View contents of a certificate file:
# openssl x509 -noout -text -in certificate-file.crt
Generate new CA file from expired file (This is not a good practice!!!):
# openssl x509 -in ca.crt -days 4650 -out ca_new.crt -signkey ca.key
Verify crt file against CA:
# openssl verify -CAfile ca.crt newserver.crt
Revoking certificate:
# . ./vars
# ./revoke-full name_of_cert_file
Result is in "keys/crl.pem". You need to copy it to /etc/openvpn/
Checking contents of crl.pem file:
# openssl crl -text -noout -in /etc/openvpn/crl.pem
Regenerate expired CRL file:
# openssl ca -gencrl -keyfile ca.key -cert ca.crt -out new-crl.pem -config ./openssl.cnf
You also need to set this in openssl.cnf if you want to change the default CRL expiry (1 month):
default_crl_days= 3650 # how long before next CRL
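A check that can run from cron to catch a CRL before its nextUpdate passes, added here as an example and not part of the original post. It assumes GNU date; the function name crl_status and the 7-day warning default are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes GNU date for "date -d".
# crl_status, warn_days and the 7-day default are illustrative names/values.

# $1: the "nextUpdate=..." line from `openssl crl -noout -nextupdate`
# $2: current time as a Unix epoch   $3: warning threshold in days
# Prints OK/WARN/EXPIRED/UNPARSEABLE; returns 0 only when the CRL is OK.
crl_status() {
    line=$1
    now=$2
    warn_days=${3:-7}

    # Strip the "nextUpdate=" prefix; if nothing was stripped, the input is wrong.
    stamp=${line#nextUpdate=}
    if [ "$stamp" = "$line" ]; then
        echo "UNPARSEABLE"; return 2
    fi
    # A CRL without the field prints "nextUpdate=NONE", which date rejects.
    expiry=$(date -u -d "$stamp" +%s 2>/dev/null) || { echo "UNPARSEABLE"; return 2; }

    left=$(( expiry - now ))
    if [ "$left" -le 0 ]; then
        echo "EXPIRED"; return 1
    elif [ "$left" -le $(( warn_days * 86400 )) ]; then
        echo "WARN $(( left / 86400 ))"; return 1
    fi
    echo "OK $(( left / 86400 ))"
}

# Usage: sh check-crl.sh /etc/openvpn/crl.pem [warn_days]
if [ $# -gt 0 ]; then
    next=$(openssl crl -noout -nextupdate -in "$1") || exit 2
    crl_status "$next" "$(date -u +%s)" "${2:-7}"
fi
```

The exit status is non-zero for WARN, EXPIRED and UNPARSEABLE, so a cron wrapper can alert on it and the CRL can be regenerated before it lapses.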