
I've got myself into a pretty messy situation:

  1. I generated a client's self-signed certificate on server A, with server A being the CA.
  2. I then copied the self-signed certificate (.crt, .key) to server B, which is also a CA by itself.
  3. I started using this self-signed certificate on server B and it worked, so I didn't think too much afterward.

Now, I need to revoke this self-signed certificate; however, I cannot do it on server B (it complains about "name does not match"). I've managed to revoke it on server A, which signed it, but how can I let server B know that this certificate has indeed been revoked?

I tried to copy the revoked cert over to server B but it doesn't really work...

Platform:

  • server A: Ubuntu server 10.10, openssl version 0.9.8o
  • server B: CentOS 4.4, openssl version 0.9.7a

If there's anything else I can provide please let me know.

Hope my explanation makes sense, if not, please leave me a msg. Any help would be very much appreciated!

Kenny Rasschaert
tw79

1 Answer


You must have copied the server and client certificates from A to B if the same client certs still work when authenticating to B. Is this not the case? If you only moved the client certs, and not the server cert, but you can still authenticate to B with client certs from A, then you must have the same CA on A and B.

You don't need to copy the revoked cert to B, you just need to add the cert to B's revocation list. Normally, as long as the server and client certs are signed by the same CA, authentication will proceed. Revocation works by adding entries to a text file. When you authenticate with a cert, OpenVPN will check your Certificate Revocation List (CRL) to see if the cert has been revoked. You're not making any changes to the actual cert.

Michael
  • Thanks very much Cocabean! Yeah, after a few hours searching/playing with it I figured the trick is in the CRL. However, I'm pretty sure servers A and B use different CAs, and yet for some reason a client cert signed by server A works on server B.... I'll try to add the client cert to the CRL on server B now and see if it works! – tw79 May 24 '11 at 04:41
  • Sorry Cocoabean, under the easy-rsa/keys/ directory where I store my keys, can you point me to where I can add my revoked cert entry? I'm feeling it should be index.txt, but after adding it, "openssl crl -text -noout -in ca.crt" still shows no revoked certs???? Thanks very much! – tw79 May 24 '11 at 05:03
  • OK - I copied the corresponding entry from server A's index.txt to server B's index.txt, then I generated a new CRL: newcrl.pem. After that, running "openssl crl -text -noout -in newcrl.pem" shows that entry 13 is revoked, but somehow I'm still able to OpenVPN in using the revoked cert! I'm lost...... – tw79 May 24 '11 at 05:24
  • Your best bet would probably be to just either recopy everything from server A to server B as server A currently is. Otherwise, just run the `clean-all` script and start from scratch on box B. The whole process is a few scripts. You could even copy just the CA over from server A and give B a unique cert using the same CA. http://openvpn.net/index.php/open-source/documentation/howto.html#pki – Michael May 24 '11 at 06:51
  • Thanks, I think I'll wipe everything and start clean again. Thanks for the help! – tw79 May 25 '11 at 04:09
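To make the answer's point concrete (revocation is recorded in the CA's index.txt and published in a CRL signed by the CA's key; the certificate file itself never changes), here is an added, self-contained walk-through with the plain openssl command line tool. It is example code written for this page, not part of the original thread or of easy-rsa; the CA layout (index.txt, serial, crlnumber, newcerts/) mirrors what easy-rsa sets up, but the config section names, CA names and directory paths are constructed for the demo. It also goes one step beyond the thread: it builds a second, independent CA and shows that a CRL from that CA says nothing about a certificate issued by the first one, which is the situation the asker was in with two different CAs.

```shell
#!/bin/sh
# Added example (not from the original thread): an index.txt-driven OpenSSL CA,
# showing that revocation lives in the CA database and the CRL, not in the
# certificate file. Requires the openssl command line tool.
set -eu

# Write a minimal "openssl ca" configuration into DIR. Section names and the
# layout are constructed for this example (easy-rsa uses the same files).
write_ca_config() {
  dir=$1
  cat > "$dir/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca

[ demo_ca ]
dir              = $dir
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/ca.crt
private_key      = \$dir/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = demo_policy
x509_extensions  = client_ext

[ demo_policy ]
commonName = supplied

[ client_ext ]
basicConstraints = CA:FALSE

[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash

[ req ]
distinguished_name = req_dn

[ req_dn ]
EOF
}

# Create a fresh CA in DIR with an empty database (index.txt) and serial 01.
make_ca() {
  dir=$1; cn=$2
  mkdir -p "$dir/newcerts"
  : > "$dir/index.txt"
  echo 01 > "$dir/serial"
  echo 01 > "$dir/crlnumber"
  write_ca_config "$dir"
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 \
    -config "$dir/ca.cnf" -extensions ca_ext -subj "/CN=$cn" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
}

# Issue a client certificate NAME from the CA in DIR; "openssl ca" appends a
# "V" (valid) line for it to index.txt.
issue_cert() {
  dir=$1; name=$2
  openssl req -new -newkey rsa:2048 -nodes -config "$dir/ca.cnf" \
    -subj "/CN=$name" -keyout "$dir/$name.key" -out "$dir/$name.csr" >/dev/null 2>&1
  openssl ca -batch -notext -config "$dir/ca.cnf" \
    -in "$dir/$name.csr" -out "$dir/$name.crt" >/dev/null 2>&1
}

# Revocation only flips the index.txt line for that serial from "V" to "R".
revoke_cert() { openssl ca -config "$1/ca.cnf" -revoke "$2" >/dev/null 2>&1; }

# The CRL is generated from index.txt and signed with the CA key.
gen_crl() { openssl ca -config "$1/ca.cnf" -gencrl -out "$1/crl.pem" >/dev/null 2>&1; }

# Check CERT the way a CRL-aware verifier does: trust the CA in DIR, regenerate
# its CRL, and require a CRL check. Prints OK, REVOKED or UNTRUSTED.
cert_status() {
  dir=$1; cert=$2
  gen_crl "$dir"
  out=$(openssl verify -CAfile "$dir/ca.crt" -crl_check -CRLfile "$dir/crl.pem" "$cert" 2>&1) || true
  case $out in
    *"certificate revoked"*) echo REVOKED ;;
    *": OK"*)                echo OK ;;
    *)                       echo UNTRUSTED ;;
  esac
}

cert_fingerprint() { openssl x509 -noout -fingerprint -sha256 -in "$1"; }

demo_main() {
  work=$(mktemp -d)
  make_ca "$work/a" demo-ca-a      # "server A", the issuing CA
  make_ca "$work/b" demo-ca-b      # "server B", an unrelated CA
  issue_cert "$work/a" client
  before=$(cert_fingerprint "$work/a/client.crt")
  echo "fresh cert, checked against CA A:     $(cert_status "$work/a" "$work/a/client.crt")"
  revoke_cert "$work/a" "$work/a/client.crt"
  echo "after revocation, checked against A:  $(cert_status "$work/a" "$work/a/client.crt")"
  echo "same cert, checked against CA B:      $(cert_status "$work/b" "$work/a/client.crt")"
  after=$(cert_fingerprint "$work/a/client.crt")
  [ "$before" = "$after" ] && echo "certificate file unchanged by revocation"
  echo "CA A database (index.txt) after revocation:"
  cat "$work/a/index.txt"
  rm -rf "$work"
}
demo_main
```

Two things the run makes visible. First, revoking the cert changes only the "V" to an "R" in A's index.txt and the contents of the next CRL; the fingerprint of client.crt is identical before and after, so copying a "revoked cert" to another host carries no revocation information. Second, the CRL is signed by the CA key that issued the certificate: against CA B the same certificate is simply untrusted, never "revoked", so a CRL entry copied into B's index.txt can only take effect if B's ca.key is the key that signed the cert in the first place. Beyond what the thread says, note that OpenVPN consults a CRL only when the server configuration names one with the crl-verify directive; without it, a revoked client still connects, which is consistent with the last comments above.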