Suppose we create certificates for OpenVPN using easy-rsa. And we have two clients - client1 and client2 with their certificates etc. Suppose that some time later we need to disable client2 certificate as he is a bad guy. How to do it?

Valerio Bozzolan

Pavel_K
Just revoke it and start OpenVPN with the updated CRL. – Michael Hampton Mar 18 '18 at 18:48
1 Answer
3
To elaborate Michael Hampton's comment, here's how you do it:
- cd /etc/openvpn/easy-rsa
- . ./vars
- ./revoke-full client2
- mv -v /etc/openvpn/easy-rsa/keys/crl.pem /etc/openvpn/
- cat /etc/openvpn/easy-rsa/keys/index.txt
- Make sure you see something like this: R 111111111117Z 111111111111Z 01 unknown /C=PH/ST=NCR/L=MC/O=Company/OU=IT/CN=client2/name=client2/emailAddress=client2@company.com
- vi /etc/openvpn/server.conf
- Make sure you have this "crl-verify crl.pem"
- Save and exit
- Restart OpenVPN service

Itai Ganot
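
The manual checks in the answer above (the `R` entry in index.txt and the `crl-verify` line in server.conf) can be scripted. This is an added example, not part of the original answer: the function names are hypothetical, and it assumes the tab-separated index.txt layout that easy-rsa 2.x gets from OpenSSL's CA database.

```shell
#!/bin/sh
# Added example: post-revocation checks for the easy-rsa 2.x layout used above.
# Function names are hypothetical; all paths are passed in as arguments.

# cn_status INDEX CN -> prints "revoked", "valid" or "missing".
# index.txt is tab-separated: status, expiry, revocation date, serial,
# filename, subject. A CN counts as revoked only if no V (valid) entry
# remains for it, which catches a certificate reissued under the same name.
cn_status() {
    awk -F'\t' -v cn="$2" '
        index($6 "/", "/CN=" cn "/") {
            if ($1 == "V") valid++
            else if ($1 == "R") revoked++
        }
        END {
            if (valid) print "valid"
            else if (revoked) print "revoked"
            else print "missing"
        }' "$1"
}

# conf_crl_path CONF -> prints the file named by an active (uncommented)
# crl-verify directive; returns 1 if the server never consults a CRL.
conf_crl_path() {
    awk '$1 == "crl-verify" { print $2; found = 1; exit }
         END { exit !found }' "$1"
}

# check_revocation INDEX CONF CN -> returns 0 only when the CN is revoked
# AND the server configuration enforces a CRL.
check_revocation() {
    status=$(cn_status "$1" "$3")
    [ "$status" = "revoked" ] || { echo "FAIL: $3 is $status" >&2; return 1; }
    crl=$(conf_crl_path "$2") || { echo "FAIL: no crl-verify in $2" >&2; return 1; }
    echo "OK: $3 revoked, server checks $crl"
}
```

With the paths from the answer, the call would be `check_revocation /etc/openvpn/easy-rsa/keys/index.txt /etc/openvpn/server.conf client2`.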