Rebuild Index.txt

Posted: Tue Mar 06, 2012 7:27 am
by maartendq
Hi,

Our index.txt database got screwed and I had to revert to an old index.txt (with several new clients not added yet). I still have all the certificates, CSRs and keys of all clients that are not yet written in the index.txt. Is there a way to add signed certificates to the index.txt or rebuild the index.txt? Is that index.txt file only used when using the crl-verify option?

Re: Rebuild Index.txt

Posted: Tue Mar 06, 2012 3:50 pm
by maartendq
Additional question:
Can someone explain the second column in index.txt (with values like 180301135738Z)?

Re: Rebuild Index.txt

Posted: Tue Mar 06, 2012 4:01 pm
by janjust
The second column is the certificate expiration date in ASN1_TIME format. The entry '180301135738Z' means the certificate enddate is 2018, March 01 13:57:38 GMT.

Someone else asked the same question on the openvpn-users mailing list; I've written a little script which attempts to recreate the index.txt file. Works for several index.txt files that I could find. YMMV.

Code:

#!/bin/bash

if [ $# -eq 0 ]
then
  echo "Usage: $0 *.pem"
  exit 1
fi

for cert
do
  # Convert notAfter (e.g. "Mar  1 13:57:38 2018 GMT") to YYMMDDHHMMSSZ
  enddate=$(openssl x509 -enddate -noout -in "$cert" | sed 's/notAfter=//' | awk '
    { year=$4-2000;
      months="JanFebMarAprMayJunJulAugSepOctNovDec" ;
      month=int(1+index(months, $1)/3) ;
      day=$2;
      hour=substr($3,1,2) ;
      minutes=substr($3,4,2);
      seconds=substr($3,7,2);
      printf "%02d%02d%02d%02d%02d%02dZ", year, month, day, hour, minutes, seconds}')

  serial=$(openssl x509 -serial -noout -in "$cert" | sed 's/serial=//')
  subject=$(openssl x509 -subject -noout -in "$cert" | sed 's/^subject= *//')

  # Fields are separated by tabs, written as \t so they survive copy and paste;
  # the third field (revocation date) stays empty for a valid certificate
  printf 'V\t%s\t\t%s\tunknown\t%s\n' "$enddate" "$serial" "$subject"
done

Re: Rebuild Index.txt

Posted: Wed Mar 07, 2012 2:34 pm
by maartendq
Cheers for the script, I will test it today!

Re: Rebuild Index.txt

Posted: Mon Mar 12, 2012 2:14 pm
by maartendq
Creating the new index worked well; the only problem is that you will have to replace all white space in the index.txt with tabs, else it will give you errors when creating new certificates or revoking certs.

Re: Rebuild Index.txt

Posted: Mon Mar 12, 2012 4:12 pm
by janjust
Hehe, my script contains tabs, but the forum website ignores them.
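
A check for the tab problem discussed above, as an added example that is not part of the original posts: it validates one index.txt line against an assumed layout of six tab-separated fields (status, expiry, revocation date, serial, file name, subject) and decodes the expiry column. The function name `check_index_line` and the sample lines are constructed for illustration; two-digit years below 50 are read as 20YY, as for ASN.1 UTCTime.

```shell
#!/bin/bash
# Added example: sanity-check a rebuilt index.txt line before "openssl ca" uses it.
# Assumed layout: status, expiry, revocation date, serial, file name, subject,
# separated by single TAB characters.

# check_index_line LINE
#   prints "ok ..." with the decoded expiry and returns 0,
#   or prints "bad: <reason>" and returns 1.
check_index_line() {
  printf '%s\n' "$1" | awk -F'\t' '
    {
      msg = ""
      if (NF != 6)
        msg = "need 6 tab-separated fields, found " NF
      else if ($1 !~ /^[VRE]$/)
        msg = "status must be V, R or E"
      else if (length($2) != 13 || $2 !~ /^[0-9]+Z$/)
        msg = "expiry is not YYMMDDHHMMSSZ"
      else if ($1 == "V" && $3 != "")
        msg = "valid entry carries a revocation date"
      else if ($1 == "R" && $3 == "")
        msg = "revoked entry lacks a revocation date"
      else if ($4 !~ /^[0-9A-Fa-f]+$/)
        msg = "serial is not hexadecimal"

      if (msg != "") { print "bad: " msg; exit 1 }

      yy = substr($2, 1, 2) + 0
      year = (yy < 50 ? 2000 : 1900) + yy
      printf "ok %s %04d-%s-%s %s:%s:%s GMT serial=%s\n", $1, year,
             substr($2, 3, 2), substr($2, 5, 2),
             substr($2, 7, 2), substr($2, 9, 2), substr($2, 11, 2), $4
    }'
}

# Constructed sample lines: one with tabs, one as the forum rendered it (spaces).
with_tabs=$(printf 'V\t180301135738Z\t\t01\tunknown\t/CN=client1')
with_spaces='V       180301135738Z                01 unknown /CN=client1'

for line in "$with_tabs" "$with_spaces"
do
  check_index_line "$line" || true
done
```

To check a whole file, call the function once per line, for example from a `while IFS= read -r line` loop over index.txt.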

Re: Rebuild Index.txt

Posted: Wed Feb 01, 2023 1:38 pm
by p0o0uya
janjust wrote:
Tue Mar 06, 2012 4:01 pm
> the second column is the certificate expiration date in ASN1_TIME format. The entry '180301135738Z' means the certificate enddate is 2018, March 01 13:57:38 GMT

Well, very good to know that the second column gives information about the expiration time of a certificate. But can we replace it with our own desired date to force a client to expire sooner than the time in their certificate? I am thinking: is it possible to create a certificate which is valid for 365 days and make it expire after 30 days, which is possible to extend for another 30 days?