Thursday, January 12, 2017

OpenVPN renew expired CA, revoke certificate and other notes

OpenVPN and OpenSSL notes

View contents of a certificate file:

# openssl x509 -noout -text -in certificate-file.crt

Generate a new CA certificate from an expired one by re-signing it with the same key (this is not good practice!!!):

# openssl x509 -in ca.crt -days 4650 -out ca_new.crt -signkey ca.key

Verify a crt file against the CA (the option is `-CAfile`, and options go before the certificate file):

# openssl verify -CAfile ca.crt newserver.crt

Revoking certificate:

# . ./vars
# ./revoke-full name_of_cert_file

The result is in "keys/crl.pem". You need to copy it to /etc/openvpn/

Checking contents of crl.pem file:

# openssl crl -text -noout -in /etc/openvpn/crl.pem

Regenerate an expired CRL file:

# openssl ca  -gencrl -keyfile ca.key -cert ca.crt -out new-crl.pem -config ./openssl.cnf

You also need to set this in openssl.cnf if you want to change the default CRL expiry (1 month):

default_crl_days= 3650         # how long before next CRL
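As an added example (not from the original post), the script below builds a throwaway CA in a temporary directory and runs through the operations above: an expiry check on the CA certificate, verification of a server certificate against the CA, revocation, CRL regeneration and a CRL-checked verification that then fails. The CA name, the server name `demo-vpn-server`, the file layout and the minimal openssl.cnf are all constructed for the demo; `default_crl_days` in that file is the setting mentioned above.

```shell
#!/bin/sh
# Added example, not from the original post: a throwaway CA exercising the
# commands in the notes (inspect, verify against the CA, revoke, regenerate
# the CRL). All names and paths here are constructed for the demo.
set -eu

# Build a minimal CA in $1: key, self-signed cert, one server cert issued via
# 'openssl ca' (so it is tracked in index.txt) and an initial, empty CRL.
make_demo_ca() {
    dir="$1"
    mkdir -p "$dir/certs"
    : > "$dir/index.txt"
    echo 1000 > "$dir/serial"
    echo 1000 > "$dir/crlnumber"
    # Only what 'openssl ca' and 'openssl req' need; default_crl_days is the
    # CRL-lifetime setting the notes mention.
    cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca       = demo_ca
[ demo_ca ]
dir              = $dir
database         = \$dir/index.txt
new_certs_dir    = \$dir/certs
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/ca.crt
private_key      = \$dir/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 3650
policy           = demo_policy
x509_extensions  = v3_server
[ demo_policy ]
commonName       = supplied
[ req ]
distinguished_name = req_dn
x509_extensions  = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    # Self-signed CA certificate, 10 years.
    openssl req -config "$dir/openssl.cnf" -x509 -newkey rsa:2048 -nodes \
        -sha256 -days 3650 -subj "/CN=Demo VPN CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
    # Server CSR, then signed by the CA so it lands in index.txt.
    openssl req -config "$dir/openssl.cnf" -new -newkey rsa:2048 -nodes \
        -sha256 -subj "/CN=demo-vpn-server" \
        -keyout "$dir/server.key" -out "$dir/server.csr" >/dev/null 2>&1
    openssl ca -batch -config "$dir/openssl.cnf" \
        -in "$dir/server.csr" -out "$dir/server.crt" >/dev/null 2>&1
    # Initial CRL, same command as in the notes.
    openssl ca -gencrl -config "$dir/openssl.cnf" -out "$dir/crl.pem" >/dev/null 2>&1
}

# 0 if certificate $1 is still valid $2 days from now, 1 if it will have
# expired by then ('openssl x509 -checkend' takes seconds).
valid_in_days() {
    openssl x509 -noout -in "$1" -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Verify certificate $3 against CA $1 with CRL $2; revoked or untrusted -> 1.
verify_with_crl() {
    openssl verify -CAfile "$1" -CRLfile "$2" -crl_check "$3" >/dev/null 2>&1
}

# Number of revoked entries listed in CRL $1 (0 for an empty CRL).
crl_revoked_count() {
    openssl crl -noout -text -in "$1" | grep -c 'Serial Number:' || true
}

# Revoke certificate $2 in CA dir $1 and rebuild crl.pem (the two steps
# easy-rsa's revoke-full performs underneath).
revoke_and_regen_crl() {
    openssl ca -config "$1/openssl.cnf" -revoke "$2" >/dev/null 2>&1
    openssl ca -gencrl -config "$1/openssl.cnf" -out "$1/crl.pem" >/dev/null 2>&1
}

main() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 0; }
    d=$(mktemp -d)
    make_demo_ca "$d"
    valid_in_days "$d/ca.crt" 30 && echo "CA certificate still valid in 30 days"
    verify_with_crl "$d/ca.crt" "$d/crl.pem" "$d/server.crt" && echo "server.crt: OK"
    revoke_and_regen_crl "$d" "$d/server.crt"
    echo "revoked entries in crl.pem: $(crl_revoked_count "$d/crl.pem")"
    verify_with_crl "$d/ca.crt" "$d/crl.pem" "$d/server.crt" || echo "server.crt: revoked"
    openssl crl -noout -nextupdate -in "$d/crl.pem"   # reflects default_crl_days
    rm -rf "$d"
}
main
```

The `-checkend` call is the check worth scheduling against the real ca.crt and server certificates, so that expiry is noticed long before the re-sign trick above becomes tempting. Note that revocation only takes effect in OpenVPN when the server config points at the regenerated CRL with `crl-verify`; the verification in the script shows what that check does.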