I have an OpenVPN setup on Ubuntu that multiple users are connecting to. I want to list all the active certificates with their Common Name. Is there a way of doing this?
-
What certificates are 'active' for you? Ones that are used for ("currently") running tunnels or all possible certificates that can initiate tunnels? For the first - write a little connect script that saves all CNs (and remove them on disconnect) - for the latter: ask your PKI. – Michuelnik Sep 06 '12 at 09:08
-
As an aside, I highly recommend using pfSense for new OpenVPN server deployments, so you can take advantage of the awesome certificate management via web UI. pfSense has also come a long way in general, and makes some things that can take literally weeks to configure in PF doable in minutes (load balanced outbound multiwan, for instance). Check out this talk if you are interested in pfSense: http://www.youtube.com/watch?v=ckesvwkNiJE – iainlbc Sep 07 '12 at 00:14
3 Answers
If you're using easy-rsa, check the `index.txt` file in the `keys` folder. It should contain a list of all the issued certificates and their subjects (including CN); valid certificates start with a `V` and revoked ones start with an `R`.
The current connections are listed in the status file (in my case, `openvpn-status.log` in the `openvpn` folder).

-
the index.txt file does not contain a list of issued certificates. Perhaps you have it configured in a way that allows this; if so, please provide the config. – lobi Oct 19 '15 at 15:26
-
@lobi Well, I looked around and found some openssl-*.cnf files containing `database = $dir/index.txt` in the `[ CA_default ]` section. I'm guessing that's where it is specified. It was like that by default, I didn't change anything except the "vars" file. – aditsu Oct 19 '15 at 15:34
-
The `index.txt` file appears to contain a map of certificate (NN.pem) along with the SubjectName and a status of `V` for valid or `R` for revoked as well as the date it was revoked (valid have no date). – dragon788 Sep 25 '17 at 17:54
-
You can simply do that in this way:

```
# cd /etc/openvpn/easy-rsa/2.0/keys/
# cat index.txt | grep ^V | awk -F "/" '{print $7, $8}'
```

Lines in `index.txt` start with `V` if the certificate is valid.
The result should look like this:

```
CN=guest name=changeme
```

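An added example, not part of the original answers: a shell function that reads the same `index.txt` but finds the CN wherever it sits in the subject instead of relying on fixed `awk` field positions, and reports `V` rows whose expiry date has passed as expired, since OpenSSL only rewrites the status column when the database is updated. The sample rows, the names `sample_index` and `list_certs`, and the fixed clock value are constructed for illustration.

```shell
#!/bin/sh
# Added example. index.txt fields are tab-separated:
# status, expiry, revocation date, serial, filename, subject DN.

# Constructed sample database (not from a real CA).
sample_index() {
    printf 'V\t320101000000Z\t\t01\tunknown\t/C=US/ST=CA/O=Example/CN=server/emailAddress=me@example.test\n'
    printf 'V\t320101000000Z\t\t02\tunknown\t/C=US/ST=CA/O=Example/CN=guest/name=changeme\n'
    printf 'R\t320101000000Z\t150101000000Z\t03\tunknown\t/C=US/ST=CA/O=Example/CN=olduser\n'
    printf 'V\t140101000000Z\t\t04\tunknown\t/C=US/CN=expired-user/O=Example\n'
}

# list_certs INDEX_FILE [NOW]
# Prints "state<TAB>serial<TAB>CN" for every certificate in the database.
# NOW is UTC as YYYYMMDDHHMMSS and defaults to the current time.
list_certs() {
    now=${2:-$(date -u +%Y%m%d%H%M%S)}
    awk -F '\t' -v now="$now" '
    {
        # Find the CN attribute wherever it appears in the subject DN.
        cn = "(no CN)"
        n = split($6, rdn, "/")
        for (i = 1; i <= n; i++)
            if (rdn[i] ~ /^CN=/) cn = substr(rdn[i], 4)

        # Normalise expiry to a 4-digit year (UTCTime has a 2-digit year).
        expiry = $2
        sub(/Z$/, "", expiry)
        if (length(expiry) == 12)
            expiry = ((substr(expiry, 1, 2) + 0 >= 50) ? "19" : "20") expiry

        # A "V" row past its expiry date is reported as expired.
        state = "unknown"
        if ($1 == "R") state = "revoked"
        else if ($1 == "E") state = "expired"
        else if ($1 == "V") state = ((expiry "") < (now "")) ? "expired" : "valid"
        printf "%s\t%s\t%s\n", state, $4, cn
    }' "$1"
}

# Demo on the constructed sample with a fixed clock for reproducible output.
demo=$(mktemp)
sample_index > "$demo"
list_certs "$demo" 20240101000000
rm -f "$demo"
```

A revoked entry in this file only keeps a client out if the server also loads the CA's CRL through `crl-verify`.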
You can get a list of current connections to the OpenVPN server either by using the status command over the management interface (see http://openvpn.net/index.php/open-source/documentation/miscellaneous/79-management-interface.html), or by looking at the status file which is specified using the status line in the config files (see http://openvpn.net/index.php/open-source/documentation/howto.html#server).
If you want to know who can connect to the OpenVPN server it's a bit harder. OpenVPN will let anyone in whose certificate contains a signature generated with the CA key the server is configured to use. If you are using a third party PKI infrastructure they should have records of the certificates they have issued. If you are using the easy-rsa stuff then the certs should all be in that directory.
