Revoking certificates
A common task when managing a PKI is to revoke certificates that are no longer needed or that have been compromised. This recipe demonstrates how certificates can be revoked using the easy-rsa script and how OpenVPN can be configured to make use of a Certificate Revocation List (CRL).
Getting ready
Set up the client and server certificates using the first recipe from Chapter 2, Client-server IP-only Networks. This recipe was performed on a computer running CentOS 6 Linux, but it can easily be run on Windows or Mac OS.
How to do it...
First, we generate a certificate:
$ cd /etc/openvpn/cookbook
$ . ./vars
$ ./build-key client4
[...]
Then, we immediately revoke it:
$ ./revoke-full client4
Using configuration from /etc/openvpn/cookbook/openssl-1.0.0.cnf
Enter pass phrase for /etc/openvpn/cookbook/keys/ca.key:
Revoking Certificate 06.
Data Base Updated
Using configuration from /etc/openvpn/cookbook/openssl-1.0.0.cnf
Enter pass phrase for /etc/openvpn/cookbook...