OpenVPN client self-sign cert, revoke on elsewhere

certificateopenvpnrevoked

I've got myself into a pretty messy situation:

I generated a clients self-signed certificate on server A, with server A being the CA.
I then copied the self-signed certificate (.crt, .key) to server B, which is also a CA by itself.
I started using this self-signed certificate on server B and it worked, so I didn't think too much afterward.

Now, I need to revoke this self-signed certificate, however I cannot do it on server B (it complaints about "name does not match"). I've managed to revoke it on server A which signed it, but how can I let server B know that this certificate has indeed been revoked?

I tried to copy the revoked cert over to server B but it doesn't really work…

Platform:

server A: Ubuntu server 10.10, openssl version 0.9.8o
server B: CentOS 4.4, openssl version 0.9.7a

If there's anything else I can provide please let me know.

Hope my explanation makes sense, if not, please leave me a msg. Any help would be very much appreciated!

Best Answer

You must have copied the server and client certificates from A to B if the same client certs still work when authenticating to B. Is this not the case? If you only moved the client certs, and not the server cert, but you can still authenticate to B with client certs from A, then you must have the same CA on A and B.

You don't need to copy the revoked cert to B, you just need to add the cert to B's revocation list. Normally, as long as the server and client certs are signed by the same CA, authentication will proceed. Revocation works by adding entries to a text file. When you authenticate with a cert, OpenVPN will check your Certificate Revocation List (CRL) to see if the cert has been revoked. You're not making any changes to the actual cert.

/usr/local/etc/apache22/Includes/login.domain.com.ssl.conf

Listen 10.0.0.152:443

<VirtualHost 10.0.0.152:443>
ServerAdmin admin@domain.com
DocumentRoot /web0/cloud/login.domain.com/current
ServerName login.domain.com

ServerAlias www.login.domain.com login.domain.com


LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\""
TransferLog /var/log/www/login.domain.com-access_log
ErrorLog /var/log/www/login.domain.com-error_log

<DIRECTORY /web0/cloud/login.domain.com/current>
Allow from All
OPTIONS Indexes Includes ExecCGI FollowSymLinks
AllowOverride ALL
</DIRECTORY>

IndexOptions FancyIndexing

AddType application/x-httpd-php .html

SSLEngine on

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile "/usr/local/etc/apache22/ssl.crt/login.domain.com.crt"
SSLCertificateKeyFile "/usr/local/etc/apache22/ssl.key/login.domain.com.key"
SSLCertificateChainFile "/usr/local/etc/apache22/ssl.crt/comodo.ca-bundle"

BrowserMatch ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0


</VirtualHost>

/usr/local/etc/apache22/Includes/admin.domain.com.ssl.conf

Listen 10.0.0.151:443

<VirtualHost 10.0.0.151:443>
ServerAdmin admin@domain.com
DocumentRoot /web0/cloud/admin.domain.com/current
ServerName admin.domain.com

ServerAlias www.admin.domain.com admin.domain.com

LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\""
TransferLog /var/log/www/admin.domain.com-access_log
ErrorLog /var/log/www/admin.domain.com-error_log

<DIRECTORY /web0/cloud/admin.domain.com/current>
Allow from All
OPTIONS Indexes Includes ExecCGI FollowSymLinks
AllowOverride ALL
</DIRECTORY>

IndexOptions FancyIndexing

SSLEngine on

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile "/usr/local/etc/apache22/ssl.crt/admin.domain.com.crt"
SSLCertificateKeyFile "/usr/local/etc/apache22/ssl.key/admin.domain.com.key"
SSLCertificateChainFile "/usr/local/etc/apache22/ssl.crt/comodo.ca-bundle"

BrowserMatch ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0


</VirtualHost>

Ssl – How to create a self-signed SSL certificate with subject alternate names (SAN) for IIS websites

I found a way to do this using OpenSSL. I was hoping to use CertEnroll but since it gave me interoperability problems with Java I'm just going to use OpenSSL.

Here is how I created a cert for IIS with subject alternative names using OpenSSL.

First create a OpenSSL config text file:

[req]
distinguished_name  = req_distinguished_name
x509_extensions     = v3_req
prompt              = no
[req_distinguished_name]
C           = US
ST          = VA
L           = SomeCity
O           = MyCompany
OU          = MyDivision
CN          = ANDY
[v3_req] 
keyUsage           = keyEncipherment, dataEncipherment
extendedKeyUsage   = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = andy
DNS.2 = 192.168.2.12
IP.1 = 192.168.2.12
IP.2 = 192.167.20.1

Then run the following OpenSSL commands:

openssl.exe req -x509 -nodes -days 730 -newkey rsa:2048 -keyout C:\cert.pem -out C:\cert.pem -config C:\PathToConfigFileAbove.txt

openssl.exe pkcs12 -export -out C:\cert.pfx -in C:\cert.pem -name "My Cert" -passout pass:mypassword

This will create you a cert in a PFX file which can be imported to IIS. I automated this with powershell like so:

    # Get the certificate from the PFX file.
$pfxcert = new-object system.security.cryptography.x509certificates.x509certificate2
$pfxcert.Import(
    "C:\cert.pfx",
    "mypassword",
    [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::MachineKeySet -bor `
    [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable
)

    # Add the certificate to the windows stores.
Get-Item -Path cert:\LocalMachine\My, cert:\LocalMachine\root | ForEach-Object {
    $store = $_
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    $store.Add($pfxcert)
    $store.Close()
}

Add-PSSnapin -Name WebAdministration # IIS 7 Powershell module.
Push-Location -Path IIS:\SslBindings

    # Create new IIS SSL bindings.
Get-Item -Path "cert:\LocalMachine\My\$($pfxcert.Thumbprint)" | New-Item "0.0.0.0!443"

Best Answer

Related Solutions

Ssl – RHEL/Apache ssl.conf configuration issue

/usr/local/etc/apache22/Includes/login.domain.com.ssl.conf

/usr/local/etc/apache22/Includes/admin.domain.com.ssl.conf

Ssl – How to create a self-signed SSL certificate with subject alternate names (SAN) for IIS websites

Related Topic