I finally figured this out on my own.

Within the keys directory there is an index.txt. When you revoke someone, a few small changes are made to that file. When you generate a crl.pem, it blacklists everyone who has been marked as revoked in that file. A normal key generation setup should not have the problems I was experiencing.

root@myserver:/tmp/openvpn# diff index.txt index.txt.old
9c9
< R 160111131000Z 070777702520Z 09 unknown /C=US/ST=PA/O=CustID/CN=Key_Name/emailAddress=admin@xxxxxxxxxxxxx
---
> V 160111131000Z 09 unknown /C=US/ST=PA/O=CustID/CN=Key_Name/emailAddress=admin@xxxxxxxxxxxxx

To unrevoke a key, it appears you simply change the R back to a V and delete the third piece of text there. Not tested.

Andrew

On 2/27/07, Andrew Guenther <andguent@xxxxxxxxx> wrote:
> On 2/26/07, Roland Pope <rpope@xxxxxxxxxxxxx> wrote:
> >
> >
> > Roland Pope wrote:
> > >
> > >> I would love to hear more info on each.
> > >>
> > >> Hypothetically, if I revoked a key two weeks ago, and then I revoke a
> > >> different key today, how is the previous info included in creating the
> > >> new crl.pem? Which file(s) does the revoke process pull data from
> > >> (other than the obvious keys for the person being revoked, and the
> > >> ca.crt)? Is this documented somewhere that I couldn't find?
> > > The system keeps a list of the serial numbers of all the certs that have
> > > been revoked.
> > > It then puts all of these into the CRL file, that's why it's called a
> > > Certificate Revocation LIST, so each time you revoke a new cert, it gets
> > > added to the list and you replace the old CRL.pem file with this new one.
> > >
> > >> How do you "put all the CRLs into a single PKCS12 file along with the
> > >> server CA's, cert and private key"? I probably have a single
> > >> hierarchy, I kept it simple when possible. However I'm still trying to
> > >> wrap my head around all of the cert concepts, and any info is helpful.
> > >
> > > When you create a PKCS12 file, you can select more than one CA file to
> > > be included, but I suspect this is not applicable to you as you will
> > > probably be running one CA and not using PKCS12 files at all.
> > >
> > >> Possibly related to above paragraph: Is it feasible to un-revoke a
> > >> key? I'm hoping that creating the PKCS12 file may let me build my
> > >> blacklist cafeteria style. The guy above me in the chain is expecting
> > >> a pppd style "comment out username, uncomment out username" on/off
> > >> switch. Trying to grab onto how realistic this is.
> > > Un-revoking certs is possible. You find out where the system is storing
> > > the list of revoked serial numbers and you get rid of the one you want
> > > to 'Un-revoke'.
> > >
> > > It basically works like this in its most simple form (Although I use a
> > > different Cert Hierarchy for my server than the one I issue my client
> > > certs out of, to prevent naughty Clients from pretending to be my
> > > OpenVPN server).
> > >
> > > 1) Create a CA to sign your certs and CRLs.
> > > 2) Issue cert serial number 01 to your OpenVPN server and place the cert
> > > and key on the server machine.
> > > 3) Issue cert serial number 02 to 'Joe Bloggs' and hand it out to him.
> > > 4) Issue cert serial number 02 to 'Mary Smith' and hand it out to her.
> > > 5) Joe Bloggs gets his lappy stolen, so you revoke cert serial number
> > > 01 and issue a new one with serial number 03.
> > > 6) You create a new CRL and sign it with your CA's private key (so it
> > > can be checked for authenticity) and plonk it onto your server.
> > > 7) Hacker 'Bad Guy' tries to use the stolen laptop to connect with the
> > > original 'Joe Bloggs' cert that has serial number 01. This fails as the
> > > server sees in the CRL that serial 01 is revoked.
> > > 8) Mary drops her PDA into the toilet and to make sure no Sewer rats try
> > > and hack your system, you revoke cert serial number 02 and issue her
> > > with cert serial number 04.
> > > 9) You gen a new CRL and plonk it over the top of the old one you
> > > previously put on the server. This new CRL now has serial numbers 01 and
> > > 02 in its list, so when 'Sewer Rat' and 'Bad Guy' both try and connect
> > > to your server they can't because the server knows that both serials are
> > > revoked, but the new certs with serial 03 and 04 still work fine.
> > >
> > > This is much better than commenting out a username as it means that the
> > > Common Names in the new certs can be the same as the old revoked ones
> > > which will mean you won't have to change anything else that relies on
> > > common name (Like Client config files on the server).
> > Oops, I got my cert serial numbers confused :( Just pretend that the
> > server cert has a serial number of 00, Joe Bloggs has serial 01 and that
> > Mary Smith's cert has a serial number of 02 for the purpose of my
> > explanation.
> >
> > Roland
> >
>
> Thanks for the explanation. I think I'm good on most of those concepts
> involving what I want the revoke to ultimately do. I just have to get
> there.
>
> You mention that "the system keeps a list of the serial numbers of all
> the certs that have been revoked." Where is this file? Is it human
> readable?
>
> > Un-revoking certs is possible. You find out where the system is storing
> > the list of revoked serial numbers and you get rid of the one you want
> > to 'Un-revoke'.
>
> I assume once you remove it, you have to create a new crl.pem? Is
> there a specific command for this?
>
> Thanks again.
>
>
> Andrew
>
______________________
OpenVPN mailing lists
https://lists.sourceforge.net/lists/listinfo/openvpn-users
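The index.txt layout the thread is working out (status letter, expiry, revocation time, serial, filename, subject DN, separated by tabs) is the OpenSSL `openssl ca` database that easy-rsa's revoke and gencrl steps drive. The following is an added example, not code from the thread or from easy-rsa: a small Python parser over a constructed sample index.txt that reports which serials a freshly generated crl.pem would carry and which serial is currently valid for each Common Name, which is the audit you want before overwriting the CRL on the server. Serials, dates, and DNs in the sample are made up; note that for V entries the third field is empty, so the real file has two tabs in a row there (the quoted diff above has those tabs collapsed into spaces).

```python
"""Parse an OpenSSL CA index.txt (as used by easy-rsa) and report CRL contents.

Added example, not from the thread or from easy-rsa. Assumes the standard
`openssl ca` database layout: six tab-separated fields per line, status
V (valid), R (revoked) or E (expired), and a revocation time that may carry
an optional ",reason" suffix.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample index.txt (not copied from the thread). Field order:
#   status  expiry  revocation-time[,reason]  serial  filename  subject-DN
SAMPLE_INDEX = (
    "V\t160111131000Z\t\t00\tunknown\t/C=US/ST=PA/O=CustID/CN=server\n"
    "R\t160111131000Z\t070227120000Z\t01\tunknown\t/C=US/ST=PA/O=CustID/CN=joe_bloggs\n"
    "R\t160111131000Z\t070301080000Z,keyCompromise\t02\tunknown\t/C=US/ST=PA/O=CustID/CN=mary_smith\n"
    "V\t160111131000Z\t\t03\tunknown\t/C=US/ST=PA/O=CustID/CN=joe_bloggs\n"
    "V\t160111131000Z\t\t04\tunknown\t/C=US/ST=PA/O=CustID/CN=mary_smith\n"
)

VALID_STATUSES = {"V", "R", "E"}


@dataclass
class IndexEntry:
    status: str
    expiry: str
    revoked_at: Optional[str]  # None unless status is R
    reason: Optional[str]      # optional CRL reason after the comma
    serial: str
    filename: str
    subject: str

    @property
    def common_name(self) -> Optional[str]:
        for part in self.subject.split("/"):
            if part.startswith("CN="):
                return part[3:]
        return None


def parse_index(text: str) -> List[IndexEntry]:
    """Parse index.txt text; raise ValueError on any malformed line."""
    entries: List[IndexEntry] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError(f"line {lineno}: expected 6 tab-separated fields, got {len(fields)}")
        status, expiry, revocation, serial, filename, subject = fields
        if status not in VALID_STATUSES:
            raise ValueError(f"line {lineno}: unknown status {status!r}")
        revoked_at, _, reason = revocation.partition(",")
        if status == "R" and not revoked_at:
            raise ValueError(f"line {lineno}: R entry without a revocation time")
        if status != "R" and revocation:
            raise ValueError(f"line {lineno}: non-R entry carries a revocation time")
        entries.append(IndexEntry(status=status, expiry=expiry,
                                  revoked_at=revoked_at or None, reason=reason or None,
                                  serial=serial, filename=filename, subject=subject))
    return entries


def is_well_formed(text: str) -> bool:
    """True if every line parses; a hand-edited index.txt should pass this first."""
    try:
        parse_index(text)
        return True
    except ValueError:
        return False


def crl_serials(entries: List[IndexEntry]) -> List[str]:
    """Serials that `openssl ca -gencrl` would list in the CRL: every R entry."""
    return sorted(e.serial for e in entries if e.status == "R")


def is_revoked(entries: List[IndexEntry], serial: str) -> bool:
    return any(e.status == "R" and e.serial == serial for e in entries)


def active_serials_by_cn(entries: List[IndexEntry]) -> Dict[str, List[str]]:
    """Map each CN to the serials still valid for it, so a reissued cert
    (same CN, new serial) can be confirmed next to its revoked predecessor."""
    out: Dict[str, List[str]] = {}
    for e in entries:
        if e.status == "V" and e.common_name:
            out.setdefault(e.common_name, []).append(e.serial)
    return out


if __name__ == "__main__":
    idx = parse_index(SAMPLE_INDEX)
    print("serials a new crl.pem would list:", crl_serials(idx))
    for e in idx:
        if e.status == "R":
            print(f"  {e.serial} {e.common_name} revoked {e.revoked_at} reason={e.reason}")
    print("still valid per CN:", active_serials_by_cn(idx))
```

Run it against a real keys/index.txt by replacing SAMPLE_INDEX with the file's contents; if is_well_formed returns False after a manual edit of the kind discussed above, fix the line before regenerating the CRL, since `openssl ca` will refuse a database it cannot parse.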