
I have configured my OpenVPN and it has been working properly so far. Lately I had to revoke one certificate, and after using easy-rsa revoke-full I saw in index.txt that this specific user had been revoked. I also noticed that crl.pem had a new timestamp, so it was indeed updated. The problem started after 1 month, when all users were blocked, as I had added a crl-verify line with the path to crl.pem in server.conf:

#CRL-VERIFY - for revoking users
crl-verify /etc/openvpn/easy-rsa/keys/crl.pem

So my question is: if I used the easy-rsa 2.x script revoke-full and I can see that the index has marked this specific certificate as revoked, and I also found that the timestamp of /keys/crl.pem is the current timestamp, and I restarted the openvpn service (for good measure), how come everyone is still getting blocked?

Sure, I can remove crl-verify, but that is not the point.

Certificate Revocation List (CRL):
        Version 1 (0x0)
    Signature Algorithm: XXXXXXXXXXXXXXXX
        Issuer: /C=DE/ST=xxxxxx/L=xxxxxx/O=xxxxxxxxxx/OU=xxxxxxxxxx/CN=xxxxxxxxxx/emailAddress=lol@xxxxxxxxxx
        Last Update: May  1 07:10:34 2019 GMT
        Next Update: May 31 07:10:34 2019 GMT
Revoked Certificates:
    Serial Number: 0B
        Revocation Date: Mar 29 19:37:51 2019 GMT

I can see that the next update is scheduled for 31 May, so I would like to know the step-by-step procedure for revoking a certificate; perhaps I missed something.

dovla110010101

1 Answer


The problem started after 1 month that all users were blocked

I ran into this same problem. I found that OpenVPN + easy-rsa, by default, only generates a CRL valid for 30 days, and when that CRL expires OpenVPN will not allow any connections.

Since I don't revoke certificates that often, I simply (1) created a script to regenerate the CRL and (2) changed the CRL expiration time to 6 months.

Here's my regen-crl script, which is run from /etc/openvpn/easy-rsa; notice the option -crldays 180:

#!/bin/sh
# regen-crl: regenerate the CRL without revoking anything.
# Run from /etc/openvpn/easy-rsa after "source ./vars", which sets
# KEY_DIR, KEY_CONFIG and OPENSSL.
CRL="crl.pem"
if [ "$KEY_DIR" ]; then
    cd "$KEY_DIR" || exit 1
    # remove the stale CRL before regenerating it
    rm -f "$CRL"

    # set defaults
    export KEY_CN=""
    export KEY_OU=""
    export KEY_NAME=""

    # required due to hack in openssl.cnf that supports Subject Alternative Names
    export KEY_ALTNAMES=""

    # generate a new CRL valid for 180 days -- try to be compatible with
    # intermediate PKIs
    "$OPENSSL" ca -crldays 180 -gencrl -out "$CRL" -config "$KEY_CONFIG" || exit 1
    # print the new CRL so the Next Update date can be checked
    "$OPENSSL" crl -text -in "$CRL"
else
    echo 'Please source the vars script first (i.e. "source ./vars")'
    echo 'Make sure you have edited it to reflect your configuration.'
    exit 1
fi

I also had to modify /etc/openvpn/easy-rsa/openssl.cnf to match by changing this line in the [CA_default] section:

default_crl_days= 180                   # how long before next CRL
simpleuser
  • Is 180 days too much or can I use a higher value with no risks? I'm not clear with the implications. – Kar.ma Apr 07 '20 at 08:07
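The outage described in the question and the answer is a CRL whose Next Update date has passed, so the practical check is to watch that date rather than the file's timestamp. The following is an added example, not code from the original post or from easy-rsa/OpenVPN: it parses the text form of a CRL (the format shown in the question, as printed by `openssl crl -text -noout -in crl.pem`), reports how many days remain before Next Update, and exits non-zero when the CRL is expired or within a warning window, so it can run from cron before `crl-verify` starts rejecting every client. The sample CRL text is constructed from the question's output with the identifying fields replaced; the default path, the 7-day warning threshold and the assumption that `openssl` is on PATH are mine.

```python
"""Check whether an easy-rsa CRL is expired or about to expire.

Added example (not part of the original post or of easy-rsa/OpenVPN).
Parses `openssl crl -text -noout` output and classifies the CRL as
'ok', 'warning' or 'expired' relative to a given point in time.
"""
import re
import subprocess
import sys
from datetime import datetime, timedelta, timezone

# Constructed sample, shaped like the CRL shown in the question
# (dates kept, identifying fields replaced with placeholders).
SAMPLE_CRL_TEXT = """\
Certificate Revocation List (CRL):
        Version 1 (0x0)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: /C=DE/ST=xx/L=xx/O=xx/OU=xx/CN=example-ca
        Last Update: May  1 07:10:34 2019 GMT
        Next Update: May 31 07:10:34 2019 GMT
Revoked Certificates:
    Serial Number: 0B
        Revocation Date: Mar 29 19:37:51 2019 GMT
"""

# Date layout used by openssl's text dump, e.g. "May  1 07:10:34 2019 GMT"
# (strptime treats a space in the format as any run of whitespace).
_DATE_FMT = "%b %d %H:%M:%S %Y GMT"


def utc(year, month, day, hour=0, minute=0, second=0):
    """Build an aware UTC datetime (helper for callers and tests)."""
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def parse_crl_dates(text):
    """Return (last_update, next_update) as aware UTC datetimes."""
    dates = {}
    for key in ("Last Update", "Next Update"):
        m = re.search(rf"^\s*{key}:\s*(\S.*?)\s*$", text, re.M)
        if not m:
            raise ValueError(f"no '{key}' line in CRL text")
        dates[key] = datetime.strptime(m.group(1), _DATE_FMT).replace(tzinfo=timezone.utc)
    return dates["Last Update"], dates["Next Update"]


def revoked_serials(text):
    """Serial numbers listed under 'Revoked Certificates:' (hex, as printed)."""
    return re.findall(r"^\s*Serial Number:\s*([0-9A-Fa-f]+)\s*$", text, re.M)


def crl_status(text, now, warn_days=7):
    """Classify the CRL relative to `now` (aware UTC datetime).

    Returns (state, days_left). Once Next Update is in the past, OpenVPN's
    crl-verify rejects every client, which is the outage in the question,
    so that case is reported as 'expired'.
    """
    _, next_update = parse_crl_dates(text)
    remaining = next_update - now
    days_left = remaining.total_seconds() / 86400.0
    if remaining <= timedelta(0):
        return "expired", days_left
    if remaining <= timedelta(days=warn_days):
        return "warning", days_left
    return "ok", days_left


def read_crl_text(path):
    """Dump a PEM CRL as text via openssl (assumed to be on PATH)."""
    out = subprocess.run(
        ["openssl", "crl", "-text", "-noout", "-in", path],
        check=True, capture_output=True, text=True,
    )
    return out.stdout


if __name__ == "__main__":
    # Usage: check_crl.py [/path/to/crl.pem] [warn_days]
    # Exit code: 0 ok, 1 warning, 2 expired (convenient for cron/monitoring).
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/openvpn/easy-rsa/keys/crl.pem"
    warn = int(sys.argv[2]) if len(sys.argv) > 2 else 7
    state, days = crl_status(read_crl_text(path), datetime.now(timezone.utc), warn)
    print(f"{path}: {state} ({days:.1f} days until Next Update, "
          f"{len(revoked_serials(read_crl_text(path)))} revoked)")
    sys.exit({"ok": 0, "warning": 1, "expired": 2}[state])
```

Pair the check with the regeneration script above: a cron entry that runs this daily and alerts on exit code 1 gives enough lead time to rerun regen-crl (or to raise `default_crl_days` / `-crldays`) before the 30-day default expires. Note that regenerating the CRL only helps if the new file lands at the path named in `crl-verify`.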