Checking expired/revoked certificates

The goal of this recipe is to give an insight into some of the internals of the OpenSSL CA commands. We will show how a certificate's status is changed from "Valid" to "Revoked", or "Expired".

Getting ready

Set up the client and server certificates using the first recipe from Chapter 2, Client-server IP-only Networks. This recipe was performed on a computer running CentOS 6 Linux, but it can easily be run on Windows or Mac OS.

How to do it...

  1. Before we can use plain openssl commands, there are a few environment variables that need to be set. These variables are not set in the vars file by default:
    $ cd /etc/openvpn/cookbook
    $ . ./vars
    $ export KEY_NAME=
    $ export OPENSSL_CONF=/etc/openvpn/cookbook/openssl-1.0.0.cnf
    
  2. Now, we can query the status of a certificate using its serial number:
    $ cd keys
    $ openssl x509 -serial -noout -in server.crt
    serial=01
    $ openssl ca -status 01
    Using configuration from /etc/openvpn/cookbook/openssl-1.0.0.cnf
    01=Valid (V)
    

    This shows that our OpenVPN server certificate is still valid.

  3. The certificate we revoked in the Revoking certificates recipe shows the following:
    $ openssl x509 -serial -noout -in client4.crt
    serial=06
    $ openssl ca -status 06
    Using configuration from /etc/openvpn/cookbook/openssl-1.0.0.cnf
    08=Revoked (R)
    
  4. If we look at the file index.txt in the /etc/openvpn/cookbook/keys directory, we see:
    V 181013174924Z            01  unknown  .../CN=openvpnserver
    R 190117155337Z 160422155408Z  06  unknown  .../CN=client4
    
  5. Next, we modify this file using a normal text editor and replace the R with an E and we blank out the third field 160422155408Z with spaces. This field is the timestamp when the certificate was revoked. The second line now becomes:
    E  190117155337Z                 08 unknown .../CN=client4
    
  6. Now, if we check the status again we get:
    $ openssl ca -status 06
    Using configuration from /etc/openvpn/cookbook/openssl-1.0.0.cnf
    08=Expired (E)
    

    If we generate the CRL again, we see that the certificate has been "un-revoked":

    $ openssl ca -gencrl -out crl.pem
    $ openssl crl -text -noout -in crl.pem | head -8
    Certificate Revocation List (CRL):
            Version 1 (0x0)
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: /C=US/O=Cookbook 2.4/CN=Cookbook 2.4 CA/[email protected]
            Last Update: Apr 26 15:02:01 2016 GMT
            Next Update: May 26 15:02:01 2016 GMT
    No Revoked Certificates.
        Signature Algorithm: sha256WithRSAEncryption
    

How it works...

The OpenSSL ca command generates its CRL by looking at the index.txt file. Each line that starts with an R is added to the CRL, after which the CRL is cryptographically signed using the CA private key.

By changing the status of a revoked certificate to E or even V we can unrevoke a certificate.
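Because the CRL is derived purely from the status letters in index.txt, an edit like the one in step 5 leaves a trace: an E entry whose expiry date is still in the future. The following Python audit is an added example, not code from the book; it parses the tab-separated index.txt format (status, expiry, revocation time, serial, file name, subject), predicts which serials the next CRL will contain, and flags entries whose status contradicts their own timestamps. The sample index content and the client3 entry are constructed for illustration.

```python
"""Audit an OpenSSL CA index.txt: predict CRL contents and flag inconsistent entries."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Constructed sample modelled on the recipe's index.txt after step 5.
# Fields are tab-separated: status, expiry, revocation time, serial, file name, subject.
# Status letters: V = valid, R = revoked, E = expired.
SAMPLE_INDEX = (
    "V\t181013174924Z\t\t01\tunknown\t/C=US/O=Cookbook 2.4/CN=openvpnserver\n"
    "R\t190117155337Z\t160422155408Z\t05\tunknown\t/C=US/O=Cookbook 2.4/CN=client3\n"
    "E\t190117155337Z\t\t06\tunknown\t/C=US/O=Cookbook 2.4/CN=client4\n"
)

@dataclass
class Entry:
    status: str
    expires: datetime
    revoked: Optional[datetime]
    serial: str
    subject: str

def parse_time(value: str) -> datetime:
    # openssl ca writes UTCTime as YYMMDDHHMMSSZ
    return datetime.strptime(value, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def parse_index(text: str) -> List[Entry]:
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError(f"malformed index line: {line!r}")
        status, expiry, revoked, serial, _filename, subject = fields
        revoked_at = parse_time(revoked.strip()) if revoked.strip() else None
        entries.append(Entry(status, parse_time(expiry), revoked_at, serial, subject))
    return entries

def crl_serials(entries: List[Entry]) -> List[str]:
    # openssl ca -gencrl puts exactly the R lines into the CRL
    return sorted(e.serial for e in entries if e.status == "R")

def suspicious_entries(entries: List[Entry], now: datetime) -> List[Tuple[str, str]]:
    """Flag entries whose status letter contradicts the timestamps on the same line."""
    findings = []
    for e in entries:
        if e.status == "E" and e.expires > now:
            findings.append((e.serial, "marked expired but notAfter is in the future"))
        if e.status == "R" and e.revoked is None:
            findings.append((e.serial, "marked revoked but no revocation time"))
        if e.status == "V" and e.expires <= now:
            findings.append((e.serial, "marked valid but certificate has expired"))
    return findings
```

Run against the sample with the CRL's "Last Update" time as the reference point, the audit reports that only serial 05 will appear in the CRL and that serial 06 is marked expired although it does not expire until 2019.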

There's more...

In this recipe, we changed a certificate from Revoked to Expired. This will allow the client from the previous recipe to connect again to the server, as the certificate is still valid. The main reason to change a certificate from Valid to Expired in the index.txt file is to allow us to generate and hand out a new certificate using the exact same name.
