Revoking a client key for Openvpn server

jason_a69
DD-WRT Novice


Joined: 02 Aug 2017
Posts: 9

PostPosted: Wed Aug 02, 2017 10:22    Post subject: Revoking a client key for Openvpn server
I am here to offer advice, as I have spent a day trying to get this going, so I thought I would post a solution.

Assumptions
OS - Linux
easy-rsa version : 2.2.2-2

Let's assume you have set up and correctly configured an openvpn server in DD-WRT and it works, but you have created 1 or more keys that you want to revoke. There is a script called revoke-full <client> in your easy-rsa directory that is meant to do such a thing; well, I could not get it going, so I did this.

Go to your easy-rsa directory you created with the make-cadir command.

Code:
cd easy-rsa


Set up the required environment.

Code:
sudo su

Code:
. ./vars


Now you need to edit openssl-1.0.0.cnf and comment out line 145 so it looks like this:
Code:
#commonName_default = $ENV::KEY_CN

Now go to your keys directory and use more to check your index.txt file (don't hose this file up; take a copy if you are not sure).

Code:
cd keys

Code:
more index.txt


You need to match the client you want to revoke with the client entry in this file. The clients have an entry "CN=<client you want to revoke>"; work back from that column to its 2-digit number, for example 02, 03, etc. Now you need to revoke that number, which will change the index.txt file and put a status of "R" in the first column as well as a revoke date.

Run this command, where 02 is your number:
Code:
openssl ca -revoke 02.pem -config "$KEY_CONFIG"


Now we need to generate a crl.pem file that we tell Openvpn about, so that if that client is used again, it will be refused, so run this command:
Code:
openssl ca -gencrl -out crl.pem -config "$KEY_CONFIG"

You now need to copy the contents of crl.pem into the "Certificate revoke list" box for the openvpn server setup.
This line also needs to exist in the additional config box on the same page:
Code:
crl-verify /tmp/openvpn/ca.crl

Don't forget to reboot your router if you make changes.

After you have done your changes in the easy-rsa directory, don't forget to restore openssl-1.0.0.cnf to its former glory so that line 145 looks like this:
Code:
commonName_default = $ENV::KEY_CN

Before you make changes to your router, you can check your crl.pem file:
Code:
cd ..

Code:
./list-crl


After you have rebooted your router, don't forget to test to make sure your keys do or do not work.

I hope this helps someone.

Jason
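The steps above (find the serial for a CN in index.txt, revoke it, regenerate crl.pem, inspect the CRL) as one added shell script; this is not from the post or from easy-rsa. It assumes `. ./vars` has already exported KEY_DIR and KEY_CONFIG as easy-rsa 2 does, and the helper names serial_for_cn and revoke_client are my own.

```shell
#!/bin/sh
# Added example: revoke an easy-rsa 2 client certificate by its CN.
# Assumes ". ./vars" has been sourced, so KEY_DIR (the keys directory)
# and KEY_CONFIG (openssl-1.0.0.cnf) are set.

# serial_for_cn INDEX_FILE CN
# index.txt is tab-separated: status, expiry, revocation date, serial,
# filename, subject DN. Only a "V" (valid) entry whose DN has exactly
# CN=<CN> is returned, so an already revoked ("R") entry yields nothing.
serial_for_cn() {
    awk -F'\t' -v cn="$2" '
        $1 == "V" {
            n = split($6, parts, "/")
            for (i = 1; i <= n; i++)
                if (parts[i] == "CN=" cn) { print $4; exit }
        }' "$1"
}

# revoke_client CN
# Revokes the certificate, regenerates crl.pem and prints the CRL so the
# revoked serials can be checked before pasting it into the DD-WRT UI.
revoke_client() {
    cn="$1"
    serial="$(serial_for_cn "$KEY_DIR/index.txt" "$cn")"
    if [ -z "$serial" ]; then
        echo "no valid certificate found for CN=$cn" >&2
        return 1
    fi
    # Assumption: with KEY_CN exported (even empty), openssl resolves
    # $ENV::KEY_CN in the config, so the post's edit to line 145 is not
    # needed. Set it only if vars did not.
    : "${KEY_CN=}"
    export KEY_CN
    openssl ca -revoke "$KEY_DIR/$serial.pem" -config "$KEY_CONFIG" || return 1
    openssl ca -gencrl -out "$KEY_DIR/crl.pem" -config "$KEY_CONFIG" || return 1
    # Same check as ./list-crl: show the serials now in the CRL.
    openssl crl -in "$KEY_DIR/crl.pem" -noout -text
}
```

Run it from the easy-rsa directory as `. ./vars; revoke_client client1`, then paste the new crl.pem into the "Certificate revoke list" box as the post describes.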
Xeon2k8
DD-WRT Guru


Joined: 11 Feb 2016
Posts: 1288

PostPosted: Sat Aug 12, 2017 20:48    Post subject:
I have created 2 certificates just to test if this command was working, and it is, correctly. Using revoke-full <common-name> creates the crl.pem file; just pasting that into the UI without any additional flag in the config works like a charm. If you need to revoke an extra certificate, just run the command again and re-paste the content of the crl.pem file into the UI. Take into account, as you may have noticed, that this is cumulative, meaning that old revoked certificates are still in the file.
_________________
R6400v2 (boardID:30) - Kong 36480 running since 03/09/18 - (AP - DNSMasq - AdBlocking - QoS)
R7800 - BS 31924 running since 05/26/17 - (AP - OpenVPN Client - DNSMasq - AdBlocking - QoS)
R7000 - BS 30771 running since 12/16/16 - (AP - NAS - FTP - SMB - OpenVPN Server - Transmission - DDNS - DNSMasq - AdBlocking - QoS)
R6250 - BS 29193 running since 03/20/16 - (AP - NAS - FTP - SMB - DNSMasq - AdBlocking)