Hi,
Our index.txt database got screwed and I had to revert to an old index.txt (with several new clients not added yet). I still have all the certificates, CSRs and keys of all clients that are not yet written in the index.txt. Is there a way to add signed certificates to the index.txt or rebuild the index.txt? Is that index.txt file only used when using the crl-verify option?
Rebuild Index.txt
-
- OpenVpn Newbie
- Posts: 4
- Joined: Mon Mar 05, 2012 10:40 pm
Re: Rebuild Index.txt
Additional question:
Can someone explain the second column in index.txt (with values like 180301135738Z)?
- janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
Re: Rebuild Index.txt
The second column is the certificate expiration date in ASN1_TIME format. The entry '180301135738Z' means the certificate enddate is
2018, March 01 13:57:38 GMT
Someone else asked the same question on the openvpn-users mailing list; I've written a little script which attempts to recreate the index.txt file. Works for several index.txt files that I could find. YMMV.
Code:
#!/bin/bash
# Recreate index.txt entries from the certificates given on the command line.
if [ $# -eq 0 ]
then
    echo "Usage: $0 *.pem"
    exit 1
fi
for cert
do
    # Convert e.g. "notAfter=Mar  1 13:57:38 2018 GMT" to YYMMDDHHMMSSZ
    enddate=$(openssl x509 -enddate -noout -in "$cert" | sed 's/notAfter=//' | awk '
        { year=$4-2000;
          months="JanFebMarAprMayJunJulAugSepOctNovDec";
          month=int(index(months, $1)/3)+1;
          day=$2;
          hour=substr($3,1,2);
          minutes=substr($3,4,2);
          seconds=substr($3,7,2);
          printf "%02d%02d%02d%02d%02d%02dZ", year, month, day, hour, minutes, seconds }')
    serial=$(openssl x509 -serial -noout -in "$cert" | sed 's/serial=//')
    subject=$(openssl x509 -subject -noout -in "$cert" | sed 's/subject= //')
    # Fields are tab-separated; the empty third field is the revocation date
    printf 'V\t%s\t\t%s\tunknown\t%s\n' "$enddate" "$serial" "$subject"
done
-
- OpenVpn Newbie
- Posts: 4
- Joined: Mon Mar 05, 2012 10:40 pm
Re: Rebuild Index.txt
Cheers for the script, I will test it today!
-
- OpenVpn Newbie
- Posts: 4
- Joined: Mon Mar 05, 2012 10:40 pm
Re: Rebuild Index.txt
Creating the new index worked well. The only problem is that you will have to replace all white spaces in the index.txt with tabs, else it will give you errors when creating new certificates or revoking certs.
- janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
Re: Rebuild Index.txt
Hehe, my script contains tabs, but the forum website ignores them
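A way to check a rebuilt index.txt for the space-versus-tab problem described above before handing it back to the CA. This is an added example, not part of the thread or of janjust's script; the function names `check_index` and `sample_index` and the sample entries are constructed here, and only 13-character (YYMMDDHHMMSSZ) expiry values are handled.

```bash
#!/bin/bash
# Added example (not from the thread): sanity-check an OpenSSL CA index.txt.
# Each entry has 6 TAB-separated fields:
#   status, expiry, revocation date, serial, filename, subject
check_index() {    # usage: check_index index.txt   (or pipe the file in)
    awk -F'\t' '
    # Decode a 13-character UTCTime value (YYMMDDHHMMSSZ).
    function decode(t,    yy) {
        yy = substr(t, 1, 2) + 0
        yy += (yy >= 50) ? 1900 : 2000   # RFC 5280 rule for two-digit years
        return sprintf("%04d-%s-%s %s:%s:%s GMT", yy, substr(t, 3, 2),
                       substr(t, 5, 2), substr(t, 7, 2), substr(t, 9, 2),
                       substr(t, 11, 2))
    }
    {
        problem = ""
        if (NF != 6)
            problem = "expected 6 tab-separated fields, found " NF
        else if ($1 !~ /^[VRE]$/)
            problem = "unknown status " $1
        else if (length($2) != 13 || $2 !~ /^[0-9]+Z$/)
            problem = "expiry is not YYMMDDHHMMSSZ: " $2
        else if ($1 == "V" && $3 != "")
            problem = "valid entry has a revocation date"
        else if ($1 == "R" && $3 == "")
            problem = "revoked entry has no revocation date"
        else if ($4 !~ /^[0-9A-Fa-f]+$/)
            problem = "serial is not hexadecimal: " $4

        if (problem != "") { print NR ": BAD " problem; bad++ }
        else print NR ": OK serial=" $4 " expires=" decode($2)
    }
    END { exit (bad > 0) }' "$@"
}

# Constructed sample: line 1 is well formed, line 2 has spaces instead of
# tabs (what a forum copy-paste produces), line 3 is a revoked entry.
sample_index() {
    printf 'V\t180301135738Z\t\t01\tunknown\t/CN=client1\n'
    printf 'V 180301135738Z 01 unknown /CN=client2\n'
    printf 'R\t180301135738Z\t120306101500Z\t03\tunknown\t/CN=client3\n'
}

sample_index | check_index || true
```

The function exits non-zero if any entry is malformed, so it can gate a script that copies the rebuilt file into place.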

-
- OpenVpn Newbie
- Posts: 6
- Joined: Mon Aug 03, 2020 9:52 am
Re: Rebuild Index.txt
Well, very good to know that the second column gives information about the expiration time of a certificate. But can we replace it with our own desired date to force a client to expire sooner than the time in their certificate? I am wondering whether it is possible to create a certificate which is valid for 365 days and make it expire after 30 days, with the possibility to extend it for another 30 days?