OpenVPN certificate whitelist instead of CRL


Is it possible to configure OpenVPN to use a certificate whitelist which contains allowed certificates instead of a certificate revocation list (CRL) for disallowed certificates?


Best Answer

You can use client-config-dir to specify the Common Names which you wish to allow. The name of the file should be the CN of the certificate you wish to allow, and then you write a verify-cn script (the one we have at work was probably written by the admin who set up our OpenVPN, but I'm sure there are standard ones out there) that checks that the CN in the presented certificate equals a file in the CCD directory. Tell OpenVPN to use it with the tls-verify option and set script-security to 2 so that the verify-cn script can be run, and you're away.

However, all this doesn't negate the need for a CRL. Without a CRL you won't be able to revoke a specific issue of a client's certificate, for instance if their existing certificate was compromised or lost and they were issued a new certificate with the same Distinguished Name details.

Arguably a CRL is also slightly more secure than removing a client's CCD configuration because the SSL checking is performed further up the chain.
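The tls-verify hook the answer describes, written out as an added example. It is not the answerer's workplace script and not OpenVPN's bundled verify-cn sample; the script name verify-cn.sh and the paths /etc/openvpn/ccd and /etc/openvpn/verify-cn.sh are assumptions, and the subjects in the built-in demo are constructed. OpenVPN appends two arguments, the certificate depth and the subject, to whatever you put in the tls-verify directive, and runs the script once for every certificate in the chain, so only the depth-0 leaf is matched against the CCD directory. It also handles both subject formats OpenVPN has emitted (the legacy /C=US/CN=alice form and the current "C=US, CN=alice" form) and treats the CN as untrusted file-name input.

```shell
#!/bin/sh
# verify-cn.sh -- OpenVPN tls-verify hook that accepts a client only if a CCD
# file named after its certificate CN exists. Added example, not OpenVPN's own
# sample script. OpenVPN invokes it as:
#   verify-cn.sh <ccd-dir> <depth> <subject>
# where <depth> and <subject> are appended by OpenVPN for each certificate
# in the presented chain. Assumed server.conf lines:
#   client-config-dir /etc/openvpn/ccd
#   script-security 2
#   tls-verify "/etc/openvpn/verify-cn.sh /etc/openvpn/ccd"

# subject_cn <subject>: print the CN from either subject format OpenVPN uses:
#   legacy:  /C=US/O=Example/CN=alice/emailAddress=alice@example.org
#   current: C=US, O=Example, CN=alice, emailAddress=alice@example.org
subject_cn() {
    # A leading comma lets the pattern also match a CN that is the first RDN.
    printf ',%s' "$1" | sed -n 's|.*[/,] *CN=\([^,/]*\).*|\1|p'
}

# cn_allowed <ccd-dir> <depth> <subject>: exit status 0 = accept, 1 = reject.
cn_allowed() {
    ccd=$1 depth=$2 subject=$3

    # Only the leaf certificate (depth 0) is checked against the whitelist;
    # the issuing chain has already been verified by OpenVPN against "ca".
    [ "$depth" = 0 ] || return 0

    cn=$(subject_cn "$subject")

    # The CN was signed by our CA, but it is about to become a file name, so
    # refuse anything outside a conservative character set, plus "." and "..",
    # instead of letting a CN such as "../../etc/passwd" reach the filesystem.
    case "$cn" in
        ''|.|..|*[!A-Za-z0-9_.@-]*)
            echo "verify-cn: rejecting empty or unsafe CN in subject '$subject'" >&2
            return 1 ;;
    esac

    if [ -f "$ccd/$cn" ]; then
        return 0
    fi
    echo "verify-cn: no CCD entry for CN '$cn', refusing client" >&2
    return 1
}

# Called by OpenVPN: exactly three arguments, exit status is the verdict.
if [ $# -eq 3 ]; then
    cn_allowed "$1" "$2" "$3"
    exit $?
fi

# Run by hand with no arguments: exercise the check against a constructed
# CCD directory in which only "alice" is whitelisted.
demo() {
    ccd_demo=$(mktemp -d)
    : > "$ccd_demo/alice"
    for s in 'C=US, O=Example, CN=alice' \
             '/C=US/O=Example/CN=alice' \
             'C=US, O=Example, CN=bob' \
             'C=US, CN=../alice'; do
        if cn_allowed "$ccd_demo" 0 "$s" 2>/dev/null; then
            echo "accept  $s"
        else
            echo "reject  $s"
        fi
    done
    rm -rf "$ccd_demo"
}
if [ $# -eq 0 ]; then
    demo
fi
```

Two caveats worth knowing before relying on this. OpenVPN already sanitizes the CN before it looks up the CCD file, and it has a built-in ccd-exclusive directive that refuses any client without a CCD file, so the script mainly buys you an explicit, logged decision rather than something OpenVPN cannot do on its own. And, as the answer says, it is still no substitute for a CRL: a reissued certificate carrying the same CN will pass this check just as the compromised one did.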