The goal of this recipe is to give an insight into some of the internals of the OpenSSL CA commands. We will show how a certificate's status is changed from "Valid" to "Revoked" or "Expired".
Set up the client and server certificates using the first recipe from Chapter 2, Client-server IP-only Networks. This recipe was performed on a computer running CentOS 6 Linux, but it can easily be run on Windows or Mac OS.
Before running the openssl commands, there are a few environment variables that need to be set. These variables are not set in the vars file by default:
$ cd /etc/openvpn/cookbook
$ . ./vars
$ export KEY_NAME=
$ export OPENSSL_CONF=/etc/openvpn/cookbook/openssl-1.0.0.cnf
First, retrieve the serial number of the server certificate and ask the CA database for its status:
$ cd keys
$ openssl x509 -serial -noout -in server.crt
serial=01
$ openssl ca -status 01
Using configuration from /etc/openvpn/cookbook/openssl-1.0.0.cnf
01=Valid (V)
This shows that our OpenVPN server certificate is still valid.
Next, we do the same for the client4 certificate:
$ openssl x509 -serial -noout -in client4.crt
serial=06
$ openssl ca -status 06
Using configuration from /etc/openvpn/cookbook/openssl-1.0.0.cnf
08=Revoked (R)
If we look at the index.txt file in the /etc/openvpn/cookbook/keys directory, we see:
V 181013174924Z 01 unknown .../CN=openvpnserver
R 190117155337Z 160422155408Z 06 unknown .../CN=client4
Now we edit the index.txt file by hand: on the second line we replace the R with an E, and we blank out the third field, 160422155408Z, with spaces. This field is the timestamp when the certificate was revoked. The second line now becomes:
E 190117155337Z 08 unknown .../CN=client4
Checking the status of the certificate again now gives:
$ openssl ca -status 06
Using configuration from /etc/openvpn/cookbook/openssl-1.0.0.cnf
08=Expired (E)
If we generate the CRL again, we see that the certificate has been "un-revoked":
$ openssl ca -gencrl -out crl.pem
$ openssl crl -text -noout -in crl.pem | head -8
Certificate Revocation List (CRL):
        Version 1 (0x0)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: /C=US/O=Cookbook 2.4/CN=Cookbook 2.4 CA/[email protected]
        Last Update: Apr 26 15:02:01 2016 GMT
        Next Update: May 26 15:02:01 2016 GMT
No Revoked Certificates.
    Signature Algorithm: sha256WithRSAEncryption
The OpenSSL ca command generates its CRL by looking at the index.txt file. Each line that starts with an R is added to the CRL, after which the CRL is cryptographically signed using the CA private key.
By changing the status of a revoked certificate to E, or even V, we can un-revoke a certificate.
In this recipe, we changed a certificate from Revoked to Expired. This will allow the client from the previous recipe to connect again to the server, as the certificate is still valid. The main reason to change a certificate from Valid to Expired in the index.txt file is to allow us to generate and hand out a new certificate using the exact same name.
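The two points above, that the CRL is built only from R lines and that an entry hand-edited to E still describes a certificate the server accepts until its real expiry date, can be checked with a small audit script. It is an added example, not code from the book: it parses the tab-separated index.txt format shown in this recipe, lists the serials that openssl ca -gencrl would put on the CRL, and flags entries whose status contradicts their expiry date. The index content, the full subject names and the extra client3 entry are constructed for the example.

```python
"""Audit an OpenSSL 'ca' index.txt: report CRL candidates and flag
entries whose status (V/R/E) disagrees with the certificate's expiry."""
from datetime import datetime, timezone

# Constructed sample in index.txt layout (tab-separated):
# status, expiry, revocation time, serial, filename, subject.
# Serial 08 is the hand-edited line from the recipe; client3 is made up.
SAMPLE_INDEX = (
    "V\t181013174924Z\t\t01\tunknown\t/C=US/O=Cookbook 2.4/CN=openvpnserver\n"
    "R\t190117155337Z\t160422155408Z\t07\tunknown\t/C=US/O=Cookbook 2.4/CN=client3\n"
    "E\t190117155337Z\t\t08\tunknown\t/C=US/O=Cookbook 2.4/CN=client4\n"
)

def parse_index_time(stamp):
    """Convert an OpenSSL YYMMDDHHMMSSZ stamp to an aware UTC datetime."""
    return datetime.strptime(stamp, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def parse_index(text):
    """Parse index.txt lines into dicts holding the six CA database fields."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        status, expiry, revoked, serial, _fname, subject = line.split("\t")
        entries.append({
            "status": status,
            "expiry": parse_index_time(expiry),
            # The revocation field may carry ",reason" after the timestamp.
            "revoked": parse_index_time(revoked.split(",")[0]) if revoked else None,
            "serial": serial,
            "subject": subject,
        })
    return entries

def crl_serials(entries):
    """Serials that 'openssl ca -gencrl' would list: only status R lines."""
    return [e["serial"] for e in entries if e["status"] == "R"]

def inconsistent_entries(entries, now):
    """Entries whose status contradicts the expiry date. An 'E' entry whose
    certificate has not expired is still accepted by peers, because only
    R lines reach the CRL; a 'V' entry past expiry should have been renewed."""
    findings = []
    for e in entries:
        if e["status"] == "E" and e["expiry"] > now:
            findings.append((e["serial"], "marked E but expires in the future"))
        elif e["status"] == "V" and e["expiry"] <= now:
            findings.append((e["serial"], "marked V but already expired"))
    return findings

if __name__ == "__main__":
    db = parse_index(SAMPLE_INDEX)
    print("CRL would contain serials:", crl_serials(db))
    for serial, why in inconsistent_entries(db, parse_index_time("160426150201Z")):
        print(f"serial {serial}: {why}")
```

Run against a real /etc/openvpn/cookbook/keys/index.txt, any serial reported as "marked E but expires in the future" is a certificate that was un-revoked by hand and will keep connecting until its own expiry date.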