Unrevoking certificate under Windows

Scripts to manage certificates or generate config files

Moderators: TinCanTech

8dqqz
OpenVpn Newbie
Posts: 7
Joined: Mon Mar 06, 2017 1:34 pm

Unrevoking certificate under Windows

Post by 8dqqz » Mon Mar 06, 2017 1:47 pm

Hi,

I'm using OpenVPN on Windows Server 2012 and all seems to work fine. For testing purposes, I revoked a client certificate by doing:

Code:

revoke-full mylaptop

and adding a

Code:

crl-verify "<location>\\crl.pem"

to the server config file.
This also worked fine, except I need to unrevoke the certificate now and I can't get that to work. To unrevoke this certificate I edited the index.txt file and changed the R of the specific certificate to V. Furthermore, and here's where it fails, I'm trying the command:

Code:

openssl ca -gencrl -out "crl.pem" -config "$KEY_CONFIG"

But this gives me the following error:

Code:

C:\Program Files\OpenVPN\easy-rsa\keys>openssl ca -gencrl -out "crl.pem" -config "$KEY_CONFIG"
WARNING: can't open config file: /etc/ssl/openssl.cnf
Using configuration from $KEY_CONFIG
error loading the config file '$KEY_CONFIG'
10316:error:02001002:system library:fopen:No such file or directory:bss_file.c:175:fopen('$KEY_CONFIG','rb')
10316:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:182:
10316:error:0E078072:configuration file routines:DEF_LOAD:no such file:conf_def.c:195:

I suspect this is the culprit: "WARNING: can't open config file: /etc/ssl/openssl.cnf". How do I make the openssl command look for the right folder instead of "/etc/ssl/openssl.cnf"? Because that looks like a Linux location to me. Or if that has nothing to do with my issues, how can I unrevoke a client certificate on OpenVPN for Windows?

Thanks in advance.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Unrevoking certificate under Windows

Post by TinCanTech » Mon Mar 06, 2017 2:15 pm

8dqqz wrote: I suspect this is the culprit: "WARNING: can't open config file: /etc/ssl/openssl.cnf". How do I make the openssl command look for the right folder instead of "/etc/ssl/openssl.cnf"

You can create C:\etc\ssl\ and copy C:\Program Files\openvpn\bin\openssl.cnf to that location.

Re: Unrevoking certificate under Windows

Post by 8dqqz » Mon Mar 06, 2017 4:22 pm

Thanks for your response. There is no openssl.cnf in C:\Program Files\openvpn\bin\, however there is an openssl-1.0.0.cnf in C:\Program Files\openvpn\easy-rsa, so I created c:\etc\ssl, copied the file to that location and renamed it to openssl.cnf, but I get the same errors, only without the "can't open config file" warning.

Re: Unrevoking certificate under Windows

Post by TinCanTech » Tue Mar 07, 2017 10:24 am

8dqqz wrote: Using configuration from $KEY_CONFIG

See easy-rsa\vars.bat for details.

Re: Unrevoking certificate under Windows

Post by 8dqqz » Wed Mar 08, 2017 11:33 am

TinCanTech wrote:
8dqqz wrote: Using configuration from $KEY_CONFIG
See easy-rsa\vars.bat for details.

Yeah, default vars says:

Code:

@echo off
rem Edit this variable to point to
rem the openssl.cnf file included
rem with easy-rsa.

set HOME=%ProgramFiles%\OpenVPN\easy-rsa
set KEY_CONFIG=openssl-1.0.0.cnf

Changed it to

Code:

@echo off
rem Edit this variable to point to
rem the openssl.cnf file included
rem with easy-rsa.

set HOME=c:\etc\ssl\
set KEY_CONFIG=c:\etc\ssl\openssl.cnf

And copied and renamed the config file to c:\etc\ssl as mentioned above but in both cases I still get:

Code:

C:\Program Files\OpenVPN\easy-rsa>openssl ca -gencrl -out "crl.pem" -config "$KEY_CONFIG"
Using configuration from $KEY_CONFIG
error loading the config file '$KEY_CONFIG'
8308:error:02001002:system library:fopen:No such file or directory:bss_file.c:175:fopen('$KEY_CONFIG','rb')
8308:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:182:
8308:error:0E078072:configuration file routines:DEF_LOAD:no such file:conf_def.c:195:

So I thought I'd just try:

C:\Program Files\OpenVPN\easy-rsa>openssl ca -gencrl -out "crl.pem" -config "openssl-1.0.0.cnf"

Which gives me:

Code:

Using configuration from openssl-1.0.0.cnf
entry 3: not revoked yet, but has a revocation date

Although all guides tell me to edit the index.txt and change the R to V before using the openssl command, this seems to cause the above output, so I changed the previously edited V back to R in index.txt and after that I used the openssl command, which gives me no errors and generates the new crl.pem file. Is it safe to assume that I first issue the openssl command and after that edit the index.txt file to change the R to V? Is that the right way? Or am I missing something?

edit:
And I still can't seem to connect with the unrevoked certificate, so I guess something is not right. Still wondering about the correct order though.

Re: Unrevoking certificate under Windows

Post by TinCanTech » Wed Mar 08, 2017 1:20 pm

8dqqz wrote: entry 3: not revoked yet, but has a revocation date

That date is the problem because you now have an incorrect index.txt

8dqqz wrote: And I still can't seem to connect with the unrevoked certificate, so I guess something is not right

Presumably, because the date is still present.

I cannot recommend what you are trying to do because in all probability you will damage your PKI beyond repair and be left with security flaws. The recommended approach is to issue a new cert+key to your client.

But if you must persist, try Google ...
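
The inconsistency discussed above, as an added example that is not part of the thread: OpenSSL's index.txt is tab-separated (status flag, expiry date, revocation date, serial, file name, subject), and a row flagged V that still carries a revocation date is what produces "entry 3: not revoked yet, but has a revocation date". The sample rows and the function names `check_index` and `revoked_serials` are constructed for illustration.

```python
import re

# UTCTime (YYMMDDHHMMSSZ) or GeneralizedTime (YYYYMMDDHHMMSSZ)
DATE = re.compile(r"^\d{12}(\d{2})?Z$")

# Constructed sample database (not from the thread): entry 3 had its flag
# hand-edited from R to V while the revocation date (third field) was left in.
SAMPLE_INDEX = (
    "V\t270304120000Z\t\t01\tunknown\t/C=NL/O=Example/CN=server\n"
    "V\t270304120000Z\t\t02\tunknown\t/C=NL/O=Example/CN=desktop\n"
    "V\t270304120000Z\t170306124700Z\t03\tunknown\t/C=NL/O=Example/CN=mylaptop\n"
    "R\t270304120000Z\t170301090000Z\t04\tunknown\t/C=NL/O=Example/CN=oldphone\n"
)


def check_index(text):
    """Return (entry_number, serial, problem) for every inconsistent row."""
    problems = []
    for n, line in enumerate(text.splitlines(), start=1):
        fields = line.split("\t")
        if len(fields) != 6:
            problems.append((n, None, "expected 6 tab-separated fields"))
            continue
        status, expires, revoked, serial = fields[:4]
        rev_date = revoked.split(",", 1)[0]  # drop an optional ",reason"
        if status not in ("V", "R", "E"):
            problems.append((n, serial, "unknown status flag"))
        elif status == "R" and not DATE.match(rev_date):
            problems.append((n, serial, "revoked, but no valid revocation date"))
        elif status != "R" and revoked:
            problems.append((n, serial, "not revoked yet, but has a revocation date"))
        if not DATE.match(expires):
            problems.append((n, serial, "invalid expiry date"))
    return problems


def revoked_serials(text):
    """Serials a CRL generated from this database would list (rows flagged R)."""
    rows = (line.split("\t") for line in text.splitlines())
    return [r[3] for r in rows if len(r) == 6 and r[0] == "R"]


if __name__ == "__main__":
    for entry, serial, problem in check_index(SAMPLE_INDEX):
        print("entry %d (serial %s): %s" % (entry, serial, problem))
    print("serials flagged R:", revoked_serials(SAMPLE_INDEX))
```

Running a check like this against a copy of index.txt before `openssl ca -gencrl` shows which rows the CRL will list and whether any row is in the half-edited state.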

Re: Unrevoking certificate under Windows

Post by 8dqqz » Fri Mar 10, 2017 11:22 am

Ok thanks. I just reinstalled the whole thing for the better.
