Revoking certificates

A common task when managing a PKI is to revoke certificates that are no longer needed or that have been compromised. This recipe demonstrates how certificates can be revoked using the easy-rsa script and how OpenVPN can be configured to make use of a Certificate Revocation List (CRL).

Getting ready

Set up the client and server certificates using the first recipe from Chapter 2, Client-server IP-only Networks. This recipe was performed on a computer running CentOS 6 Linux, but it can easily be run on Windows or Mac OS.

How to do it...

  1. First, we generate a certificate:
    $ cd /etc/openvpn/cookbook
    $ . ./vars
    $ ./build-key client4
    [...]
    
  2. Then, we immediately revoke it:
    $ ./revoke-full client4
    Using configuration from /etc/openvpn/cookbook/openssl-1.0.0.cnf
    Enter pass phrase for /etc/openvpn/cookbook/keys/ca.key:
    Revoking Certificate 06.
    Data Base Updated
    Using configuration from /etc/openvpn/cookbook/openssl-1.0.0.cnf
    Enter pass phrase for /etc/openvpn/cookbook/keys/ca.key:
    client4.crt: C = US, O = Cookbook 2.4, CN = client4
    error 23 at 0 depth lookup:certificate revoked
    
  3. This also updates the CRL. The CRL can be viewed using the command:
    $ openssl crl -text -noout -in keys/crl.pem
    Certificate Revocation List (CRL):
            Version 1 (0x0)
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: /C=US/O=Cookbook 2.4/CN=Cookbook 2.4 CA/[email protected]
            Last Update: Apr 22 15:54:10 2016 GMT
            Next Update: May 22 15:54:10 2016 GMT
    Revoked Certificates:
        Serial Number: 06
            Revocation Date: Apr 22 15:54:08 2016 GMT
        Signature Algorithm: sha256WithRSAEncryption
             12:8a:f0:b4:3e:aa:5b:a1:13:64:41:c7:0b:46:ef:00:99:50:
             6b:72:b8:2e:ff:93:eb:9b:7e:63:9e:8d:78:63:e8:96:44:30:
             5b:eb:3d:4a:a4:2a:36:1e:8c:c6:cd:11:63:b1:d5:88:31:46:
    

How it works...

A CRL contains a list of the serial numbers of certificates that have been revoked. A CA hands out each serial number only once, so a serial number identifies exactly one certificate issued by that particular CA. The CRL is signed using the CA's private key, ensuring that the CRL was indeed issued by the appropriate party.

There's more...

The question "what exactly is needed to revoke a certificate" is often asked, so the following section goes a bit deeper into this.

What is needed to revoke a certificate

In order to revoke a certificate, the certificate subject ("DN") is required as well as the certificate serial number. If a certificate is lost, then it is simply not possible to revoke it. This shows how important it is to do proper PKI management, including backing up the certificates that have been handed out to users.
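The following script is an added example, not from the book or from easy-rsa: it builds a throwaway CA with plain openssl, issues a client certificate, revokes it and re-issues the CRL (steps 1 to 3 above), then checks the certificate against the CRL. It also shows the point made in this section: `openssl ca -revoke` needs the issued certificate file itself, because the serial number it carries is what gets marked in the CA's database. All names, the temporary directory and the config are constructed; it assumes OpenSSL 1.1 or later on the PATH.

```shell
#!/bin/sh
# Added example (not the book's code): throwaway CA, one client cert,
# revocation, CRL generation and a CRL check using plain openssl.
set -eu
setup_ca() {
  cd "$(mktemp -d)"; mkdir certs; : > index.txt; echo 01 > serial
  # Minimal 'openssl ca' config; index.txt maps serial numbers to issued certs.
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir/certs
serial = $dir/serial
certificate = $dir/ca.crt
private_key = $dir/ca.key
default_md = sha256
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
    -subj "/CN=Demo CA" -days 365 -config ca.cnf 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -keyout client4.key -out client4.csr \
    -subj "/CN=client4" -config ca.cnf 2>/dev/null
  openssl ca -batch -notext -days 365 -config ca.cnf -in client4.csr -out client4.crt 2>/dev/null
}
# Revoking needs the issued cert: '-revoke' reads its serial, marks that
# entry in index.txt, and '-gencrl' re-signs the CRL with the CA key.
revoke_cert() {
  openssl ca -batch -config ca.cnf -revoke "$1" 2>/dev/null
  openssl ca -batch -config ca.cnf -gencrl -crldays 30 -out crl.pem 2>/dev/null
}
# Prints "revoked" or "valid" for cert $1 against CA cert $2 and CRL $3.
crl_status() {
  if openssl verify -crl_check -CAfile "$2" -CRLfile "$3" "$1" 2>&1 \
       | grep -q 'certificate revoked'; then echo revoked; else echo valid; fi
}
# Lists the serial numbers on the CRL, as in step 3 above.
revoked_serials() { openssl crl -in "$1" -noout -text | sed -n 's/^ *Serial Number: *//p'; }

setup_ca
openssl ca -batch -config ca.cnf -gencrl -crldays 30 -out crl.pem 2>/dev/null  # empty CRL
BEFORE=$(crl_status client4.crt ca.crt crl.pem)
revoke_cert client4.crt
AFTER=$(crl_status client4.crt ca.crt crl.pem)
echo "before: $BEFORE  after: $AFTER  revoked serials: $(revoked_serials crl.pem)"
```

Because no `crlnumber` file is configured, the generated CRL is a version 1 CRL, like the one shown in step 3.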

See also

  • The next recipe, The use of CRLs
  • The recipe later in this chapter, Multiple CA's: stacking, using the -capath directive