{"id":1746,"date":"2014-03-03T17:38:17","date_gmt":"2014-03-03T15:38:17","guid":{"rendered":"http:\/\/raftaman.net\/?p=1746"},"modified":"2021-05-15T11:46:37","modified_gmt":"2021-05-15T09:46:37","slug":"revoking-an-openvpn-certificate","status":"publish","type":"post","link":"https:\/\/possiblelossofprecision.net\/?p=1746","title":{"rendered":"Revoking an OpenVPN certificate"},"content":{"rendered":"

One of the great advantages of using OpenVPN with RSA keys<\/a> instaed of static keys<\/a> is the fact that you can easily disable access to the server for a specific client without the need to re-create keys for any other client. This is called revoking of client certificates.<\/p>\n

Since every single client’s certificate is verified against a Certificate Revoking List<\/em> (CRL), disabling a certificate is rather easy. We simply have to create a CRL<\/em> file and tell OpenVPN to use it. Any match against the CRL<\/em> will then result in the connection being dropped.<\/p>\n

Create a CRL file<\/h2>\n

The simplest way of dealing with RSA key management in general is probably easy-rsa<\/code>. You probably set up your OpenVPN server with the help of easy-rsa in the first place, so creating the CRL file is as simple as<\/p>\n

\r\n# cd \/usr\/share\/easy-rsa\/2.0\/\r\n# source .\/vars \r\nNOTE: If you run .\/clean-all, I will be doing a rm -rf on \/usr\/share\/easy-rsa\/2.0\/keys\r\n# .\/revoke-full client\r\nUsing configuration from \/usr\/share\/easy-rsa\/2.0\/openssl-1.0.0.cnf\r\nRevoking Certificate 04.\r\nData Base Updated\r\nUsing configuration from \/usr\/share\/easy-rsa\/2.0\/openssl-1.0.0.cnf\r\nclient.crt: C = US, ST = CA, L = City, O = name, OU = name.example.org, CN = client, name = client, emailAddress = openvpn@example.org\r\nerror 23 at 0 depth lookup:certificate revoked\r\n<\/pre>\n
As you can see in the last line, the certificate was successfully revoke (hence the verification error 23<\/strong>).<\/p>\n
You can also see the revoked status of the client’s certificate in the keys\/index.txt<\/code> file. An “R”<\/strong> in the first column indicates, that the certificate was revoked.<\/p>\n
\r\n[...]\r\nR       240209140518Z   140211140526Z   04      unknown \/C=US\/ST=CA\/L=City\/O=name\/OU=name.example.org\/CN=client\/name=client\/emailAddress=openvpn@example.org\r\n<\/pre>\n
To examine the newly created CRL file, use<\/p>\n
\r\n# openssl crl -in keys\/crl.pem -text\r\n<\/pre>\n
Configure OpenVPN to use a CRL<\/h2>\n
Next, we need to tell OpenVPN to verify incoming connections against against our CRL. Copy the crl.pem<\/code> file to the OpenVPN config directory and assure, that’s it’s readable to the user running the OpenVPN service (usually openvpn:openvpn).<\/p>\n
\r\n# cp -a keys\/crl.pem \/etc\/openvpn\/keys\/\r\n# chmod 755 \/etc\/openvpn\/keys\/\r\n<\/pre>\n
To tell the OpenVPN server to use a CRL, add the following line to your server’s config file:<\/p>\n
\r\n[...]\r\ncrl-verify keys\/crl.pem\r\n<\/pre>\n
After restarting the OpenVPN server<\/strong>, every connection from a client with a revoked certificate should be denied<\/p>\n
\r\n# journalctl -f\r\n[...]\r\nFeb 11 15:27:05 OpenVPN openvpn[493]: 192.168.8.35:51960 CRL CHECK FAILED: C=US, ST=CA, L=City, O=name, OU=name.example.org, CN=client, name=client, emailAddress=openvpn@example.org is REVOKED\r\n[...]\r\n<\/pre>\n
Resources:
\nhttp:\/\/blog.remibergsma.com\/2013\/02\/27\/improving-openvpn-security-by-revoking-unneeded-certificates\/<\/a>
\nSee also OpenVPN 2.3 manpage<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
One of the great advantages of using OpenVPN with RSA keys instaed of static keys is the fact that you can easily disable access to the server for a specific client without the need to re-create keys for any other client. This is called revoking of client certificates. Since every single client’s certificate is verified against a Certificate Revoking List… Read more »<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[7,66],"class_list":["post-1746","post","type-post","status-publish","format-standard","hentry","category-uncategorized","tag-fedora","tag-openvpn"],"_links":{"self":[{"href":"https:\/\/possiblelossofprecision.net\/index.php?rest_route=\/wp\/v2\/posts\/1746","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/possiblelossofprecision.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/possiblelossofprecision.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/possiblelossofprecision.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/possiblelossofprecision.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1746"}],"version-history":[{"count":12,"href":"https:\/\/possiblelossofprecision.net\/index.php?rest_route=\/wp\/v2\/posts\/1746\/revisions"}],"predecessor-version":[{"id":2190,"href":"https:\/\/possiblelossofprecision.net\/index.php?rest_route=\/wp\/v2\/posts\/1746\/revisions\/2190"}],"wp:attachment":[{"href":"https:\/\/possiblelossofprecision.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1746"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/possiblelossofprecision.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1746"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/possiblelossofprecision.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1746"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}