
Is it possible to configure OpenVPN to use a certificate whitelist which contains allowed certificates instead of a certificate revocation list (CRL) for disallowed certificates?

Regards, Jochen

1 Answer

You can use client-config-dir to specify the Common Names which you wish to allow. The name of the file should be the CN of the certificate you wish to allow, and then you write a verify-cn script (the one we have at work was probably written by the admin who set up our OpenVPN, but I'm sure there are standard ones out there) that checks that the CN in the presented certificate equals a file in the CCD directory. Tell OpenVPN to use it with the tls-verify option and set script-security to 2 so that the verify-cn script can be run, and you're away.

However, all this doesn't negate the need for a CRL. Without a CRL you won't be able to revoke a specific issue of a client's certificate, for instance if their existing certificate was compromised or lost and they were issued a new certificate with the same Distinguished Name details.

Arguably a CRL is also slightly more secure than removing a client's CCD configuration because the SSL checking is performed further up the chain.

womble
Dan Carley
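A worked example of the verify-cn hook the answer describes, added here; it is not the poster's script and not part of OpenVPN itself. It assumes OpenVPN invokes a tls-verify hook with two arguments (the certificate depth and the X.509 subject DN), that the DN uses one of the two spellings OpenVPN has used over the years (`/C=US/O=Example/CN=alice` or `C=US, O=Example, CN=alice`), and a hypothetical CCD path of `/etc/openvpn/ccd`. Only the leaf certificate (depth 0) is checked against the directory; the CA chain above it has already been validated by OpenVPN. CN values that could escape the CCD directory are rejected before any file lookup:

```shell
#!/bin/sh
# Added example, not the poster's script: an OpenVPN --tls-verify hook that
# accepts a client only if a file named after its certificate CN exists in
# the client-config-dir.  Invocation assumed: script <depth> <subject DN>.

# Assumed CCD path; point this at your --client-config-dir.
CCD_DIR="${CCD_DIR:-/etc/openvpn/ccd}"

# Extract the CN from a subject DN.  Both DN spellings are handled:
#   "/C=US/O=Example/CN=alice"   (slash-separated)
#   "C=US, O=Example, CN=alice"  (comma-separated)
extract_cn() {
    dn="$1"
    case "$dn" in
        /*) sep='/' ;;
        *)  sep=',' ;;
    esac
    printf '%s\n' "$dn" | tr "$sep" '\n' | sed -n 's/^ *CN=//p' | head -n 1
}

# Reject empty CNs and any CN that is not a plain file name: no slashes,
# no leading dot (blocks ".." and dotfiles), conservative character set.
cn_is_safe() {
    cn="$1"
    [ -n "$cn" ] || return 1
    case "$cn" in
        *[!A-Za-z0-9._@-]*) return 1 ;;
        .*) return 1 ;;
    esac
    return 0
}

# 0 when a CCD file named exactly after the CN exists, 1 otherwise.
cn_allowed() {
    ccd="$1"; cn="$2"
    cn_is_safe "$cn" || return 1
    [ -f "$ccd/$cn" ]
}

# Entry point: $1 = depth, $2 = subject DN.  Exit 0 accepts, non-zero rejects.
verify() {
    depth="$1"; dn="$2"
    # Intermediate and root certificates (depth > 0) are accepted here;
    # OpenVPN has already verified the chain against the configured CA.
    [ "$depth" -eq 0 ] || return 0
    cn=$(extract_cn "$dn")
    if cn_allowed "$CCD_DIR" "$cn"; then
        return 0
    fi
    echo "tls-verify: rejecting certificate with CN='$cn' (no CCD entry)" >&2
    return 1
}

# Run the hook only when called with OpenVPN's two arguments.
if [ "$#" -eq 2 ]; then
    verify "$1" "$2"
    exit $?
fi
```

Wire it in with the three options the answer names: `client-config-dir /etc/openvpn/ccd`, `tls-verify /etc/openvpn/verify-cn.sh` and `script-security 2` in the server config, then create an empty (or per-client) file in the CCD directory for each CN you want to admit. Removing the file is what revokes access in this scheme, which is exactly why the answer still recommends a CRL: a replacement certificate with the same CN is indistinguishable to this script.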
  • I was hoping to get around using a CRL, because I think it is much easier (and safer) to keep track of the certificates I currently allow than to keep track of every certificate ever issued. A "Certificate Approval List" would be much easier to manage than a CRL. –  Sep 09 '09 at 12:54
  • In 2023, any "proper" solution to this? Really, whitelisting is much better than blacklisting... – sha Mar 22 '23 at 09:51