OpenVPN Keys restored

[johnvh]

Our OpenVPN keys were restored to the OpenVPN key server using an older restore date and before it was identified many new certificates were created starting with the older restore dates next available serial number causing a duplicate of that serial number and pem for the previously created certificates.

The newly created certificates are using a uniq CN but the serial number and pem number were reissued causing the conflict. It appears that even though I have the original certificates they are associated with the original serial number / pem number. I can not update the index.txt file at the bottom of the file with an edited new serial number and pem number since the certificate (<cn>.crt) and the serial number pem (67.pem) both are associated with the newly reissued serial number and pem number (67.pem).

It does not help to vi 67.pem and change the serial number and pem number since it appears that the below command still sees the pem with original serial number at the time the certificate was issued.

openssl x509 -in 67.pem -noout -text

Certificate:
Data:
Version: 3 (0x2)
Serial Number: 103 (0x67)

When I modify the (67.pem) and (cn.crt) to reference a different serial number and append to the end of the index.txt file it is still unable to create new certificates but more importantly not able to get the crl.pem updated when we need to revoke the original keys that are no longer acceptable given that we have reissued many new serial number pems that conflict with the original serial number pems.

If there is a way to update the crl.pem given these serial number pem conflicts? or update the index.txt so that these keys are accepted and will create a new certificate and also create a crl.pem when executing revoke-full.

[maikcat]

you CAN recreate your index.txt file if you have ALL certs...

Code: Select all

#!/bin/bash

if [ $# -eq 0 ]
then
  echo "Usage: $0 *.pem"
  exit 1
fi

for cert
do

  enddate=`openssl x509 -enddate -noout -in $cert | sed 's/notAfter=//' | awk '\
    { year=$4-2000;
      months="JanFebMarAprMayJunJulAugSepOctNovDec" ;
      month=1+index(months, $1)/3 ;
      day=$2;
      hour=substr($3,1,2) ;
      minutes=substr($3,4,2);
      seconds=substr($3,7,2);
      printf "%02d%02d%02d%02d%02d%02dZ", year, month, day, hour, minutes, seconds}'`

  serial=`openssl x509 -serial -noout -in $cert  |sed 's/serial=//'`
  subject=`openssl x509 -subject -noout -in $cert  |sed 's/subject= //'`

  echo "V       $enddate                $serial unknown $subject"
done

[johnvh]

maikcat,

That script will only recreate index.txt up to the point where the serial numbers do not conflict. I have all certs and I have tried to modify the .pem and .crt to try and assign different serial numbers and copy the pem to another .pem that does not conflict but as long as the certificates have conflicting serial numbers and .pem sequence numbers that script does not pick up all the certificates.

Remember, the original certificates from a previous date were restored and new certificates were created starting at the point in time. The certificates that got created were assigned the same .pem sequence number and serial number as the previous certificates. We did not catch the mistake until after many new certificates were issued.

[johnvh]

Let me clarify, the index.txt file does get created with entries for all the certificates but it still maintains the original .pem reference number (ie 67.pem) so the conflict remains in the index.txt file.

The current index.txt file has 207 certificates - the newly created index.txt has 280. The missing certificates get added to the index.txt but the (.pem) sequential number (ie 67) gets duplicated in the index.txt file and the original serial number 103 (0x67) old and new are still in conflict.

Any additional thoughts on this issue ?

[tsa_akis]

Hi, sorry for returning to this old post but I ran into the same problem as johnvh.

How did you eventually proceed with this problem?

In short:
Because the index.txt was reset, the serial_number started again from 1. Many new certificates were added before realizing the conflict. So now, there are two certificates with the same serial_number 1, 2, 3, ... referring to the "old" index.txt and the "new" index.txt respectively. The problem lies with CRL.pem, that identifies the revoked certificates based on their serial_number. So, old revoked certificates actually block the new certificates with the same serial_number. When I rebuilt the index.txt, I just have two different entries with the same serial_number...

Any suggestions?

I thought there should be a way to change the serial_number in the OpenSSL database (since changing it in the CRT/PEM file doesn't actually make a difference). Or is the serial_number fixed when signing the certificate and there is no turning back?