How to revoke OpenVPN client certificate in Debian

debian openvpn

I used the easy-rsa/2.0 programs to build server and client certificates for OpenVPN. I copied the client ones to the clients along with ca.crt. All good.

I now need to revoke a client certificate from a stolen laptop. In /usr/share/doc/openvpn/examples/easy-rsa/2.0 there's a revoke script. I've run this successfully and it says "Data Base Updated". It's created some files in a subdir of the examples/doc folder.

I've copied the created crl.pem to /etc/openvpn/crl.pem and I've added crl-verify /etc/openvpn/crl.pem to server.conf.

Is there any way I can verify that I've done the right thing and that it will indeed block access?

Also, I'm not clear where this "Data Base" is stored or what it refers to? Is there any way to inspect this database?


Solution 1:

On easy-rsa directory there's a 'revoke-full' file. When you run this script with your user/key as parameter, index.txt file on easy-rsa/keys directory will be updated.

You'll see an 'R' (for Revoked) on the first column from the left for your user.

Solution 2:

On my server I didn't have the easy-rsa scripts, but you can revoke OpenVPN client certificates without easy-rsa manually using openssl.

A lot of the information is taken from this useful resource but if your OpenVPN server is set up like mine, the certificate authority is configured alongside the OpenVPN server settings, with the client certificates generated on-server (I use Ansible + Sovereign to set up certificates for a number of users all at once).

# as root in /etc/openvpn
openssl ca -config openssl-server-certificate.cnf -revoke /path/to/client.crt

This revokes the certificate and updates the database, but you still need to make sure that OpenVPN is checking a certificate revocation list so edit the server.conf and check for a line starting with crl-verify. If you don't find one, then add it:

crl-verify /usr/share/openvpn/openssl-server.crl

(You can use any path you want, but most OpenVPN servers are configured to run as nobody:nobody so you will need some path that is world executable - not /etc/openvpn)

And finally tell OpenSSL to regenerate the revocation list

openssl ca -config openssl-server-certificate.cnf -gencrl -out /usr/share/openvpn/openssl-server.crl

(or wherever your revocation list lives). Restart the OpenVPN service and it should pull in the changes to the config and use the CRL when verifying connection requests - if the certificate is revoked the connection will be dropped.

Solution 3:

Use 

./list-crl

from easy-rsa directory to display serial numbers of revoked certificates.

Also check the openvpn logs for "CRL CHECK FAILED" message.

Related

iSCSI separation from Ethernet via VLAN
IPTABLES allow connection to a list of IPs to a specific user (ip) - block all the rest from this user only
How to direct a custom domain at a particular tweet [closed]
Mail from Teams forwarded to Gmail marked as spam due to DMARC failure
Location redirect from domain to another one in nginx
Will this DD command work?
nfs file transfers fail, "cp: cannot stat 'dir_name': No such file or directory" but sshfs works fine
DMARC reporting unexpected SPF IP but DKIM still passes
Can I make `user` objectClass to inherit attributes from my custom `xyz` objectClass?
Image not display after using nginx
Best solutions for auto deployment of multiple server applications
Unable to list contents/remove directory (linux ext3)