I've run into a problem: I removed certificate files from the server, but a client that still has these files can still connect.
I've found out that I should revoke the certificate and that this can be done by changing the line for that certificate in /etc/openvpn/easy-rsa/keys/index.txt to have R, not V, as the first character of the line.
But previously I had removed the line for that certificate from the file, because an attempt to generate that certificate again just gave a 0 byte size file.
As I've read, it shouldn't be able to connect after being removed from index.txt, but it does connect.
What may cause the problem, and how can I disallow that particular certificate from connecting?
I want to be able to create a certificate with the same name, CN, and other vars I set for each certificate as the one being disallowed; the newly created certificate should have the ability to connect.
EDIT:
The solution was undoing my changes in index.txt (changing R back to V in the cert I wished to revoke) and generating the CRL in easy-rsa, which was missing.
The index.txt mustn't be manually changed in the way I did it, because it was lacking the revoke date and did not allow me to generate the missing CRL. I found out that revocation should be done by /etc/openvpn/easy-rsa/revoke-full <cert name>, with all vars as when the cert was generated, in my case.
Best Answer
The plain answer is it does not work because you've got it all wrong.
Your basic misconception seems to lie in the idea that OpenVPN and the Certificate Authority do have a communication channel so OpenVPN would automagically know which certificates you want to allow. This is not the case. OpenVPN and the Certificate Authority are completely separate entities (even if they both reside on the same host) and do not have any communication whatsoever between each other.
The CA "signs" certification requests (basically public keys bundled with identification information like the host name) by encrypting a hash of the certification request with its own private key. What OpenVPN does is check whether a) it can decrypt the hash using the public key of the CA (which it has, typically residing in a ca.crt file somewhere) and b) the hash is correct for the given certificate. It does not require nor use any "live" connection to the CA for any of this.
You cannot revoke a certificate by deleting it from the CA's directory (note that if you have deleted the client certificate and it was your only copy, openssl ca would not allow you to revoke it any more) or by changing the index.txt (this file is just an indication for openssl ca about the state of the available certificates). What you need to do instead is
1. openssl ca -revoke <certificate file> to revoke the certificate in the internal OpenSSL CA database (basically adding the revocation information to the index.txt)
2. openssl ca -gencrl -out ca.crl to generate the CRL
3. have OpenVPN check that CRL (crl-verify directive in the OpenVPN config file)
If you are using the easy-rsa shell wrapper script set for OpenSSL CA, see the OpenVPN section on certificate revocation for more detailed documentation on how to achieve the above using the easy-rsa scripts. The basic procedure is running revoke-full <cert name> with your ./vars sourced; you would find the crl.pem in the $KEY_DIR directory as defined in your ./vars file.
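The three steps from the answer (revocation entry in index.txt, generated CRL, a verifier that actually checks the CRL), as an added example that is not part of the original question or answer. It drives a throwaway CA with plain openssl ca, the tool the easy-rsa scripts wrap; the work directory, the CN alice and the file names are assumptions made for the demo, and openssl verify -crl_check stands in for OpenVPN's crl-verify. It also shows the point behind the asker's last requirement: once the old entry is R rather than V, openssl ca will issue a new certificate for the same CN.

```shell
#!/bin/sh
# Added example, not code from the original question or answer. A throwaway
# CA driven with plain `openssl ca` (the tool easy-rsa wraps) showing that
# revocation is (1) an R entry with a revocation date in index.txt, (2) a
# generated CRL and (3) a verifier that checks that CRL. Everything under
# $WORK, the CN "alice" and the file names are assumptions for this demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CA="$WORK/ca"
CNF="$CA/openssl.cnf"

setup_ca() {
  mkdir -p "$CA/newcerts"
  : > "$CA/index.txt"            # empty CA database; openssl ca appends to it
  echo 1000 > "$CA/serial"       # next serial number, in hex
  cat > "$CNF" <<EOF
[ ca ]
default_ca       = demo_ca
[ demo_ca ]
dir              = $CA
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
certificate      = \$dir/ca.crt
private_key      = \$dir/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = demo_policy
[ demo_policy ]
commonName       = supplied
[ req ]
distinguished_name = req_dn
x509_extensions  = ca_ext
[ req_dn ]
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage         = keyCertSign,cRLSign
EOF
  openssl req -x509 -config "$CNF" -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=demo-ca" -keyout "$CA/ca.key" -out "$CA/ca.crt" >/dev/null 2>&1
}

issue_cert() {  # $1 = CN, $2 = output basename under $WORK
  openssl req -new -config "$CNF" -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
  openssl ca -batch -config "$CNF" -notext \
    -in "$WORK/$2.csr" -out "$WORK/$2.crt" >/dev/null 2>&1
}

revoke_cert() {  # $1 = cert file; flips its index.txt entry to R and records the date
  openssl ca -batch -config "$CNF" -revoke "$1" >/dev/null 2>&1
}

gen_crl() {      # step 2 of the answer: turn the R entries into a signed CRL
  openssl ca -batch -config "$CNF" -gencrl -out "$CA/crl.pem" >/dev/null 2>&1
}

verify_without_crl() {  # what a server without a CRL sees: chain and signature only
  if openssl verify -CAfile "$CA/ca.crt" "$1" 2>/dev/null | grep -q ': OK'; then
    echo accepted; else echo rejected; fi
}

verify_with_crl() {     # the check OpenVPN's crl-verify performs
  if openssl verify -CAfile "$CA/ca.crt" -CRLfile "$CA/crl.pem" -crl_check "$1" \
      2>/dev/null | grep -q ': OK'; then echo accepted; else echo rejected; fi
}

index_flag() {  # $1 = cert file; prints the V/R flag of its index.txt entry (matched by serial)
  serial=$(openssl x509 -noout -serial -in "$1" | cut -d= -f2)
  awk -F'\t' -v s="$serial" '$4 == s { print $1 }' "$CA/index.txt"
}

main() {
  setup_ca
  issue_cert alice alice-old
  echo "issued:           index=$(index_flag "$WORK/alice-old.crt")"
  revoke_cert "$WORK/alice-old.crt"
  echo "after revoke:     index=$(index_flag "$WORK/alice-old.crt") without-crl=$(verify_without_crl "$WORK/alice-old.crt")"
  gen_crl
  echo "after gencrl:     with-crl=$(verify_with_crl "$WORK/alice-old.crt")"
  issue_cert alice alice-new   # same CN again: allowed, the old entry is R not V
  echo "reissued same CN: index=$(index_flag "$WORK/alice-new.crt") with-crl=$(verify_with_crl "$WORK/alice-new.crt")"
}

main
```

The middle line of the output is the asker's situation: the entry is R in index.txt, yet a verifier that has no CRL (or does not check one) still accepts the certificate, because nothing in the certificate itself changed. Only after gen_crl and a CRL-checking verifier is the old certificate rejected, while the reissued certificate with the identical CN is accepted.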