A common task when managing a PKI is to revoke certificates that are no longer needed or that have been compromised. This recipe demonstrates how certificates can be revoked using the easy-rsa scripts and how OpenVPN can be configured to make use of a Certificate Revocation List (CRL).
Set up the client and server certificates using the first recipe from Chapter 2, Client-server IP-only Networks. This recipe was performed on a computer running CentOS 6 Linux, but it can easily be run on Windows or Mac OS.
$ cd /etc/openvpn/cookbook
$ . ./vars
$ ./build-key client4
[...]

$ ./revoke-full client4
Using configuration from /etc/openvpn/cookbook/openssl-1.0.0.cnf
Enter pass phrase for /etc/openvpn/cookbook/keys/ca.key:
Revoking Certificate 06.
Data Base Updated
Using configuration from /etc/openvpn/cookbook/openssl-1.0.0.cnf
Enter pass phrase for /etc/openvpn/cookbook/keys/ca.key:
client4.crt: C = US, O = Cookbook 2.4, CN = client4
error 23 at 0 depth lookup:certificate revoked

$ openssl crl -text -noout -in keys/crl.pem
Certificate Revocation List (CRL):
        Version 1 (0x0)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: /C=US/O=Cookbook 2.4/CN=Cookbook 2.4 CA/[email protected]
        Last Update: Apr 22 15:54:10 2016 GMT
        Next Update: May 22 15:54:10 2016 GMT
Revoked Certificates:
    Serial Number: 06
        Revocation Date: Apr 22 15:54:08 2016 GMT
    Signature Algorithm: sha256WithRSAEncryption
         12:8a:f0:b4:3e:aa:5b:a1:13:64:41:c7:0b:46:ef:00:99:50:
         6b:72:b8:2e:ff:93:eb:9b:7e:63:9e:8d:78:63:e8:96:44:30:
         5b:eb:3d:4a:a4:2a:36:1e:8c:c6:cd:11:63:b1:d5:88:31:46:
A CRL contains the list of certificate serial numbers that the CA has revoked. A CA hands out each serial number only once, so a serial number identifies exactly one certificate issued by that particular CA. The CRL is signed with the CA's private key, so anyone holding the CA certificate can check that the list really was issued by the CA and has not been altered.
The question "what exactly is needed to revoke a certificate?" comes up often, so the following section goes into it a bit deeper.

To revoke a certificate, the CA needs the certificate's subject (its "DN") and its serial number, which is why the revocation above refers to "Certificate 06" rather than to the file name. If the certificate itself is lost and neither of these was recorded, it is simply not possible to revoke it. This shows how important proper PKI management is, including backing up the certificates that have been handed out to users.
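The following script is an added example and not code from the OpenVPN Cookbook or from easy-rsa. It builds a throwaway CA in a temporary directory with the plain openssl CLI (the commands that easy-rsa's revoke-full wraps), issues two client certificates, revokes one of them, generates a CRL and then shows the three points made above: the CA's database records the subject DN and serial of every certificate it has issued, the CRL lists revoked serials and carries the CA's signature, and a verifier that consults the CRL rejects the revoked certificate while still accepting the other one. The names "Demo CA", "client4" and "client5" and the configuration file are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the OpenVPN Cookbook): a throwaway CA built with the
# openssl CLI, used to show what a revocation needs (subject + serial, as
# recorded in index.txt), what a CRL contains (revoked serials, signed by the
# CA) and how verification behaves once the CRL is consulted.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal configuration for "openssl ca". index.txt is the CA database that maps
# every issued serial number to its subject DN and its status (V valid, R revoked).
cat > ca.cnf <<'EOF'
[ ca ]
default_ca       = demo_ca

[ demo_ca ]
dir              = .
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
certificate      = $dir/ca.crt
private_key      = $dir/ca.key
serial           = $dir/serial
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = cn_only

[ cn_only ]
commonName       = supplied

[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca

[ req_dn ]
commonName       = Common Name

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
EOF
mkdir newcerts
touch index.txt
echo 01 > serial

# Self-signed CA (constructed name "Demo CA"), then two client certificates
# issued and recorded by that CA. The first one gets serial 01, the second 02.
openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=Demo CA" -keyout ca.key -out ca.crt 2>/dev/null
for name in client4 client5; do
    openssl req -config ca.cnf -newkey rsa:2048 -nodes \
        -subj "/CN=$name" -keyout "$name.key" -out "$name.csr" 2>/dev/null
    openssl ca -batch -config ca.cnf -notext -in "$name.csr" -out "$name.crt" 2>/dev/null
done

# The two facts a CA needs in order to revoke a certificate.
cert_serial()  { openssl x509 -in "$1" -noout -serial | sed 's/^serial=//'; }
cert_subject() { openssl x509 -in "$1" -noout -subject; }

# Is this serial number listed in the CRL's "Revoked Certificates" section?
crl_lists_serial() { openssl crl -in "$1" -noout -text | grep -q "Serial Number: $2"; }

# Does the CRL carry a valid signature from the given CA certificate?
crl_signed_by() { openssl crl -in "$1" -noout -CAfile "$2" >/dev/null 2>&1; }

# Verify a certificate against ca.crt while consulting the CRL:
# prints "ok", "revoked" (OpenSSL error 23) or "error" for any other failure.
check_with_crl() {
    out=$(openssl verify -CAfile ca.crt -CRLfile "$2" -crl_check "$1" 2>&1 || true)
    case "$out" in
        *"certificate revoked"*) echo revoked ;;
        *": OK"*)                echo ok ;;
        *)                       echo error ;;
    esac
}

SERIAL=$(cert_serial client4.crt)
echo "revoking $(cert_subject client4.crt), serial $SERIAL"

# Revoke client4 (openssl ca looks up its serial in index.txt and flags the entry
# R) and publish a fresh CRL; these are the two steps revoke-full performs.
openssl ca -batch -config ca.cnf -revoke client4.crt 2>/dev/null
openssl ca -batch -config ca.cnf -gencrl -out crl.pem 2>/dev/null

echo "CRL lists serial $SERIAL: $(crl_lists_serial crl.pem "$SERIAL" && echo yes || echo no)"
echo "CRL signed by our CA:    $(crl_signed_by crl.pem ca.crt && echo yes || echo no)"
echo "client4 with CRL check:  $(check_with_crl client4.crt crl.pem)"
echo "client5 with CRL check:  $(check_with_crl client5.crt crl.pem)"
```

The final two lines print "revoked" for client4 and "ok" for client5. Note that revocation keys on the serial in index.txt, so deleting or losing client4.crt would not have stopped the revocation as long as the CA database (and therefore the serial and DN) was intact; what cannot be revoked is a certificate the CA never recorded. The resulting crl.pem is what OpenVPN reads through its crl-verify option.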