Erich Titl wrote:
>
>
> Aidan Anderson wrote:
>> Hi List,
>>
>> I have been testing the setup of OpenVPN 2.0 and easy-rsa version 2.0
>> for possible deployment in our network. I have come across an issue
>> with revoking certificates.
>>
>> First off, it allows you to create multiple certificates with the
>> same common name. This is pointed out in the documentation as useful
>> for creating a certificate with the same common name as a previously
>> revoked certificate (lost passwords etc.). However, if you create 2
>> certificates with the same common name and issue the ./revoke-full
>> command on the common name, it revokes the most recently created
>> certificate. If you issue the revoke command again with the same
>> common name, it says that the certificate is already revoked. When I
>> tested connection to the server from a client PC, the revoked
>> certificate is rejected as expected but the certificate created
>> initially still works and you have no way of revoking it. Having a
>> certificate out in the field that you cannot revoke is obviously very
>> dangerous and will give you a big headache if you have to create a
>> new CA and re-issue all your certificates.
>
> Typically you need to revoke a certificate _before_ you can reissue it.
>>
>> How have other people coped with this? Would the best plan be to
>> write a wrapper for the revoke-full command to ensure that a common
>> name cannot be created if a valid one already exists? I could do
>> this by reading the contents of index.txt.
>
> easy-rsa is what it is called, a simple easy wrapper for openssl.
> Depending on the number of certificates you want to handle, you
> probably need another tool.
> I don't have many certs to support and went for roCA, a small CDrom
> based tool which I run in a virtual machine. Not too well suited for
> large numbers of certificates but it works for me.
>
> cheers
>
> Erich
Thanks for the reply Erich, I appreciate that common sense should
prevail when using this type of tool.
As many people will be using it to create keys, I have created a small
wrapper for revoke-full to avoid the situation ever arising. I've added
the relevant part of the script below in case anyone finds it useful.
regards,
Aidan
Set $key_dir and $rsa_dir to match your key and rsa directories
#!/bin/bash
## Validate the supplied common name (assumed here to be the first
## argument; the original snippet set $common_name elsewhere).
## If the common name doesn't exist then add it.
## If the common name exists and is active then don't add it.
## If the common name exists but has been previously revoked, ask
## the user to make the decision.
#
common_name="$1"
if [ -z "$common_name" ]; then
    echo "usage: $0 common_name"; exit 1
fi
cd "$key_dir" || exit 1
add_common_name="no"
# index.txt is tab separated: status, expiry, revocation date, serial,
# filename, subject DN. Compare the CN as a whole DN component so that
# "alice" does not match "alice2", and collect the status of every
# entry for the name rather than only the last one: revoke-full marks
# only the newest certificate R, and an older duplicate may still be V.
cert_states=$(awk -F'\t' -v cn="$common_name" '
    { n = split($6, p, "/")
      for (i = 1; i <= n; i++)
          if (p[i] == "CN=" cn) { print $1; break } }' index.txt)
if [ -z "$cert_states" ]; then
    add_common_name="yes"
elif echo "$cert_states" | grep -q '^V'; then
    message="Aborting, this common name cannot be added because it is currently active."
else
    echo; echo -n "This common name was previously revoked, are you sure you want to use it again? [y/n]:"
    read yorn
    if [ "$yorn" = "y" ]; then
        add_common_name="yes"
    else
        message="Aborting, common name not added."
    fi
fi
## Create certificate if validated to do so.
#
if [ "$add_common_name" = "yes" ]; then
    cd "$rsa_dir" || exit 1
    . ./vars
    ./build-key "$common_name"
else
    echo; echo "$message"; echo
fi
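As an added example, not part of Aidan's script or of easy-rsa itself, the following shell snippet shows the other half of the problem from the thread: finding the certificate that revoke-full cannot reach. It parses an index.txt (a constructed sample, reproducing two "alice" certificates of which only the newer one was revoked) and reports every still-valid serial for a common name, so a wrapper can refuse a duplicate and an administrator can see which serial is still accepted by the server. The suggested revocation command at the end relies on openssl ca keeping a per-serial copy of each issued certificate in new_certs_dir, which easy-rsa 2.0's openssl.cnf points at $KEY_DIR; that command is printed, not run, since it needs a real CA. The function names and the sample DN values are my own.

```shell
#!/bin/sh
# Added example (not from the original post): inspect easy-rsa's
# index.txt for every certificate issued under a common name, so a
# still-valid duplicate cannot hide behind a revoked one.
#
# index.txt is the OpenSSL CA database: one tab-separated line per
# certificate with the fields
#   status (V/R/E)  expiry  revocation-date  serial  filename  subject-DN

# Print "<status> <serial>" for each entry whose subject has exactly
# this CN. The DN is split on "/" and compared component by component,
# so CN=alice does not match CN=alice2 and no regex metacharacters in
# the name are interpreted.
cn_entries() {
    awk -F'\t' -v cn="$2" '
    {
        n = split($6, parts, "/")
        for (i = 1; i <= n; i++)
            if (parts[i] == "CN=" cn) { print $1, $4; break }
    }' "$1"
}

# Serials of still-valid (status V) certificates for a CN, one per line.
cn_active_serials() {
    cn_entries "$1" "$2" | awk '$1 == "V" { print $2 }'
}

# Exit status 0 if at least one valid certificate exists for the CN.
cn_has_active() {
    [ -n "$(cn_active_serials "$1" "$2")" ]
}

# Constructed sample database reproducing the situation from the thread:
# alice was issued twice (serials 01 and 02), revoke-full revoked only
# the newer one, and an unrelated alice2 is also present.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
IDX="$tmp/index.txt"
printf 'V\t150101000000Z\t\t01\tunknown\t/C=GB/O=Test/CN=alice/emailAddress=alice@example.com\n' >  "$IDX"
printf 'R\t150101000000Z\t100101000000Z\t02\tunknown\t/C=GB/O=Test/CN=alice/emailAddress=alice@example.com\n' >> "$IDX"
printf 'V\t150101000000Z\t\t03\tunknown\t/C=GB/O=Test/CN=alice2/emailAddress=alice2@example.com\n' >> "$IDX"

# A wrapper around build-key should refuse here: the last entry for
# alice is R, but serial 01 is still V and still accepted by the server.
if cn_has_active "$IDX" alice; then
    echo "alice still has valid certificate(s): $(cn_active_serials "$IDX" alice | tr '\n' ' ')"
    # openssl ca keeps a copy of every issued certificate as
    # <serial>.pem in new_certs_dir (easy-rsa 2.0 sets that to $KEY_DIR),
    # so each one can be revoked individually instead of via the
    # per-CN .crt file that build-key overwrites. Printed, not executed,
    # because it needs a real CA; KEY_DIR and KEY_CONFIG come from ./vars.
    for serial in $(cn_active_serials "$IDX" alice); do
        echo "  to revoke: openssl ca -config \"\$KEY_CONFIG\" -revoke \"\$KEY_DIR/$serial.pem\""
    done
fi
```

Checking the whole history of a name rather than its last line is the point: with the sample above, a last-line check sees R and would happily let build-key reissue "alice" while serial 01 still works in the field.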
____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users