1111 | | The private key associated with the certificate is compromised or stolen. |
1112 | | The user of an encrypted private key forgets the password on the key. |
1113 | | You want to terminate a VPN user's access. |
1114 | | |
1115 | | Example |
1116 | | |
1117 | | As an example, we will revoke the client2 certificate, which we generated above in the "key generation" section of the HOWTO. |
1118 | | |
1119 | | First open up a shell or command prompt window and cd to the easy-rsa directory as you did in the "key generation" section above. On Linux/BSD/Unix: |
1120 | | |
1121 | | . ./vars |
1122 | | ./revoke-full client2 |
1123 | | |
| 1112 | * The private key associated with the certificate is compromised or stolen. |
| 1113 | * The user of an encrypted private key forgets the password on the key. |
| 1114 | * You want to terminate a VPN user's access. |
| 1115 | |
| 1116 | == Example == |
| 1117 | |
| 1118 | As an example, we will revoke the '''client2''' certificate, which we generated above in the "key generation" section of the HOWTO. |
| 1119 | |
| 1120 | First open up a shell or command prompt window and cd to the '''easy-rsa''' directory as you did in the "key generation" section above. On Linux/BSD/Unix: |
| 1121 | {{{ |
| 1122 | . ./vars |
| 1123 | ./revoke-full client2 |
| 1124 | }}} |
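Review bot: the preformatted {{{ }}} block around `. ./vars` / `./revoke-full client2` is only introduced for the Linux/BSD/Unix commands, while the sentence before it ("On Linux/BSD/Unix:") implies a Windows equivalent follows; if that equivalent is still plain text, it should get the same {{{ }}} treatment so both command blocks render consistently. Separately, the bullet conversion of the three revocation reasons is fine, but the lead-in sentence that introduces the list is outside this hunk, so check that it still ends with a colon and reads as the list header once the new markup is applied.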
1130 | | |
1131 | | Using configuration from /root/openvpn/20/openvpn/tmp/easy-rsa/openssl.cnf |
1132 | | DEBUG[load_index]: unique_subject = "yes" |
1133 | | Revoking Certificate 04. |
1134 | | Data Base Updated |
1135 | | Using configuration from /root/openvpn/20/openvpn/tmp/easy-rsa/openssl.cnf |
1136 | | DEBUG[load_index]: unique_subject = "yes" |
1137 | | client2.crt: /C=KG/ST=NA/O=OpenVPN-TEST/CN=client2/emailAddress=me@myhost.mydomain |
1138 | | error 23 at 0 depth lookup:certificate revoked |
1139 | | |
| 1131 | {{{ |
| 1132 | Using configuration from /root/openvpn/20/openvpn/tmp/easy-rsa/openssl.cnf |
| 1133 | DEBUG[load_index]: unique_subject = "yes" |
| 1134 | Revoking Certificate 04. |
| 1135 | Data Base Updated |
| 1136 | Using configuration from /root/openvpn/20/openvpn/tmp/easy-rsa/openssl.cnf |
| 1137 | DEBUG[load_index]: unique_subject = "yes" |
| 1138 | client2.crt: /C=KG/ST=NA/O=OpenVPN-TEST/CN=client2/emailAddress=me@myhost.mydomain |
| 1139 | error 23 at 0 depth lookup:certificate revoked |
| 1140 | }}} |
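Review bot: the last two lines of this output block, `client2.crt: /C=KG/ST=NA/O=OpenVPN-TEST/CN=client2/emailAddress=me@myhost.mydomain` and `error 23 at 0 depth lookup:certificate revoked`, read like a failure of the revoke-full script, so the prose immediately around the block should state explicitly that the verification error is the expected result (the script re-checks the certificate after revocation and the check is supposed to fail); otherwise readers will assume the revocation did not succeed. Wrapping the output in {{{ }}} is the right change, since the `DEBUG[load_index]` and `Data Base Updated` lines were previously rendering as wiki prose.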
1147 | | CRL Notes |
1148 | | |
1149 | | When the crl-verify option is used in OpenVPN, the CRL file will be re-read any time a new client connects or an existing client renegotiates the SSL/TLS connection (by default once per hour). This means that you can update the CRL file while the OpenVPN server daemon is running, and have the new CRL take effect immediately for newly connecting clients. If the client whose certificate you are revoking is already connected, you can restart the server via a signal (SIGUSR1 or SIGHUP) and flush all clients, or you can telnet to the management interfaceand explicitly kill the specific client instance object on the server without disturbing other clients. |
1150 | | |
1151 | | |
1152 | | While the crl-verify directive can be used on both the OpenVPN server and clients, it is generally unnecessary to distribute a CRL file to clients unless a server certificate has been revoked. Clients don't need to know about other client certificates which have been revoked because clients shouldn't be accepting direct connections from other clientsin the first place. |
1153 | | |
1154 | | |
1155 | | The CRL file is not secret, and should be made world-readable so that the OpenVPN daemon can read it after root privileges have been dropped. |
1156 | | |
1157 | | |
1158 | | If you are using the chrootdirective, make sure to put a copy of the CRL file in the chroot directory, since unlike most other files which OpenVPN reads, the CRL file will be read after the chroot call is executed, not before. |
1159 | | |
1160 | | |
1161 | | A common reason why certificates need to be revoked is that the user encrypts their private key with a password, then forgets the password. By revoking the original certificate, it is possible to generate a new certificate/key pair with the user's original common name. |
1162 | | |
1163 | | |
1164 | | |
1165 | | Important Note on possible "Man-in-the-Middle" attack if clients do not verify the certificate of the server they are connecting to. |
| 1148 | == CRL Notes == |
| 1149 | |
| 1150 | * When the crl-verify option is used in OpenVPN, the CRL file will be re-read any time a new client connects or an existing client renegotiates the SSL/TLS connection (by default once per hour). This means that you can update the CRL file while the OpenVPN server daemon is running, and have the new CRL take effect immediately for newly connecting clients. If the client whose certificate you are revoking is already connected, you can restart the server via a signal (SIGUSR1 or SIGHUP) and flush all clients, or you can telnet to the management interfaceand explicitly kill the specific client instance object on the server without disturbing other clients. |
| 1151 | * While the crl-verify directive can be used on both the OpenVPN server and clients, it is generally unnecessary to distribute a CRL file to clients unless a server certificate has been revoked. Clients don't need to know about other client certificates which have been revoked because clients shouldn't be accepting direct connections from other clientsin the first place. |
| 1152 | * The CRL file is not secret, and should be made world-readable so that the OpenVPN daemon can read it after root privileges have been dropped. |
| 1153 | * If you are using the chrootdirective, make sure to put a copy of the CRL file in the chroot directory, since unlike most other files which OpenVPN reads, the CRL file will be read after the chroot call is executed, not before. |
| 1154 | * A common reason why certificates need to be revoked is that the user encrypts their private key with a password, then forgets the password. By revoking the original certificate, it is possible to generate a new certificate/key pair with the user's original common name. |
| 1155 | |
| 1156 | = Important Note on possible "Man-in-the-Middle" attack if clients do not verify the certificate of the server they are connecting to = |
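Review bot: three run-together words survive the bullet conversion unchanged and should be fixed while this text is being touched: "management interfaceand" (new line 1150) should read "management interface and", "other clientsin the first place" (1151) should read "other clients in the first place", and "the chrootdirective" (1153) should read "the chroot directive". Also, the new section heading on 1156 uses the top-level `= ... =` form while "== CRL Notes ==" on 1148 is second level, so the man-in-the-middle note ends up at a higher level than the CRL notes it follows; if that is not intended, demote it to `== ... ==`. The security content of the bullets is correct as written: the CRL being re-read on connect and on TLS renegotiation, being world-readable for the unprivileged daemon, and needing a copy inside the chroot directory are all worth keeping verbatim.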
1169 | | [OpenVPN 2.1 and above]Build your server certificates with specific key usage and extended key usage. The RFC3280 determine that the following attributes should be provided for TLS connections: |
1170 | | |
1171 | | |
1172 | | Mode Key usage Extended key usage |
1173 | | Client digitalSignature TLS Web Client Authentication |
1174 | | keyAgreement |
| 1160 | 1. OpenVPN 2.1 and above: Build your server certificates with specific key usage and extended key usage. |
| 1161 | |
| 1162 | The RFC3280 determine that the following attributes should be provided for TLS connections: |
| 1163 | |
| 1164 | {{{#!html |
| 1165 | <table border="1" cellspacing="0" cellpadding="8"> |
| 1166 | <tbody> |
| 1167 | <tr><th>Mode</th><th>Key usage</th><th>Extended key usage</th></tr> |
| 1168 | <tr> |
| 1169 | <td rowspan="3">Client</td> |
| 1170 | <td>digitalSignature</td> |
| 1171 | <td rowspan="3">TLS Web Client Authentication</td> |
| 1172 | </tr> |
| 1173 | <tr> |
| 1174 | <td>keyAgreement</td> |
| 1175 | </tr> |
| 1176 | <tr> |
| 1177 | <td>digitalSignature, keyAgreement</td> |
| 1178 | </tr> |
| 1179 | <tr> |
| 1180 | <td rowspan="2">Server</td> |
| 1181 | <td>digitalSignature, keyEncipherment</td> |
| 1182 | <td rowspan="2">TLS Web Server Authentication</td> |
| 1183 | </tr> |
| 1184 | <tr> |
| 1185 | <td>digitalSignature, keyAgreement</td> |
| 1186 | </tr> |
| 1187 | </tbody> |
| 1188 | </table> |
| 1189 | }}} |
| 1190 | |
| 1191 | Mode Key usage Extended key usage |
| 1192 | Client digitalSignature TLS Web Client Authentication |
| 1193 | keyAgreement |
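Review bot: the three plain-text lines that follow the closing `}}}` (new lines 1191 to 1193, "Mode Key usage Extended key usage" / "Client digitalSignature TLS Web Client Authentication" / "keyAgreement") are the old flattened table that the new `{{{#!html ... }}}` table replaces, and they should be deleted rather than left after it, since they now render as a truncated duplicate of the first table row. On 1162, "The RFC3280 determine that the following attributes should be provided" is ungrammatical; suggest "RFC 3280 specifies that the following attributes should be present for TLS connections:". The HTML table itself is consistent with the old text: the Client rows list digitalSignature, keyAgreement and the combination under TLS Web Client Authentication, and the Server rows list digitalSignature with keyEncipherment or keyAgreement under TLS Web Server Authentication, which is what a client-side `remote-cert-tls server` style check depends on, so it is worth keeping this table next to the sentence in the renumbered item 1 on 1160 that tells the reader to build server certificates with these key usage and extended key usage values.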