Cleaning out old client certificates

Scripts to manage certificates or generate config files

Moderators: TinCanTech

dnilgreb
OpenVPN User
Posts: 21
Joined: Fri Mar 04, 2016 12:13 pm

Cleaning out old client certificates

Post by dnilgreb » Wed Mar 28, 2018 4:37 pm

I am running a private OpenVPN server (easy-RSA 3), and am trying to write my own web gui to manage it (with NodeJS).
In the process, I've added and revoked a bunch of client certs. Revocation works fine, none of the revoked clients can connect.

But since there are so many, and the names are along the lines of TestUser8 and RevokeThisUser14, I would like to completely delete them.
I know that I can delete certain files to be able to create a new cert with the same name, but I'd like to remove them completely.
The index.txt file that contains all of them would be nicer to look at and manage if it were shorter. However, I do not want any revoked cert to be able to connect (obviously).
Can this be done? And if so, how?

If yes, will deleting also free up the IP address associated with deleted cert?
If no, is there a way to free up the IP addresses that are revoked and/or not in use by any valid cert so I can use them again?

Pippin
Forum Team
Posts: 1201
Joined: Wed Jul 01, 2015 8:03 am
Location: irc://irc.libera.chat:6697/openvpn

Re: Cleaning out old client certificates

Post by Pippin » Wed Mar 28, 2018 5:01 pm

On the matter of:
"will deleting also free up the IP address associated with deleted cert?"
The IP assignment happens at the moment the client connects; the server reads the client's ccd file on the fly every time one connects.
The server has no knowledge of it before the client connects or after it disconnects.

dnilgreb
OpenVPN User
Posts: 21
Joined: Fri Mar 04, 2016 12:13 pm

Re: Cleaning out old client certificates

Post by dnilgreb » Wed Mar 28, 2018 8:12 pm

The way I interpret this:
"The IP assignment happens on the moment the client connects"
the server will never run out of IP addresses, so long as the number of valid certificates doesn't exceed the size of the IP pool. Correct? Old IP addresses will be re-used when/if needed?

Pippin
Forum Team
Posts: 1201
Joined: Wed Jul 01, 2015 8:03 am
Location: irc://irc.libera.chat:6697/openvpn

Re: Cleaning out old client certificates

Post by Pippin » Wed Mar 28, 2018 9:15 pm

"the server will never run out of IP addresses, so long as the number of valid certificates doesn't exceed the size of the IP pool"
The server will never run out of IP addresses, so long as the number of clients doesn't exceed the size of the IP pool.

The size of the pool determines the number of clients.
However it is not linked to certificates (or the number of), you have to manage that.
A CA can have 1000 certs even if the pool can house only 252 clients (--topology subnet and /24).

Removing old clients also means deleting their ccd files and adding new ones for new clients.
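As an added example (not code from this thread, from easy-rsa or from OpenVPN), the POSIX shell audit below covers the two points raised in the thread: which clients no longer own a valid certificate, and which ccd files (and therefore pinned addresses) those clients still hold. It is built around one caveat the original question skips: easy-rsa's `gen-crl` rebuilds `crl.pem` from the `R` lines in `index.txt`, so deleting a revoked line and regenerating the CRL silently un-revokes that certificate for the rest of its validity period. The only index lines that can be pruned without weakening anything are those whose certificate has already expired, because the server rejects expired certificates independently of the CRL. The `index.txt` content, the ccd directory and every name in them are constructed demo data; the paths are assumptions to adjust to your layout.

```shell
#!/bin/sh
# Added example, not code from the thread or from easy-rsa/OpenVPN.
# Audits an easy-rsa 3 PKI (index.txt) against an OpenVPN client-config-dir
# so that old clients can be cleaned out without silently un-revoking anyone.
# All paths and the demo data below are constructed for illustration.
#
# index.txt is OpenSSL's ca database, one tab-separated line per cert:
#   status  expiry  revocation_date  serial  filename  subject
# status V = valid, R = revoked, E = expired; dates are YYMMDDHHMMSSZ (UTC).
# easy-rsa's gen-crl rebuilds crl.pem from the R lines, so an R line removed
# from index.txt disappears from the next CRL: never delete R lines for
# certificates that have not yet expired.

# "status<TAB>serial<TAB>CN" for every line of an index.txt.
index_entries() {
    awk -F'\t' '{
        cn = $6
        sub(/.*\/CN=/, "", cn)   # subject looks like /CN=alice
        sub(/\/.*/, "", cn)      # drop any further RDNs
        print $1 "\t" $4 "\t" cn
    }' "$1"
}

# Serials of revoked certificates; every one of these must still appear in
#   openssl crl -in pki/crl.pem -noout -text
# after any cleanup, or the revocation has been lost.
revoked_serials() { awk -F'\t' '$1=="R"{print $4}' "$1"; }

# CNs that currently own a valid (V) certificate.
valid_cns() { index_entries "$1" | awk -F'\t' '$1=="V"{print $3}' | sort -u; }

# CNs that only appear revoked or expired, i.e. clients that are gone.
dead_cns() {
    index_entries "$1" | awk -F'\t' '
        $1=="V" {v[$3]=1}
        $1!="V" {d[$3]=1}
        END {for (c in d) if (!(c in v)) print c}' | sort
}

# Lines whose certificate expired before $2 (YYMMDDHHMMSSZ, e.g.
# "$(date -u +%y%m%d%H%M%SZ)"). The server rejects expired certificates
# regardless of the CRL, so these are the only lines safe to prune from
# index.txt. Assumes the two-digit-year UTCTime form openssl writes for
# dates before 2050.
expired_entries() {
    awk -F'\t' -v now="$2" '$2 < now {print $1 "\t" $4 "\t" $6}' "$1"
}

# ccd files whose name is not the CN of a valid certificate. Each one still
# pins an address with ifconfig-push; delete or re-assign it to free the
# address for a new client (the server reads ccd files at connect time).
orphan_ccd() {  # $1 = index.txt, $2 = client-config-dir
    valid=$(valid_cns "$1")
    for f in "$2"/*; do
        [ -f "$f" ] || continue
        cn=$(basename "$f")
        printf '%s\n' "$valid" | grep -Fqx -- "$cn" || echo "$cn"
    done
}

# Build a throwaway PKI in a temp dir (constructed data, not a real CA).
make_demo_pki() {
    d=$(mktemp -d)
    {
        printf 'V\t280301120000Z\t\t01\tunknown\t/CN=alice\n'
        printf 'R\t280301120000Z\t180328160000Z\t02\tunknown\t/CN=TestUser8\n'
        printf 'R\t180101000000Z\t170601000000Z\t03\tunknown\t/CN=RevokeThisUser14\n'
        printf 'R\t280301120000Z\t180201000000Z\t04\tunknown\t/CN=bob\n'
        printf 'V\t280301120000Z\t\t05\tunknown\t/CN=bob\n'   # bob was re-issued
    } > "$d/index.txt"
    mkdir "$d/ccd"
    printf 'ifconfig-push 10.8.0.10 255.255.255.0\n' > "$d/ccd/alice"
    printf 'ifconfig-push 10.8.0.11 255.255.255.0\n' > "$d/ccd/TestUser8"
    printf 'ifconfig-push 10.8.0.12 255.255.255.0\n' > "$d/ccd/bob"
    printf 'ifconfig-push 10.8.0.13 255.255.255.0\n' > "$d/ccd/stale"  # no cert at all
    echo "$d"
}

pki=$(make_demo_pki)
echo "== revoked serials (must all still be listed in crl.pem) =="
revoked_serials "$pki/index.txt"
echo "== clients with no valid certificate =="
dead_cns "$pki/index.txt"
echo "== index.txt lines safe to prune (expired as of 2018-03-28) =="
expired_entries "$pki/index.txt" 180328000000Z
echo "== ccd files not backed by a valid certificate =="
orphan_ccd "$pki/index.txt" "$pki/ccd"
rm -rf "$pki"
```

Point the functions at `pki/index.txt` and your `client-config-dir` instead of the demo directory. Deleting an orphaned ccd file frees its `ifconfig-push` address for the next client that is given that file; addresses handed out from the server's pool need no cleanup, since they are assigned per connection as described above. After any edit to `index.txt` and a fresh `easyrsa gen-crl`, compare `revoked_serials` with `openssl crl -in pki/crl.pem -noout -text` to confirm that every unexpired revoked serial is still listed.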
