Home / server / Questions / 426315
Accepted
artfulrobot
Asked: 2012-09-12 04:12:17 +0800 CST

How to revoke OpenVPN client certificate in Debian

  • 772

I used the easy-rsa/2.0 programs to build server and client certificates for OpenVPN. I copied the client ones to the clients along with ca.crt. All good.

I now need to revoke a client certificate from a stolen laptop. In /usr/share/doc/openvpn/examples/easy-rsa/2.0 there's a revoke script. I've run this successfully and it says "Data Base Updated". It's created some files in a subdir of the examples/doc folder.

I've copied the created crl.pem to /etc/openvpn/crl.pem and I've added crl-verify /etc/openvpn/crl.pem to server.conf.

Is there any way I can verify that I've done the right thing and that it will indeed block access?

Also, I'm not clear where this "Data Base" is stored or what it refers to? Is there any way to inspect this database?

debian

4 Answers

  1. Best Answer

    On easy-rsa directory there's a 'revoke-full' file. When you run this script with your user/key as parameter, index.txt file on easy-rsa/keys directory will be updated.

    You'll see an 'R' (for Revoked) on the first column from the left for your user.

    • 7

  2. On my server I didn't have the easy-rsa scripts, but you can revoke OpenVPN client certificates without easy-rsa manually using openssl.

    A lot of the information is taken from this useful resource but if your OpenVPN server is set up like mine, the certificate authority is configured alongside the OpenVPN server settings, with the client certificates generated on-server (I use Ansible + Sovereign to set up certificates for a number of users all at once).

    # as root in /etc/openvpn
openssl ca -config openssl-server-certificate.cnf -revoke /path/to/client.crt

    This revokes the certificate and updates the database, but you still need to make sure that OpenVPN is checking a certificate revocation list so edit the server.conf and check for a line starting with crl-verify. If you don't find one, then add it:

    crl-verify /usr/share/openvpn/openssl-server.crl

    (You can use any path you want, but most OpenVPN servers are configured to run as nobody:nobody so you will need some path that is world executable - not /etc/openvpn)

    And finally tell OpenSSL to regenerate the revocation list

    openssl ca -config openssl-server-certificate.cnf -gencrl -out /usr/share/openvpn/openssl-server.crl

    (or wherever your revocation list lives). Restart the OpenVPN service and it should pull in the changes to the config and use the CRL when verifying connection requests - if the certificate is revoked the connection will be dropped.

    • 7

  3. Use 

    ./list-crl

    from easy-rsa directory to display serial numbers of revoked certificates.

    Also check the openvpn logs for "CRL CHECK FAILED" message.

    • 2

  4. In my case, I have configured the OpenVPN server on ubuntu 20.04. Finally, I was able to disable the user with the below steps.

    I have two servers for OpenVPN, one is for OpenVPN, and the second one is for CA configurations.

    Login into the 2nd server(CA) and revoke the certificate with the ./easyrsa revoke client_name command. Give confirmation with yes and provide if you have a cert password.

    Generate a new CRL(Certificate Revocation List) with the ./easyrsa gen-crl command. Copy the generated crl.pem to OpenVPN servers tmp directory with scp command.

    scp ~/easy-rsa/pki/crl.pem username@your_server_ip:/tmp

    Once you have revoked a certificate for a client, move the pem file to your OpenVPN server in the /etc/openvpn/server directory on the 2nd server(openVPN server).

    sudo cp /tmp/crl.pem /etc/openvpn/server/

    Open the OpenVPN server configuration file sudo vi /etc/openvpn/server/server.conf and add the below line at the bottom of the file.

    crl-verify crl.pem

    Save and close the file and restart the OpenVPN service to implement the certificate revocation.

    sudo systemctl restart [email protected]

    I hope it helps you.

    • 1