9

I've run into a problem: I removed certificate files from the server, but a client that has these files can still connect.

  • I've found out that I should revoke the certificate, and that this can be done by changing the line for that certificate in

    /etc/openvpn/easy-rsa/keys/index.txt

    to have R, not V, as the first character of the line.

  • But previously I had removed the line for that certificate from the file, because attempting to generate that certificate again just gave a 0-byte file.

  • As I've read, it shouldn't be able to connect after being removed from index.txt, but it does connect.

What may cause the problem, and how am I able to disallow that particular certificate from connecting?

I want to be able to create a certificate with the same name, CN, and other vars I set for each certificate as the one being disallowed - the newly created certificate should have the ability to connect.

EDIT:

The solution was undoing the changes in index.txt (changing R back to V for the cert I wished to revoke) and generating the CRL in easy-rsa, which was missing.
The index.txt mustn't be manually changed in the way I did it, because it was lacking the revoke date and did not allow me to generate the missing CRL. I found out that revocation should be done by /etc/openvpn/easy-rsa/revoke-full <cert name>, with all vars set as when the cert was generated, in my case.

Rohit Gupta
tymik

1 Answer

12

It does not work because the workflow is wrong: you cannot just remove a client certificate from the server.

The basic misconception seems to lie in the idea that OpenVPN and the Certificate Authority have a communication channel, so OpenVPN would automagically know which certificates you want to allow, but this is not the case. OpenVPN and the Certificate Authority are completely separate entities (even if they both reside on the same host) and do not have any communication whatsoever with each other.

The CA "signs" certification requests (basically public keys bundled with identification information like the host name) by encrypting a hash of the certification request with its own private key. What OpenVPN does is check whether a) it can decrypt the hash using the public key of the CA (which it has, typically residing in a ca.crt file somewhere) and b) the hash is correct for the given certificate. It does not require nor use any "live" connection to the CA for any of this.

So, you cannot revoke a certificate by deleting it from the CA's directory. Removing these files from the server is a problem if they are your only copy: then, openssl ca would not allow you to revoke it any more. You should also not change the file index.txt, since it is just an indication for openssl ca about the state of the available certificates.

What you need to do instead is:

  1. run openssl ca -revoke <certificate file> to revoke the certificate in the internal OpenSSL CA database (basically adding the revocation information in the index.txt)
  2. create a certificate revocation list using openssl ca -gencrl -out ca.crl
  3. copy this revocation list to the OpenVPN revocation list file (see the crl-verify directive in the OpenVPN config file)
  4. see OpenVPN deny the connection on the next certificate check

If you are using the easy-rsa shell wrapper script set for OpenSSL CA, see the OpenVPN section on certificate revocation for a more detailed documentation on how to achieve the above using the easy-rsa scripts.

The basic procedure with easy-rsa is:

# enter into the easy-rsa directory
# note that this directory may be different in your distro
cd /etc/openvpn/easy-rsa

# load your CA-related variables into the shell environment from the "vars" file
. ./vars

# run the revoke script for <clientcert.pem>
./revoke-full clientcert

You would find the file crl.pem in the $KEY_DIR directory, as defined in your ./vars file.

Dave M
the-wabbit
  • I've had problems caused by partial hints I found earlier - as I followed them, I messed some things up and it kept me failing with the easy-rsa scripts and also with generating the CRL. The R instead of V, as in the question, was one of my problems - I changed it manually and then I had a problem generating the CRL, because I "had invalid revoke date" in index.txt - I hadn't such a date there at all, as I didn't know about it. But I've managed to clean up that whole mess and revoking works now. – tymik Jan 28 '13 at 20:47
  • Is it possible to just delete the key from the database without revoking? – isevcik Oct 19 '17 at 22:15
  • @isevcik Of course. But it would not get you anywhere but stuck. As I wrote, removing the key from OpenSSL's database would not render it invalid as an authentication token. Additionally, you would no longer be able to revoke the certificate, as OpenSSL could no longer know which serial number to write into the revocation list. – the-wabbit Oct 20 '17 at 08:18
  • 1
    @the-wabbit actually I was wondering if there is a script like remove-key that just removes the key from the database (for example when I made a typo in a cert that was not distributed yet, therefore revoking isn't necessary) – isevcik Oct 20 '17 at 09:58
  • 1
    @isevcik neither the OpenSSL CA management commands nor easy-rsa have anything like this exposed. This is mainly because such an approach is deemed insecure. You may *think* that the certificate hasn't been distributed, but since it has been generated and saved, it may have been stolen / salvaged or be stolen/salvaged in the future. If the CA does not keep track of *anything* and updated CRLs are not distributed, there is no chance to protect against this attack vector. Of course, you still technically could delete the certificate files and forget about it, but it is not good security practice. – the-wabbit Oct 26 '17 at 12:05
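The answer's workflow (revoke into the CA database, generate a CRL, let the verifier check it) and the comment-thread point that deleting files revokes nothing, run end to end against a throwaway CA. This is an added example, not code from the thread or from easy-rsa: it drives `openssl ca` directly with a hand-written config that mirrors the easy-rsa 2 layout (index.txt, serial, crl.pem), uses `openssl verify -crl_check` where OpenVPN would use crl-verify, and invents every name and path in it (the "Demo CA" subject, the alice certificates, the mktemp directory). The server's copy of the certificate is deleted before revocation and the client's copy is what gets revoked, which works because `openssl ca -revoke` only needs the serial number inside the certificate; `unique_subject = no` lets `openssl ca` issue a second certificate with the same CN afterwards.

```shell
#!/bin/sh
# Added example (not from the thread or easy-rsa): a throwaway "openssl ca" CA
# with the easy-rsa 2 layout (index.txt, serial, crl.pem). All names are invented.
set -eu

# setup_ca: fresh CA under a temp dir; sets WORK, CA_DIR and CA_CONF
setup_ca() {
    WORK=$(mktemp -d)
    CA_DIR="$WORK/ca"
    CA_CONF="$CA_DIR/openssl.cnf"
    mkdir -p "$CA_DIR/newcerts" "$CA_DIR/private"
    : > "$CA_DIR/index.txt"           # the same database easy-rsa's index.txt is
    echo 1000 > "$CA_DIR/serial"; echo 1000 > "$CA_DIR/crlnumber"
    cat > "$CA_CONF" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir              = $CA_DIR
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/ca.crt
private_key      = \$dir/private/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = policy_cn
x509_extensions  = v3_client
unique_subject   = no
[ policy_cn ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_client ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -config "$CA_CONF" -extensions v3_ca \
        -subj "/CN=Demo CA" -keyout "$CA_DIR/private/ca.key" -out "$CA_DIR/ca.crt" 2>/dev/null
    # an empty CRL to begin with, so a CRL-checking verifier always has one to load
    openssl ca -config "$CA_CONF" -gencrl -out "$CA_DIR/crl.pem" 2>/dev/null
}

# issue_cert NAME CN: CSR + "openssl ca" signature -> $WORK/NAME.key and $WORK/NAME.crt
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -config "$CA_CONF" -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl ca -batch -notext -config "$CA_CONF" -in "$WORK/$1.csr" -out "$WORK/$1.crt" 2>/dev/null
}

# verify_cert CERT: chain/signature check only, i.e. OpenVPN without crl-verify
verify_cert() { openssl verify -CAfile "$CA_DIR/ca.crt" "$1" >/dev/null 2>&1; }

# verify_cert_crl CERT: the same check plus the CRL, i.e. what crl-verify adds
verify_cert_crl() {
    cat "$CA_DIR/ca.crt" "$CA_DIR/crl.pem" > "$WORK/ca-and-crl.pem"
    openssl verify -crl_check -CAfile "$WORK/ca-and-crl.pem" "$1" >/dev/null 2>&1
}

# revoke_cert CERT: flip the serial's row in index.txt to R (with a revocation date)
# and regenerate crl.pem; only the serial is read, so any copy of the cert will do
revoke_cert() {
    openssl ca -config "$CA_CONF" -revoke "$1" 2>/dev/null
    openssl ca -config "$CA_CONF" -gencrl -out "$CA_DIR/crl.pem" 2>/dev/null
}

# count_revoked: rows in index.txt whose status column is R
count_revoked() { grep -c '^R' "$CA_DIR/index.txt" || true; }

# report LABEL CMD...: print accepted/rejected instead of aborting under set -e
report() {
    label=$1; shift
    if "$@"; then echo "$label: accepted"; else echo "$label: rejected"; fi
}

demo() {
    setup_ca
    issue_cert alice alice
    cp "$WORK/alice.crt" "$WORK/alice-laptop.crt"   # the client's own copy
    rm "$CA_DIR/newcerts/"*.pem                     # "removed the files from the server"
    report "server copy deleted, no CRL check" verify_cert "$WORK/alice-laptop.crt"
    revoke_cert "$WORK/alice-laptop.crt"            # revoke using the client's copy
    report "revoked, no CRL check" verify_cert "$WORK/alice-laptop.crt"
    report "revoked, CRL check" verify_cert_crl "$WORK/alice-laptop.crt"
    issue_cert alice2 alice                         # same CN, new serial (unique_subject = no)
    report "re-issued with same CN, CRL check" verify_cert_crl "$WORK/alice2.crt"
    echo "revoked rows in index.txt: $(count_revoked)"
}

demo
```

Run it with any OpenSSL that has the `ca` and `verify` subcommands; the temp directory is left in place so index.txt (now with a proper R row carrying the revocation date) and crl.pem can be inspected. The file that OpenVPN's crl-verify would point at is the regenerated crl.pem. Note that `default_crl_days = 30` sets the CRL's nextUpdate: OpenSSL's CRL checking treats a CRL past nextUpdate as a verification error in its own right, so a short lifetime means the CRL has to be regenerated on a schedule, not just after each revocation.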