Is it possible to disable a key temporarily rather than revoke it?
For example, I might want to disable a key for 24 hours until I can verify something, then enable it again?
I understand revoking is only needed for compromised keys?
I found the following command:
Disable a particular client
(based on the common name) from connecting.
Would I use the certificate name in this instance? So key/cert is called mycert.crt so I disable access for mycert client?
Also, how can I restrict a certificate to be used by 1 IP address only? For example, a client might send out the certificate to his friends to use.
You would use the /CN= name from the certificate. You can retrieve it with
openssl x509 -subject -noout -in mycert.crt
This is also the name as it appears in the server log file, e.g.
IP:2318 [rivendel] Peer Connection Initiated with IP:2318
In this case the certificate name is 'rivendel' even though the client
cert is named client.crt
You'd have to use a
script to check that a particular certificate can be used only at a
particular IP address. Normally a client cert is allowed to log in only
once, but there are no default checks where the login comes from.
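As an added example (not from the thread), one way to implement the per-IP check the reply above describes is an OpenVPN --client-connect script. OpenVPN exports the authenticated peer's certificate common name and source address to the script as the environment variables common_name and trusted_ip, and a non-zero exit status makes the server refuse the connection; the pinning table below is constructed sample data and the script's path and install location are your choice.

```sh
#!/bin/sh
# OpenVPN --client-connect script (added example, not from the thread): refuse a
# login when a certificate common name is used from an address other than the
# one pinned to it. The CN -> address table is constructed sample data; in a
# real deployment keep it in a root-owned file instead of in the script.

PINNED_IPS="rivendel=203.0.113.10
mycert=198.51.100.7"

# pinned_ip_for CN: print the address pinned to CN, or nothing if CN is unpinned.
pinned_ip_for() {
    printf '%s\n' "$PINNED_IPS" | awk -F= -v cn="$1" '$1 == cn { print $2; exit }'
}

# check_client_ip CN IP: succeed only if CN is pinned to exactly IP.
# Unpinned common names are refused as well (deny by default), so a new
# certificate cannot connect until an administrator has pinned it.
check_client_ip() {
    expected=$(pinned_ip_for "$1")
    [ -n "$expected" ] && [ "$expected" = "$2" ]
}

# Only enforce the policy when OpenVPN invoked us (both variables are set);
# sourcing the file elsewhere just defines the functions.
if [ -n "$common_name" ] && [ -n "$trusted_ip" ]; then
    if check_client_ip "$common_name" "$trusted_ip"; then
        exit 0
    fi
    echo "refusing $common_name from $trusted_ip: not the pinned address" >&2
    exit 1
fi
```

Point the client-connect option in server.conf at the script (OpenVPN needs script-security 2 to run external scripts), and the refusal shows up in the server log next to the Peer Connection Initiated line quoted above.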
If the default is to only allow the certificate to connect 1 at a time then that should be ok.
With the disabling, do I have to use openssl to disable a certificate, and do I need to create a disabled file to hold the CN names of disabled certificates?
I generally wouldn't revoke a certificate until a number of days after the client had confirmed they no longer needed it. I'm trying to avoid the scenario where I have to send out a new certificate for the same user.
If you create a 'ccd' file for the client cert containing the line
then that client certificate can no longer log in. Remove the 'ccd' file
and the client can log back in.
Right, just make sure that "duplicate-cn" is commented out in your
To revoke, yes.
A certificate revocation list, or CRL, yes.
It's no problem to recreate one with the same common name, unless you
are referring to the difficulty of secure distribution? Reissue
requires no change to server or client configuration, apart from
installing the new .cert file. CRL does not change because the
re-created certificate has a different serial number. The client's
private key is also unchanged.
This document has served me well for years: http://www.debian-administration.org/articles/284
How would I get the server to check the ccd file?
Use --client-config-dir /path/to/directory in the server config, then give the following options for the client in /path/to/client/cn-of-client.
So, in the server we have
then in the disable.txt file we use
--disable Disable a particular client
(based on the common name) from connecting. Don't use this option to
disable a client due to key or password compromise. Use a CRL
(certificate revocation list) instead (see the --crl-verify
This option must be associated with a specific client instance, which
means that it must be specified either in a client instance config file
using --client-config-dir or dynamically generated
using a --client-connect script.
Specify a directory dir for custom client
config files. After a connecting client has been authenticated,
OpenVPN will look in this directory for a file having the same
name as the client's X509 common name. If a matching file
exists, it will be opened and parsed for client-specific
configuration options. If no matching file is found, OpenVPN
will instead try to open and parse a default file called
"DEFAULT", which may be provided but is not required.
I create a new directory called clientconfigfiles.
server.conf will have a line added:
then in that folder I place a file for each cert. So, if I have 2 certs called mycert.crt and testcert.crt the 2 files should be called
No .crt on the end?
then in each of those files, I place a line:
My server.conf says this:
In other words: you don't need the --client-config-dir, you can simply
use the server.conf, which has ccd set by default.
Also, this means that the files do not go into ./easy-rsa/2.0 but to ./ccd
What I noticed as well is that the comments don't mention
--ifconfig-push but ifconfig-push (no --) so I assume that there's no
need for the --.
Please do know that I have never used the ccd before and that I am only
basing this on the documentation.
Follow this recipe:
Add a line
to the server conf; create this directory and make sure it is readable
to the user running openvpn
mkdir -p /etc/openvpn/ccd
chmod 755 /etc/openvpn/ccd
Inside this directory, create a file with *only* the common name of the
certificate. To determine the common name, type
openssl x509 -subject -noout -in <path-to-certs>/mycert.crt
The output will contain a part
Now create the file with the disable parameter:
echo disable > [common name]
where you replace [common name] with the /CN=... part (convert spaces to
No .crt on the end of the file, nothing, zip, nada.
The server's ccd file should be named according to the client
certificate common name. The certificate *file* name is not relevant.
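The recipe above, turned into repeatable shell helpers as an added example (not from the thread): cn_from_subject extracts the common name from the line that "openssl x509 -subject -noout" prints (both the older "/CN=name" layout and the newer "CN = name" layout), disable_client writes the one-line ccd file, enable_client removes it again, and client_disabled reports the current state. The ccd path, the helper names and the sample subject lines in the comments are assumptions; common names containing spaces are left untouched here.

```sh
# Helpers for the ccd "disable" recipe (added example, not from the thread).
# CCD_DIR is an assumption; override it in the environment if yours differs.
CCD_DIR="${CCD_DIR:-/etc/openvpn/ccd}"

# cn_from_subject SUBJECT_LINE: print the common name found in the line.
#   "subject= /C=NL/O=Example/CN=rivendel/emailAddress=a@example.test" -> rivendel
#   "subject=C = NL, O = Example, CN = rivendel"                      -> rivendel
cn_from_subject() {
    printf '%s\n' "$1" \
      | sed -n -e 's#.*/CN=\([^/,]*\).*#\1#p' -e 't' \
               -e 's#.*CN *= *\([^,/]*\).*#\1#p' \
      | sed 's/[[:space:]]*$//'
}

# check_cn CN: refuse names that would name no file or escape CCD_DIR.
check_cn() {
    case "$1" in
        ""|.|..|*/*) echo "refusing unsafe common name: '$1'" >&2; return 1 ;;
    esac
}

# disable_client CN: create CCD_DIR/CN containing only "disable". The file is
# named after the common name itself, with no .crt suffix, as the recipe says.
disable_client() {
    check_cn "$1" || return 1
    mkdir -p "$CCD_DIR" && chmod 755 "$CCD_DIR" || return 1
    printf 'disable\n' > "$CCD_DIR/$1"
}

# enable_client CN: remove the ccd file so the client can log in again.
enable_client() {
    check_cn "$1" || return 1
    rm -f "$CCD_DIR/$1"
}

# client_disabled CN: succeed if the ccd file currently carries "disable".
client_disabled() {
    check_cn "$1" 2>/dev/null || return 1
    grep -qx disable "$CCD_DIR/$1" 2>/dev/null
}

# Typical use, taking the common name straight from the certificate file:
#   disable_client "$(cn_from_subject "$(openssl x509 -subject -noout -in mycert.crt)")"
```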