mentby.com

disabling key rather than revoking & IP check



Is it possible to disable a key temporarily rather than revoke it?
For example, I might want to disable a key for 24 hours until I can verify something, then enable it again?
I understand revoking is only needed for compromised keys?

I found the following command
--disable
Disable a particular client
(based on the common name) from connecting.
Would I use the certificate name in this instance? So key/cert is called mycert.crt so I disable access for mycert client?

Also, how can I restrict a certificate to be used by 1 IP address only? For example, a client might send out the certificate to his friends to use.


qwertyjjj Thu, 29 Apr 2010 00:16:24 -0700

you would use the /CN= name from the certificate. You can retrieve this
using
  openssl x509 -subject -noout -in mycert.crt
This is also the name as it appears in the server log file, e.g.
  IP:2318 [rivendel] Peer Connection Initiated with IP:2318

in this case the certificate name is 'rivendel' even though the client
cert is named client.crt

you'd have to use a
  tls-verify <script>
script to check that a particular certificate can be used only at a
particular IP address. Normally a client cert is allowed to log in only
once, but there are no default checks where the login comes from.

HTH,

JJK


Jan Just Keijser Thu, 29 Apr 2010 02:24:24 -0700

If the default is to only allow the certificate to connect 1 at a time then that should be ok.

With the disabling, do I have to use openssl to disable a certificate, and do I need to create a disabled file to hold the CN names of disabled certificates?
I generally wouldn't revoke a certificate until a number of days after the client had confirmed they no longer needed it. I'm trying to avoid the scenario where I have to send out a new certificate for the same user.



qwertyjjj Thu, 29 Apr 2010 04:10:24 -0700

if you create a 'ccd' file for the client cert containing the line
  disable
then that client certificate can no longer log in. Remove the 'ccd' file
and the client can log back in.

HTH,

JJK


Jan Just Keijser Thu, 29 Apr 2010 04:35:49 -0700

Right, just make sure that "duplicate-cn" is commented out in your
server configuration.

To revoke, yes.

A certificate revocation list, or CRL, yes.

It's no problem to recreate one with the same common name, unless you
are referring to the difficulty of secure distribution? Reissue
requires no change to server or client configuration, apart from
installing the new .cert file. CRL does not change because the
recreated certificate has a different serial number. The client's
private key is also unchanged.

This document has served me well for years: http://www.debian-administration.org/articles/284

--Toby


toby Thu, 29 Apr 2010 04:35:55 -0700

Thanks
How would I get the server to check the ccd file?



qwertyjjj Thu, 29 Apr 2010 07:04:15 -0700

You don't.
Use the --client-config-dir /path/to/directory on the server config then give the following options for the client in the /path/to/client/cn-of-client.

mark


Mark (at) Edgewire Thu, 29 Apr 2010 07:19:13 -0700

So, in the server we have

--client-config-dir /etc/openvpn/easy-rsa/2.0/keys/disablelist.txt

then in the disable.txt file we use
--disable mycert.crt
--disable testcert.crt
--disable randomcert.crt

?

--disable Disable a particular client
(based on the common name) from connecting. Don't use this option to
disable a client due to key or password compromise. Use a CRL
(certificate revocation list) instead (see the --crl-verify
option).
This option must be associated with a specific client instance, which
means that it must be specified either in a client instance config file
using --client-config-dir or dynamically generated
using a --client-connect script.



qwertyjjj Thu, 29 Apr 2010 12:03:26 -0700

Right...so:
--client-config-dir dir
      Specify a directory dir for custom client config files. After a
      connecting client has been authenticated, OpenVPN will look in this
      directory for a file having the same name as the client's X509
      common name. If a matching file exists, it will be opened and parsed
      for client-specific configuration options. If no matching file is
      found, OpenVPN will instead try to open and parse a default file
      called "DEFAULT", which may be provided but is not required.

I create a new directory called clientconfigfiles.
server.conf will have a line added:
--client-config-dir /etc/openvpn/easy-rsa/2.0/clientconfigfiles

then in that folder I place a file for each cert. So, if I have 2 certs called mycert.crt and testcert.crt the 2 files should be called
mycert
testcert

no .crt on the end?

then in each of those files, I place a line:
--disable

?


qwertyjjj Thu, 29 Apr 2010 12:36:54 -0700

My server.conf says this:
In other words: you don't need the --client-config-dir, you can simply
use the server.conf, which has ccd set by default.
Also, this means that the files do not go into ./easy-rsa/2.0 but to ./ccd

What I noticed as well is that the comments don't mention
--ifconfig-push but ifconfig-push (no --) so I assume that there's no
need for the --.

Please do know that I have never used the ccd before and that I am only
basing this on the documentation.

Tom


Tom Van Der Woerdt Thu, 29 Apr 2010 12:45:52 -0700

follow this recipe:

add a line
  client-config-dir /etc/openvpn/ccd
to the server conf; create this directory and make sure it is readable
to the user running openvpn
  mkdir -p /etc/openvpn/ccd
  chmod 755 /etc/openvpn/ccd
inside this directory, create a file with *only* the common name of the
certificate. To determine the common name, type
  openssl x509 -subject -noout -in <path-to-certs>/mycert.crt
The output will contain a part
  /CN=[common name]
Now create the file with the disable parameter:
  echo disable > [common name]
where you replace [common name] with the /CN=... part (convert spaces to
underscores).

No .crt on the end of the file, nothing, zip, nada

HTH,

JJK


Jan Just Keijser Thu, 29 Apr 2010 14:20:01 -0700
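Putting JJK's two answers together (the tls-verify script idea from the first reply and the ccd recipe just above), here is an added example that is not from the thread or from any of its posters. It assumes client-config-dir /etc/openvpn/ccd, a made-up allowlist file of "<cn> <ip>" lines at /etc/openvpn/cn-ip-allowlist, and OpenVPN's documented tls-verify calling convention (certificate depth and X.509 subject as the two arguments, untrusted_ip in the environment).

```shell
#!/bin/sh
# Added example (not from the thread): CCD disable/enable helpers plus a
# --tls-verify hook that pins a client CN to one source IP. Assumed:
# client-config-dir /etc/openvpn/ccd; an allowlist of "<cn> <ip>" lines;
# OpenVPN runs the hook as "<script> <depth> <subject>" and exports
# untrusted_ip, the peer address before it is authenticated.
CCD_DIR="${CCD_DIR:-/etc/openvpn/ccd}"
ALLOWLIST="${ALLOWLIST:-/etc/openvpn/cn-ip-allowlist}"

# CN from a subject in "/C=NL/CN=x/emailAddress=.." or "C = NL, CN = x, .."
# form (the latter is what newer openssl x509 -subject prints). Spaces
# become underscores, matching the CCD file naming rule from the thread.
cn_from_subject() {
    printf '/%s\n' "$1" | sed -n 's#.*[/,] *CN *= *\([^/,]*\).*#\1#p' | tr ' ' '_'
}

# CN of a certificate file via openssl (needs openssl; not run by the test).
cn_from_cert() { cn_from_subject "$(openssl x509 -subject -noout -in "$1")"; }

# Lock a client out for now: after authentication OpenVPN reads the CCD
# file named after the CN and refuses the client if it contains "disable".
disable_client() { printf 'disable\n' > "$CCD_DIR/$1"; }
# Let it back in; no CRL update and no reissue. Removes the whole file, so
# keep ifconfig-push and similar settings for that client elsewhere.
enable_client()  { rm -f "$CCD_DIR/$1"; }
is_disabled()    { grep -qx disable "$CCD_DIR/$1" 2>/dev/null; }

# tls-verify decision: 0 accepts, 1 rejects. Depth > 0 is the CA chain,
# which OpenVPN validates itself; only the leaf (depth 0) is pinned.
check_cn_ip() {
    depth="$1"; subject="$2"; peer_ip="$3"; list="$4"
    [ "$depth" = 0 ] || return 0
    cn=$(cn_from_subject "$subject")
    [ -n "$cn" ] || return 1
    allowed=$(awk -v cn="$cn" '$1 == cn { print $2; exit }' "$list")
    [ -n "$allowed" ] || return 1        # CN not listed: fail closed
    [ "$allowed" = "$peer_ip" ]
}

# Constructed allowlist for a dry run; prints the temp file's path.
make_demo_allowlist() {
    f=$(mktemp); printf 'rivendel 192.0.2.10\nfrodo 192.0.2.11\n' > "$f"; echo "$f"
}

# Entry point when OpenVPN invokes this file as its tls-verify script.
if [ $# -ge 2 ]; then
    check_cn_ip "$1" "$2" "${untrusted_ip:-}" "$ALLOWLIST" && exit 0
    echo "tls-verify: rejecting '$2' from '${untrusted_ip:-?}'" >&2
    exit 1
fi
```

Install it as `tls-verify /etc/openvpn/tls-verify.sh` (executable, readable by the user OpenVPN runs as) and keep the allowlist outside the ccd directory so a CCD file is never confused with it.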

The server's ccd file should be named according to the client
certificate common name. The certificate *file* name is not relevant.

--Toby


toby Thu, 29 Apr 2010 15:17:32 -0700


