Revoking certificate

Support forum for Easy-RSA certificate management suite.

Moderators: TinCanTech, TinCanTech, TinCanTech, TinCanTech, TinCanTech, TinCanTech

Post Reply
penguinpupil
OpenVpn Newbie
Posts: 2
Joined: Tue Mar 13, 2018 7:30 pm

Revoking certificate

Post by penguinpupil » Tue Mar 13, 2018 8:09 pm

Hello,

I am having troubles revoking certificates. I followed the instructions here:

https://openvpn.net/index.php/open-sour ... tml#revoke

Openvpn version: 2.3.10-1ubuntu2.1
Server OS: Ubuntu 16.04.4 LTS

Unfortunately output of

Code: Select all

 ./revoke-full client1

looks like this

Code: Select all

Using configuration from /etc/openvpn/easy-rsa2/openssl-1.0.0.cnf
unable to load certificate
139926510765720:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:701:Expecting: TRUSTED CERTIFICATE
Using configuration from /etc/openvpn/easy-rsa2/openssl-1.0.0.cnf
unable to load certificate
139667813103256:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:701:Expecting: TRUSTED CERTIFICATE
I performed the comand in the "easy-rsa" directory and did start with

Code: Select all

. ./vars

All certificates where in the specified place.

I checked forums and internet and could not find a solution. Can anybody give me a hint how to solve the issue?

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Revoking certificate

Post by TinCanTech » Wed Mar 14, 2018 2:02 pm

penguinpupil wrote:
Tue Mar 13, 2018 8:09 pm
Openvpn version: 2.3.10-1ubuntu2.1
You should consider upgrading:
https://community.openvpn.net/openvpn/w ... twareRepos

You are using Easyrsa2 and should consider upgrading that too:
https://github.com/OpenVPN/easy-rsa/releases
penguinpupil wrote:
Tue Mar 13, 2018 8:09 pm
unable to load certificate 139926510765720:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:701:Expecting: TRUSTED CERTIFICATE
Looks like something wrong with your certificate ..

Check it against this:

Code: Select all

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            fb:18:65:7e:39:31:e3:b4:aa:9b:f2:42:e9:21:25:2a
    Signature Algorithm: ecdsa-with-SHA256
        Issuer: CN=CORE-CA
        Validity
            Not Before: Mar  3 18:39:07 2018 GMT
            Not After : Feb 29 18:39:07 2028 GMT
        Subject: CN=core-cli-a-03
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (384 bit)
                pub: 
                    04:49:1e:b9:e5:d4:d0:55:c5:80:5f:ed:87:11:ed:
                    28:0e:66:0b:82:bb:aa:bc:1d:01:a5:58:fb:eb:ed:
                    a2:07:57:d5:6b:ad:ff:8f:0c:f8:01:b0:f1:9f:7c:
                    fe:1d:0d:bd:17:f6:f2:56:ba:98:03:bb:e1:39:8e:
                    66:e1:61:d6:0c:74:06:70:fb:23:7e:6d:1f:fa:a5:
                    9e:c8:27:7b:b9:6e:c3:1d:8a:b6:53:4e:4e:86:e8:
                    71:30:dc:38:e6:eb:d3
                ASN1 OID: secp384r1
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Subject Key Identifier: 
                0D:26:5D:A0:09:BB:57:F3:A9:7B:DF:F6:F2:3E:22:C7:EF:E2:71:1B
            X509v3 Authority Key Identifier: 
                keyid:88:BF:66:17:18:A5:7A:8F:C8:90:31:7C:60:CD:6B:ED:77:D7:A6:21
                DirName:/CN=CORE-CA
                serial:81:DE:BB:31:E8:52:BD:1F

            X509v3 Extended Key Usage: 
                TLS Web Client Authentication
            X509v3 Key Usage: 
                Digital Signature
    Signature Algorithm: ecdsa-with-SHA256
         30:66:02:31:00:b9:4f:6d:c9:4e:a1:50:18:50:3e:47:1e:1e:
         59:30:e1:58:70:90:5c:4f:7b:c1:e2:23:ba:aa:68:9b:71:5a:
         a1:fb:b7:82:50:2e:c8:b3:93:93:e1:b8:01:70:f8:46:88:02:
         31:00:a4:86:90:ce:1f:4d:d9:17:a4:92:cf:3f:e5:d3:48:3d:
         4f:64:72:d7:6a:33:9d:4e:d7:b9:c0:43:a9:5a:e7:6d:00:ce:
         7f:f9:fc:fc:7c:f7:0b:dd:4a:a5:ac:f6:11:7b
-----BEGIN CERTIFICATE-----

< snipped certificate data >

-----END CERTIFICATE-----

penguinpupil
OpenVpn Newbie
Posts: 2
Joined: Tue Mar 13, 2018 7:30 pm

Re: Revoking certificate

Post by penguinpupil » Wed Mar 14, 2018 8:40 pm

:D Thanks TinCanTech, you have had the right idea. The client1.crt was totally empty. I have honestly no idea why. But anyhow, I could revoke the certificate as described by copying my backup certificate back. I will consider your update recommendations, as it is probably a good idea to start once again from the green field with the lessons I have learned.

Problem is solved. How do I change the status of this topic?

Post Reply