OpenVPN certificate removal and connecting with no certificate file on server
Solution 1:
The plain answer is it does not work because you've got it all wrong.
Your basic misconception seems to lie in the idea that OpenVPN and the Certificate Authority do have a communication channel so OpenVPN would automagically know which certificates you want to allow. This is not the case. OpenVPN and the Certificate Authority are completely separate entities (even if they both reside on the same host) and do not have any communication whatsoever between each other.
The CA "signs" certification requests (basically public keys bundled with identification information like the host name) by encrypting a hash of the certification request with its own private key. What OpenVPN does is check whether a) it can decrypt the hash using the public key of the CA (which it has, typically residing in a ca.crt file somewhere) and b) the hash is correct for the given certificate. It does not require nor use any "live" connection to the CA for any of this.
You cannot revoke a certificate by deleting it from the CA's directory (note that if you have deleted the client certificate and it was your only copy, `openssl ca` would not allow you to revoke it any more) or by changing the index.txt (this file is just an indication for `openssl ca` about the state of the available certificates). What you need to do instead is
- run `openssl ca -revoke <certificate file>` to revoke the certificate in the internal OpenSSL CA database (basically adding the revocation information to the index.txt)
- create a certificate revocation list using `openssl ca -gencrl -out ca.crl`
- copy this revocation list to the OpenVPN revocation list file (see the `crl-verify` directive in the OpenVPN config file)
- see OpenVPN deny the connection on the next certificate check
If you are using the easy-rsa shell wrapper script set for the OpenSSL CA, see the OpenVPN section on certificate revocation for more detailed documentation on how to achieve the above using the easy-rsa scripts. The basic procedure is
# cd into the easy-rsa directory
cd <somewhere>/easy-rsa
# load your CA-related variables into the shell environment from the ./vars file
. ./vars
# run the revoke script for <clientcert.pem>
./revoke-full clientcert
You would then find the crl.pem in the $KEY_DIR directory as defined in your ./vars file.
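The revoke, gencrl and CRL-check sequence from the answer above, as an added, self-contained example that is not part of the original answer and not OpenVPN's or easy-rsa's own code: it builds a throwaway CA with plain openssl(1), issues a client certificate, shows that it verifies, then revokes it and regenerates the CRL, after which verification against the CA certificate plus CRL (the same check OpenVPN performs through its crl-verify file) rejects it. The directory layout, the config section names (demo_ca, demo_policy, v3_ca, req_dn) and the file names (ca.cnf, client1, trust.pem) are assumptions chosen for this example; the only requirement is that openssl is on PATH.

```shell
#!/bin/sh
# Added example, not from the original answer or from OpenVPN/easy-rsa.
# Assumption: openssl(1) is installed. All names below are hypothetical and
# live in a temporary directory that is removed at the end.
set -eu

# Create the database layout `openssl ca` insists on: index.txt (the CA
# database the answer refers to), serial/crlnumber counters, newcerts/,
# and a config with a ca section and a policy.
setup_ca() {
  ca_dir=$(mktemp -d)
  mkdir "$ca_dir/newcerts"
  : > "$ca_dir/index.txt"
  echo 1000 > "$ca_dir/serial"
  echo 01 > "$ca_dir/crlnumber"
  cat > "$ca_dir/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $ca_dir
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = demo_policy
[ demo_policy ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -config "$ca_dir/ca.cnf" -extensions v3_ca -newkey rsa:2048 \
    -nodes -days 365 -subj "/CN=Demo CA" \
    -keyout "$ca_dir/ca.key" -out "$ca_dir/ca.crt" >/dev/null 2>&1
  # Publish an (empty) CRL from the start so the verifier always has one.
  openssl ca -config "$ca_dir/ca.cnf" -gencrl -out "$ca_dir/ca.crl" >/dev/null 2>&1
  echo "$ca_dir"
}

# Issue a client certificate signed by the CA (adds a "V" line to index.txt).
issue_client() {
  ca_dir=$1; name=$2
  openssl req -new -config "$ca_dir/ca.cnf" -newkey rsa:2048 -nodes -subj "/CN=$name" \
    -keyout "$ca_dir/$name.key" -out "$ca_dir/$name.csr" >/dev/null 2>&1
  openssl ca -batch -config "$ca_dir/ca.cnf" -notext \
    -in "$ca_dir/$name.csr" -out "$ca_dir/$name.crt" >/dev/null 2>&1
}

# The two steps the answer describes: flag the cert as revoked in index.txt
# ("V" becomes "R"), then publish a fresh CRL listing its serial number.
revoke_and_gencrl() {
  ca_dir=$1; cert=$2
  openssl ca -config "$ca_dir/ca.cnf" -revoke "$cert" >/dev/null 2>&1
  openssl ca -config "$ca_dir/ca.cnf" -gencrl -out "$ca_dir/ca.crl" >/dev/null 2>&1
}

# Verify the way OpenVPN does with crl-verify: chain to ca.crt AND consult
# the CRL. Concatenating CA cert and CRL into one -CAfile works on every
# OpenSSL version. Returns 0 if acceptable, 1 if the chain or CRL rejects it.
verify_with_crl() {
  ca_dir=$1; cert=$2
  cat "$ca_dir/ca.crt" "$ca_dir/ca.crl" > "$ca_dir/trust.pem"
  openssl verify -crl_check -CAfile "$ca_dir/trust.pem" "$cert" >/dev/null 2>&1
}

# Number of serial numbers listed in the current CRL.
crl_entries() {
  openssl crl -in "$1/ca.crl" -noout -text | grep -c "Serial Number:" || true
}

# Whole flow; prints a one-line summary of what the verifier decided.
demo() {
  ca_dir=$(setup_ca)
  issue_client "$ca_dir" client1
  if verify_with_crl "$ca_dir" "$ca_dir/client1.crt"; then before=ok; else before=rejected; fi
  # Deleting client1.crt or hand-editing index.txt changes nothing for the
  # verifier; only the revoke + gencrl pair does.
  revoke_and_gencrl "$ca_dir" "$ca_dir/client1.crt"
  if verify_with_crl "$ca_dir" "$ca_dir/client1.crt"; then after=ok; else after=rejected; fi
  echo "before=$before after=$after revoked=$(crl_entries "$ca_dir")"
  rm -rf "$ca_dir"
}

demo
```

To map this onto a real server, the file written by the gencrl step is what you copy to the path named in OpenVPN's crl-verify directive; OpenVPN re-reads that file on each client certificate check, so a stale copy there means a revoked certificate still connects.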