creating and revoking certificates for clients


Moderators: TinCanTech

uri.steinberger
OpenVpn Newbie
Posts: 4
Joined: Fri Nov 18, 2011 6:47 am
Location: Melbourne, Australia

creating and revoking certificates for clients

Post by uri.steinberger » Mon Nov 21, 2011 7:17 am

Hi,
If anyone can help me understand how this works: I have some understanding, but it's kind of scattered. I need to know if I'm on the right track, and if you could give me a solution I would be grateful.

1) I created a key as follows, while I was in the /etc/ssl directory of the server:
I input: openssl req -config openssl.cnf -new -nodes -keyout random.com/private/usteinberger@random.com.key -out usteinberger@random.com.csr -days 365 (I could make it valid for more time, but it's better this way)


2) Next I signed the certificate using the following command: openssl ca -config openssl.cnf -policy policy_anything -out random.com/certs/usteinberger@random.com.crt -infiles usteinberger@random.com.csr

In response it asked me for the password (Enter pass phrase for ./random.com/private/root@random.com.key:), which I typed, and it finished signing my key.

3) After this I can delete the CSR, as it's just the file that is used to sign the certificate to create the .crt file, which is the initial signed certificate.
I also checked to see if it generated a line in index.txt, and saw that it generated a line for my certificate, which is good:
V 242202030224Z B3D77C0422463K39 unknown /C=AU/ST=VIC/L=Melbourne/O=Random Company Ltd/OU=random.com/CN=Uri Steinberger/emailAddress=uri2013@gmail.com
and B3D77C0422463K39.pem was created as well in newcerts.

After creating the key, I copied the usteinberger@random.com.key from the private folder and set it for my OpenVPN, which worked.
The problem is that I wish to cancel this, to check the security: that it will not grant me access after deleting the certificate.
Reading forums and searching for solutions, I stumbled upon information that I have to both revoke the client certificate that I wish to remove, and also crl-verify.
I revoked the certificate using: "openssl ca -config openssl.cnf -revoke random.com/certs/usteinberger\@random.com.crt" (I was in the directory /etc/ssl/).

So it revoked it, also showing B3D77C0422463K39.

I assume crl-verify is actually happening every time the server negotiates with clients, as in the OpenVPN server config there is a line in the server's openvpn.conf: crl-verify /etc/ssl/random.com.crl.
The problem is that the actual client certificates are not on this server but on a different server, as this OpenSSL is configured with 2 certificate levels.

I can still VPN into the server despite revoking the certificate.
I tried an alternative revocation: "openssl ca -revoke /etc/ssl/random.com/newcerts/B3D77C0422463K39.pem", which gave:
Using configuration from /etc/ssl/openssl.cnf
Enter pass phrase for ./random.com/private/root@random.com.key:
ERROR:Already revoked, serial number B3D77C0422463K39.

Which shows that it is already revoked, but I can still VPN.

If the case is that I have to crl-verify, how do I do this?
Another thought is that maybe, because I am using my private key (usteinberger@random.com.key), revoking and CRL verification will not work on private keys?

This is the server openvpn.conf:
mode server
tls-server
port 1194
proto udp
dev tap0
ca /etc/ssl/root@random.com.crt
cert /etc/ssl/mat.random.com.crt
key /etc/ssl/private/mat.random.com.key
crl-verify /etc/ssl/random.com.crl
dh /etc/openvpn/dh2048.pem

comp-lzo
keepalive 10 120
persist-key
persist-tun
log-append /var/log/openvpn.log


The OpenVPN config file is on a different server, which also has its own keys.

Please help me, because I wish to understand this well before I distribute certificates to clients to VPN into my server.
Another question is about -x509: what does it exactly do, and did I have to use it? I read some stuff that it actually contains a public key in the private key.
Did I have to use -x509, or what's the best use you can suggest for me in doing this?

cheers,
Uri

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: creating and revoking certificates for clients

Post by janjust » Mon Nov 21, 2011 8:55 am

This is more about PKI and OpenSSL than about OpenVPN;
after revoking a certificate you need to regenerate and redistribute the CRL file:

openssl ca -gencrl -out random.com.crl

The updated CRL will take effect the next time the client logs in - existing connections will not be affected.

uri.steinberger
OpenVpn Newbie
Posts: 4
Joined: Fri Nov 18, 2011 6:47 am
Location: Melbourne, Australia

Re: creating and revoking certificates for clients

Post by uri.steinberger » Tue Nov 22, 2011 2:59 am

Hi janjust,

Thanks for replying, but I can still VPN into the server despite running the command you specified: "openssl ca -gencrl -out random.com.crl".

The other thing that I didn't mention clearly is that clients VPN to a server with the hostname aurora, which just has its own certificate aurora.random.com.crt and root@random.com.crt.

The other server, in regards to the previous post, is the server with the client certificates (where I guess I have my issue).

Hopefully this gives you more information that may provide me a solution on successfully revoking and removing client certificates.

I really appreciate your help on this!

Best regards,
Uri

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: creating and revoking certificates for clients

Post by janjust » Tue Nov 22, 2011 9:53 pm

Does the server to which the clients connect have the config line

crl-verify /etc/ssl/random.com.crl

? Does it have that file and is it up to date?

If so, then add 'verb 7' to that server config file, restart both client and server and try to connect; post the server log file here so we can inspect what is happening.

uri.steinberger
OpenVpn Newbie
Posts: 4
Joined: Fri Nov 18, 2011 6:47 am
Location: Melbourne, Australia

Re: creating and revoking certificates for clients

Post by uri.steinberger » Wed Nov 23, 2011 2:26 am

Hi Janjust,

Thanks for the reply; I very much appreciate your help.

By the way, I realized a typo in the name of the server that clients connect to: the name of the server is not mat, it's aurora.

Well, the answer to your question. I checked the attributes of the files on both servers. On the server that clients connect to, the file is not updated, as I could see; you can take a look at the following attributes of /etc/ssl/random.com.crl on aurora:

File: `random.com.crl'
Size: 739 Blocks: 8 IO Block: 4096 regular file
Device: 801h/2049d Inode: 403258306 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2011-02-14 18:50:54.600503371 +1100
Modify: 2011-02-14 18:50:54.600503371 +1100
Change: 2011-02-14 18:50:54.600503371 +1100

The following are the attributes of /etc/ssl/random.com.crl on the server where all client certificates are managed, which, as it looks, is the only one that gets updated, obviously:
File: `random.com.crl'
Size: 893 Blocks: 8 IO Block: 4096 regular file
Device: 821h/2081d Inode: 805823154 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2011-02-14 18:42:40.464359031 +1100
Modify: 2011-11-22 13:42:23.820858178 +1100
Change: 2011-11-22 13:42:23.820858178 +1100


This is the corrected OpenVPN config of the server aurora:
mode server
tls-server
port 1194
proto udp
dev tap0
ca /etc/ssl/root@random.com.crt
cert /etc/ssl/aurora.random.com.crt
key /etc/ssl/private/aurora.random.com.key
crl-verify /etc/ssl/random.com.crl
dh /etc/openvpn/dh2048.pem

comp-lzo
keepalive 10 120
persist-key
persist-tun
log-append /var/log/openvpn.log



Best regards,
Uri

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: creating and revoking certificates for clients

Post by janjust » Thu Nov 24, 2011 8:46 am

The CRL file on 'aurora' is not updated automatically - you need to copy over the new .crl file from the place where you generated it to the VPN server. A restart of the openvpn process is not required.
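The full cycle described in the two answers above (revoke on the CA host, regenerate the CRL, copy it to the VPN server), as an added example that is not from the thread: a throw-away CA in a temporary directory issues a client certificate, revokes it, and shows that the stale CRL still accepts the client while the regenerated one rejects it. It assumes openssl on PATH; the config, file names and CNs are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: a throw-away CA in a temp dir that reproduces
# the symptom and the fix. Assumes openssl on PATH; names below are constructed.
set -e
cd "$(mktemp -d)"
cat > openssl.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
crlnumber = $dir/crlnumber
certificate = $dir/ca.crt
private_key = $dir/ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_anything
[ policy_anything ]
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
mkdir newcerts; touch index.txt; echo 01 > serial; echo 01 > crlnumber
# Demo CA and one client certificate (unencrypted keys, for the demo only).
openssl req -config openssl.cnf -x509 -newkey rsa:2048 -nodes -subj "/CN=Demo CA" \
    -keyout ca.key -out ca.crt 2>/dev/null
openssl req -config openssl.cnf -new -newkey rsa:2048 -nodes -subj "/CN=client1" \
    -keyout client.key -out client.csr 2>/dev/null
openssl ca -config openssl.cnf -batch -notext -in client.csr -out client.crt 2>/dev/null
openssl ca -config openssl.cnf -gencrl -out deployed.crl 2>/dev/null  # the copy 'aurora' has

# Roughly what crl-verify does per handshake: chain check plus a CRL lookup.
# $1 is the CRL file the VPN server holds. Returns 0 (accepted) or 1 (rejected).
check_client() {
    if openssl verify -CAfile ca.crt -crl_check -CRLfile "$1" client.crt >/dev/null 2>&1; then
        echo "client1 accepted with $1"; return 0
    fi
    echo "client1 rejected with $1"; return 1
}
openssl ca -config openssl.cnf -revoke client.crt 2>/dev/null   # only index.txt changes
openssl ca -config openssl.cnf -gencrl -out fresh.crl 2>/dev/null  # regenerated CRL
check_client deployed.crl || true   # stale CRL on the VPN server: still accepted (the symptom)
! check_client fresh.crl            # after copying the fresh CRL over: rejected
```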

uri.steinberger
OpenVpn Newbie
Posts: 4
Joined: Fri Nov 18, 2011 6:47 am
Location: Melbourne, Australia

Re: creating and revoking certificates for clients

Post by uri.steinberger » Sat Nov 26, 2011 1:24 pm

Thanks Janjust!!!

That worked, thanks so much for your help, highly appreciated this!!!!!!!!!
Another question I have, as I'm not so sure how I create these certificates in the most secure way possible;

I create them with the following procedure, as I mentioned earlier:

1) openssl req -config openssl.cnf -new -nodes -keyout random.com/private/usteinberger@random.com.key -out usteinberger@random.com.csr -days 365

2) Next I signed the certificate using the following command: openssl ca -config openssl.cnf -policy policy_anything -out random.com/certs/usteinberger@random.com.crt -infiles usteinberger@random.com.csr
Then I enter the passphrase.

After creating the key, I copied the usteinberger@random.com.key from the private folder and set it for my OpenVPN, which worked.



What's a better way? Because I have a feeling this is a wrong procedure of copying keys. Also, copying the private key in this way doesn't sound good to me (is there a way to use a public key instead, and not the private key that is stored in the private folder?), or what secure suggestion may you recommend for me to use?

My client settings are as follows also, if you wish to take a look at that:

client
dev tap
proto udp
remote aurora.random.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca root@random.com.crt
cert usteinberger@random.com.crt
key usteinberger@random.com.key (2 certificate files and 1 key that I have on my side as well)
comp-lzo
verb 3


When I also check what's written at the top of my key which I created (usteinberger@random.com.key), it just says
-----BEGIN PRIVATE KEY-----
some long password here......
-----END PRIVATE KEY-----


I wish to make it an encrypted private key, as I believe that is what it should be to make it as secure as possible.

Is it also possible to update these security certificates if they are about to expire, and how do I do that?


Best regards,
Uri

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: creating and revoking certificates for clients

Post by janjust » Sun Nov 27, 2011 11:02 pm

glad to hear it is now working...

Your questions are more about setting up a Private Key Infrastructure (PKI) than about OpenVPN (but relevant nevertheless).
When setting up a PKI it is very important to think about distributing the private keys. The "usual" method is to use a separate secure channel to copy private keys to the clients (e.g. 'scp') or to generate the private keys on the clients themselves. This depends a bit on your setup. The private key passphrase causes the key to be encrypted (you need the passphrase in order to decrypt it), so that should be safe as long as the passphrase is long enough. However, you still need to think about the distribution of the private keys.

As for checking for (nearly) expired certs: that is something that can be done on the CA machine: it can check for expired certs and warn the user; the CA can download a new certificate (based on the old private key), which the user would need to download and install. Again, there are ways to automate this, but they all depend on your setup: OpenVPN does not supply this for you.
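An added example (not from the thread) of the alternative mentioned above: the private key is generated and kept on the client, protected with a passphrase, and only the CSR travels to the CA, so no private key has to be copied at all. It assumes openssl on PATH; the file names and the demo passphrase are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes openssl on PATH; file names and
# the demo passphrase are constructed (a real passphrase is long and random).
set -e
cd "$(mktemp -d)"
PASS='demo-passphrase-change-me'
printf '[ req ]\ndistinguished_name = req_dn\n[ req_dn ]\n' > req.cnf  # minimal config, no prompts

# Tell an unencrypted PKCS#8 key (what 'req -nodes' writes, as in the thread)
# from a passphrase-protected one by its PEM header. Returns 0 if encrypted.
key_is_encrypted() {
    head -n 1 "$1" | grep -q '^-----BEGIN ENCRYPTED PRIVATE KEY-----$'
}

# 1) Key and CSR generated on the client itself; -nodes leaves the key in clear.
openssl req -config req.cnf -new -newkey rsa:2048 -nodes -subj "/CN=client1" \
    -keyout plain.key -out client.csr 2>/dev/null
# 2) Encrypt the existing key; the key material is unchanged, so the CSR stays valid.
openssl pkey -in plain.key -aes256 -passout "pass:$PASS" -out client.key 2>/dev/null
rm plain.key
# 3) Only client.csr goes to the CA. Confirm it carries the public half of the
#    encrypted key, so the signed certificate that comes back will match it.
csr_pub=$(openssl req -in client.csr -noout -pubkey)
key_pub=$(openssl pkey -in client.key -passin "pass:$PASS" -pubout)
key_matches_csr() { [ "$csr_pub" = "$key_pub" ]; }

key_is_encrypted client.key && key_matches_csr && echo "encrypted key stays on the client; CSR ready for the CA"
```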

drory
OpenVpn Newbie
Posts: 1
Joined: Mon Aug 12, 2024 9:29 pm

Re: creating and revoking certificates for clients

Post by drory » Mon Aug 12, 2024 10:00 pm

Is it possible to revoke a user based only on its CN value inside the certificate?
