creating and revoking certificates for clients
-
- OpenVpn Newbie
- Posts: 4
- Joined: Fri Nov 18, 2011 6:47 am
- Location: Melbourne, Australia
creating and revoking certificates for clients
Hi,
If anyone can help me understand how this works, I would be grateful: I have some understanding, but it's kinda scattered, and I need to know if I'm on the right track, and also if you could give me a solution.
1) I created a key as follows, while I was in the /etc/ssl directory of the server:
I input: openssl req -config openssl.cnf -new -nodes -keyout random.com/private/usteinberger@random.com.key -out usteinberger@random.com.csr -days 365 (I could make it valid for more time, but it's better this way)
2) Next I signed the certificate using the following command: openssl ca -config openssl.cnf -policy policy_anything -out random.com/certs/usteinberger@random.com.crt -infiles usteinberger@random.com.csr
In response it asked me for the password (Enter pass phrase for ./random.com/private/root@random.com.key:); I typed the password, answered its prompts, and it finished signing my key.
3) After this I can delete the CSR, as it's just the file that is used to sign the certificate and create the .crt file, which is the initial signed certificate.
I also checked to see if it generated a line in index.txt, and saw that it generated a line for my certificate, which is good:
V 242202030224Z B3D77C0422463K39 unknown /C=AU/ST=VIC/L=Melbourne/O=Random Company Ltd/OU=random.com/CN=Uri Steinberger/emailAddress=uri2013@gmail.com
and B3D77C0422463K39.pem was created as well in newcerts.
After creating the key, I copied usteinberger@random.com.key from the private folder and set it for my OpenVPN, which worked.
The problem is that I wish to cancel this, to check the security, i.e. that it will not grant me access after deleting the certificate.
I read in forums, and while searching for solutions I stumbled upon information that I have to both revoke the client certificate that I wish to remove, and also crl-verify.
I revoked the certificate using: "openssl ca -config openssl.cnf -revoke random.com/certs/usteinberger\@random.com.crt" (I was in the directory /etc/ssl/)
So it revoked it, also showing B3D77C0422463K39.
I assume crl-verify is actually happening every time the server negotiates with clients, as in the OpenVPN server config there is a line in the server's openvpn.conf: crl-verify /etc/ssl/random.com.crl.
The problem is that the actual client certificates are not on this server but on a different server, as this OpenSSL is configured with 2 certificate levels.
I can still VPN into the server despite revoking the certificate.
I tried an alternative revoking: "openssl ca -revoke /etc/ssl/random.com/newcerts/B3D77C0422463K39.pem"
Using configuration from /etc/ssl/openssl.cnf
Enter pass phrase for ./random.com/private/root@random.com.key:
ERROR:Already revoked, serial number B3D77C0422463K39.
Which shows that it is already revoked, but I can still VPN in.
If the case is that I have to crl-verify, how do I do this?
Another question: is it because I may be using my private key (usteinberger@random.com.key), and revoking and CRL verification will not work on private keys?
This is the server openvpn.conf:
mode server
tls-server
port 1194
proto udp
dev tap0
ca /etc/ssl/root@random.com.crt
cert /etc/ssl/mat.random.com.crt
key /etc/ssl/private/mat.random.com.key
crl-verify /etc/ssl/random.com.crl
dh /etc/openvpn/dh2048.pem
comp-lzo
keepalive 10 120
persist-key
persist-tun
log-append /var/log/openvpn.log
The OpenVPN config file is set on a different server, which also has its own keys.
Please help me, because I wish to understand this well before I distribute certificates to clients to VPN into my server.
Another question is about -x509: what exactly does it do, and did I have to use it? I read some stuff that it actually contains a public key in the private key.
Did I have to use -x509? Or what's the best use you can suggest for me on doing this?
cheers,
Uri
- janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
- Contact:
Re: creating and revoking certificates for clients
this is more about PKI and OpenSSL than about OpenVPN;
after revoking a certificate you need to regenerate and redistribute the CRL file:
openssl ca -gencrl -out random.com.crl
the updated CRL will take effect the next time the client logs in - existing connections will not be affected.
-
- OpenVpn Newbie
- Posts: 4
- Joined: Fri Nov 18, 2011 6:47 am
- Location: Melbourne, Australia
Re: creating and revoking certificates for clients
Hi janjust,
Thanks for replying, but I can still VPN into the server despite running the command you specified: "openssl ca -gencrl -out random.com.crl".
The other thing that I didn't mention clearly is that clients VPN to a server with the hostname aurora, which just has its own certificate aurora.random.com.crt and root@random.com.crt.
The other server is the one from the previous post, as that was the server with the client certificates (where I guess I have my issue).
Hopefully this gives you more information that may provide me a solution on successfully revoking and removing client certificates.
I really appreciate your help on this!
Best regards,
Uri
- janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
- Contact:
Re: creating and revoking certificates for clients
does the server to which the clients connect have the config line
crl-verify /etc/ssl/random.com.crl
? does it have that file and is it up to date?
if so, then add 'verb 7' to that server config file, restart both client and server and try to connect; post the server log file here so we can inspect what is happening.
-
- OpenVpn Newbie
- Posts: 4
- Joined: Fri Nov 18, 2011 6:47 am
- Location: Melbourne, Australia
Re: creating and revoking certificates for clients
Hi Janjust,
Thanks for the reply, I very much appreciate your help.
By the way, I realized a typo in the name of the server that clients connect to: the name of the server is not mat, it's aurora.
Well, the answer to your question: I checked the attributes of the files on both servers. On the server that clients connect to, the file is not updated as far as I could see; you can take a look at the following attributes of /etc/ssl/random.com.crl on aurora:
File: `random.com.crl'
Size: 739 Blocks: 8 IO Block: 4096 regular file
Device: 801h/2049d Inode: 403258306 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2011-02-14 18:50:54.600503371 +1100
Modify: 2011-02-14 18:50:54.600503371 +1100
Change: 2011-02-14 18:50:54.600503371 +1100
The following are the attributes of /etc/ssl/random.com.crl on the server where all client certificates are managed; obviously it looks like only this one gets updated:
File: `random.com.crl'
Size: 893 Blocks: 8 IO Block: 4096 regular file
Device: 821h/2081d Inode: 805823154 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2011-02-14 18:42:40.464359031 +1100
Modify: 2011-11-22 13:42:23.820858178 +1100
Change: 2011-11-22 13:42:23.820858178 +1100
This is the corrected config of OpenVPN on the server aurora:
mode server
tls-server
port 1194
proto udp
dev tap0
ca /etc/ssl/root@random.com.crt
cert /etc/ssl/aurora.random.com.crt
key /etc/ssl/private/aurora.random.com.key
crl-verify /etc/ssl/random.com.crl
dh /etc/openvpn/dh2048.pem
comp-lzo
keepalive 10 120
persist-key
persist-tun
log-append /var/log/openvpn.log
Best regards,
Uri
- janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
- Contact:
Re: creating and revoking certificates for clients
the CRL file on 'aurora' is not updated automatically - you need to copy over the new .crl file from the place where you generated it to the VPN server. A restart of the openvpn process is not required.
-
- OpenVpn Newbie
- Posts: 4
- Joined: Fri Nov 18, 2011 6:47 am
- Location: Melbourne, Australia
Re: creating and revoking certificates for clients
Thanks Janjust!!!
That worked, thanks so much for your help, highly appreciated this!!!!!!!!!
Another question I have, as I'm not so sure whether I create these certificates in the most secure way possible;
I create them with the following procedure, as I mentioned earlier:
1) openssl req -config openssl.cnf -new -nodes -keyout random.com/private/usteinberger@random.com.key -out usteinberger@random.com.csr -days 365
2) Next I signed the certificate using the following command: openssl ca -config openssl.cnf -policy policy_anything -out random.com/certs/usteinberger@random.com.crt -infiles usteinberger@random.com.csr
Then I enter the passphrase.
After creating the key, I copied usteinberger@random.com.key from the private folder and set it for my OpenVPN, which worked.
What's a better way? I have a feeling this is a wrong procedure for copying keys. Also, copying the private key in this way doesn't sound good to me (is there a way to use a public key instead, and not the private key that is stored in the private folder?),
or what most secure suggestion may you recommend for me to use?
My client settings are as follows too, if you wish to take a look at that:
client
dev tap
proto udp
remote aurora.random.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca root@random.com.crt
cert usteinberger@random.com.crt
key usteinberger@random.com.key (2 certificate files and 1 key that I have on my side as well)
comp-lzo
verb 3
When I also check what's written at the top of the key which I created (usteinberger@random.com.key), it just says
-----BEGIN PRIVATE KEY-----
some long password here......
-----END PRIVATE KEY-----
I wish to make it an encrypted private key, as I believe that is what it should be to make it as secure as possible.
Is it also possible to update these security certificates if they are about to expire, and how do I do that?
Best regards,
Uri
- janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
- Contact:
Re: creating and revoking certificates for clients
glad to hear it is now working...
your questions are more about setting up a Private Key Infrastructure (PKI) than about OpenVPN (but relevant nevertheless).
When setting up a PKI it is very important to think about distributing the private keys. The "usual" method is to use a separate secure channel to copy private keys to the clients (e.g. 'scp') or to generate the private keys on the clients themselves. This depends a bit on your setup. The private key passphrase causes the key to be encrypted (you need the passphrase in order to decrypt it), so that should be safe as long as the passphrase is long enough. However, you still need to think about the distribution of the private keys.
As for checking for (nearly) expired certs: that is something that can be done on the CA machine: it can check for expired certs and warn the user; the CA can download a new certificate (based on the old private key), which the user would need to download and install. Again, there are ways to automate this, but they all depend on your setup: OpenVPN does not supply this for you.
-
- OpenVpn Newbie
- Posts: 1
- Joined: Mon Aug 12, 2024 9:29 pm
Re: creating and revoking certificates for clients
Is it possible to revoke a user based only on its CN value inside the certificate?
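Both the expiry check janjust says the CA machine can do and the question of revoking a user by CN come down to the CA's own database, the index.txt file shown earlier in the thread (the `openssl ca -revoke` command needs the newcerts/<serial>.pem file, and index.txt is what maps a CN to that serial). Below is an added example, not code from the thread, from OpenVPN or from OpenSSL, that parses that file; the index lines, serials, CNs and the random.com/newcerts path prefix are constructed or assumed.

```python
"""Parser for the OpenSSL CA database (index.txt) that `openssl ca` maintains.
Added example, not code from the forum thread; SAMPLE_INDEX is constructed data.
Maps a CN to its serial (hence its newcerts/<serial>.pem), reports revocation
status and lists certificates that expire soon."""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, NamedTuple, Optional

# index.txt is tab separated:
#   status  expiry  revocation_date[,reason]  serial  filename  subject_DN
# status is V (valid), R (revoked) or E (expired); dates are YYMMDDHHMMSSZ (UTC).
SAMPLE_INDEX = (
    "V\t261120031500Z\t\tB3D77C0422463A39\tunknown\t"
    "/C=AU/ST=VIC/O=Random Company Ltd/CN=Uri Steinberger\n"
    "R\t261120031500Z\t241122024223Z,keyCompromise\tB3D77C0422463A3A\tunknown\t"
    "/C=AU/ST=VIC/O=Random Company Ltd/CN=Old Laptop\n"
    "V\t241201000000Z\t\tB3D77C0422463A3B\tunknown\t"
    "/C=AU/ST=VIC/O=Random Company Ltd/CN=aurora.random.com\n"
)

class Entry(NamedTuple):
    status: str
    expires: datetime
    revoked: Optional[datetime]
    reason: Optional[str]
    serial: str
    subject: Dict[str, str]  # RDN type -> value, e.g. {"CN": "Uri Steinberger"}

def parse_date(s: str) -> datetime:
    return datetime.strptime(s, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def parse_subject(dn: str) -> Dict[str, str]:
    # "/C=AU/CN=x" -> {"C": "AU", "CN": "x"}; values in this sample contain no "/"
    return dict(rdn.partition("=")[::2] for rdn in dn.strip("/").split("/"))

def parse_index(text: str) -> List[Entry]:
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        status, expiry, rev, serial, _fname, dn = line.split("\t", 5)
        rev_date, _, reason = rev.partition(",")  # reason is optional
        entries.append(Entry(status, parse_date(expiry),
                             parse_date(rev_date) if rev_date else None,
                             reason or None, serial, parse_subject(dn)))
    return entries

def serials_for_cn(entries: List[Entry], cn: str) -> List[str]:
    """Valid (not yet revoked) serials issued to this CN: revoking 'by CN'
    means revoking each newcerts/<serial>.pem the CA wrote for that CN."""
    return [e.serial for e in entries
            if e.status == "V" and e.subject.get("CN") == cn]

def is_revoked(entries: List[Entry], serial: str) -> bool:
    return any(e.serial == serial and e.status == "R" for e in entries)

def expiring_within(entries: List[Entry], now: datetime, days: int) -> List[str]:
    """Serials of valid certs that expire within `days` of `now`."""
    cutoff = now + timedelta(days=days)
    return [e.serial for e in entries if e.status == "V" and e.expires <= cutoff]

def revoke_command(serial: str) -> str:
    # The thread's own revoke command; afterwards run `openssl ca -gencrl`
    # and copy the fresh CRL to the VPN server.  Path prefix is an assumption.
    return f"openssl ca -config openssl.cnf -revoke random.com/newcerts/{serial}.pem"
```

Run `serials_for_cn(parse_index(open("index.txt").read()), "<CN>")` against a real CA directory to get the serials to pass to `revoke_command`; the CRL still has to be regenerated and copied to the VPN server afterwards, as the thread explains.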