Checking expired/revoked certificates
The goal of this recipe is to give some insight into the internals of the OpenSSL CA commands. We will show how a certificate's status is changed from "Valid" to "Revoked" or "Expired".
Getting ready
Set up the client and server certificates using the first recipe from Chapter 2, Client-server IP-only Networks. This recipe was performed on a computer running CentOS 6 Linux, but it can easily be run on Windows or Mac OS.
How to do it...
Before we can use plain openssl commands, there are a few environment variables that need to be set. These variables are not set in the vars file by default:
$ cd /etc/openvpn/cookbook
$ . ./vars
$ export KEY_NAME=
$ export OPENSSL_CONF=/etc/openvpn/cookbook/openssl-1.0.0.cnf
Now, we can query the status of a certificate using its serial number:
$ cd keys
$ openssl x509 -serial -noout -in server.crt
serial=01
$ openssl ca -status 01
Using configuration from /etc/openvpn/cookbook...
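The status that openssl ca -status reports is looked up in the CA's text database (the file named by the database setting in the OpenSSL configuration, assumed here to be index.txt). The following Python code is an added example, not part of the original recipe: it reads that tab-separated format and also flags entries still marked V whose expiry date has passed, which stay that way until openssl ca -updatedb rewrites them to E. The names cert_status, parse_time and SAMPLE_INDEX are hypothetical, and the sample entries are constructed.

```python
from datetime import datetime, timezone

# Constructed sample of an "openssl ca" database. Tab-separated fields:
# flag, expiry, revocation date[,reason], serial (hex), filename, subject DN
SAMPLE_INDEX = (
    "V\t340101000000Z\t\t01\tunknown\t/CN=server\n"
    "R\t340101000000Z\t240301120000Z,keyCompromise\t02\tunknown\t/CN=client1\n"
    "V\t200101000000Z\t\t03\tunknown\t/CN=client2\n"
    "E\t190101000000Z\t\t04\tunknown\t/CN=client3\n"
)
FLAGS = {"V": "Valid", "R": "Revoked", "E": "Expired"}


def parse_time(stamp):
    """Parse UTCTime (YYMMDDHHMMSSZ) or GeneralizedTime (YYYYMMDDHHMMSSZ)."""
    if len(stamp) == 13:  # UTCTime: years 50-99 are 19xx, 00-49 are 20xx
        stamp = ("19" if int(stamp[:2]) >= 50 else "20") + stamp
    return datetime.strptime(stamp, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def cert_status(index_text, serial, now=None):
    """Return (recorded, effective, detail) for a hex serial, or None if absent."""
    now = now or datetime.now(timezone.utc)
    want = int(serial, 16)
    for line in index_text.splitlines():
        fields = line.split("\t")
        if len(fields) != 6:
            continue  # skip blank or malformed lines
        flag, expiry, revoked, ser, _filename, subject = fields
        if int(ser, 16) != want:
            continue
        recorded = FLAGS.get(flag, "Unknown")
        effective, detail = recorded, subject
        if flag == "R":
            when, _, reason = revoked.partition(",")
            detail = f"{subject} revoked {parse_time(when):%Y-%m-%d}"
            if reason:
                detail += f" ({reason})"
        elif flag == "V" and parse_time(expiry) <= now:
            # Past its expiry date but the database has not been updated yet
            effective = "Expired"
        return recorded, effective, detail
    return None
```

A mismatch between the recorded and effective status (serial 03 in the sample) means the database is stale with respect to expiry.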