# cd /usr/share/easy-rsa/2.0/
# source ./vars 
NOTE: If you run ./clean-all, I will be doing a rm -rf on /usr/share/easy-rsa/2.0/keys
# ./revoke-full client
Using configuration from /usr/share/easy-rsa/2.0/openssl-1.0.0.cnf
Revoking Certificate 04.
Data Base Updated
Using configuration from /usr/share/easy-rsa/2.0/openssl-1.0.0.cnf
client.crt: C = US, ST = CA, L = City, O = name, OU = name.example.org, CN = client, name = client, emailAddress = openvpn@example.org
error 23 at 0 depth lookup:certificate revoked

As you can see in the last line, the certificate was successfully revoke (hence the verification error 23).

You can also see the revoked status of the client’s certificate in the keys/index.txt file. An “R” in the first column indicates, that the certificate was revoked.

[...]
R       240209140518Z   140211140526Z   04      unknown /C=US/ST=CA/L=City/O=name/OU=name.example.org/CN=client/name=client/emailAddress=openvpn@example.org

To examine the newly created CRL file, use

# openssl crl -in keys/crl.pem -text

Configure OpenVPN to use a CRL

Next, we need to tell OpenVPN to verify incoming connections against against our CRL. Copy the crl.pem file to the OpenVPN config directory and assure, that’s it’s readable to the user running the OpenVPN service (usually openvpn:openvpn).

# cp -a keys/crl.pem /etc/openvpn/keys/
# chmod 755 /etc/openvpn/keys/

To tell the OpenVPN server to use a CRL, add the following line to your server’s config file:

[...]
crl-verify keys/crl.pem

After restarting the OpenVPN server, every connection from a client with a revoked certificate should be denied

# journalctl -f
[...]
Feb 11 15:27:05 OpenVPN openvpn[493]: 192.168.8.35:51960 CRL CHECK FAILED: C=US, ST=CA, L=City, O=name, OU=name.example.org, CN=client, name=client, emailAddress=openvpn@example.org is REVOKED
[...]

Resources:
http://blog.remibergsma.com/2013/02/27/improving-openvpn-security-by-revoking-unneeded-certificates/
See also OpenVPN 2.3 manpage

4 thoughts on “Revoking an OpenVPN certificate

  1. avatarrolf vreijdenberger

    thanks for your article.
    I got the error “openvpn cannot read: crl.pem: Permission denied (errno=13)”.
    I found no (direct) answer via google, lots of hits on the error, but no human readable explanation, so here goes:
    – after you have copied the crl.pem file to the dir you want it in, make sure that that full directory path to the file is traversable. in my case, the directory it was in had permissions root:root 700 (/etc/openvpn/keys). after I did a ‘chmod +x /etc/openvpn/keys’ I was set.

    conclusion: when openvpn runs under user ‘nobody’ and group ‘nogroup’ you still have to be able to traverse the directory AND read the file, so take that into consideration

  2. Pingback: How To Configure and Connect to a Private OpenVPN Server on FreeBSD 10 — 百溪河

  3. Pingback: Membuat VPS dan Server OpenVPN di DigitalOcean – Catatan Baha

Leave a Reply

Your email address will not be published.