Revoking certificates
A common task when managing a PKI is to revoke certificates that are no longer needed or that have been compromised. This recipe demonstrates how certificates can be revoked using the easy-rsa
script and how OpenVPN can be configured to make use of a Certificate Revocation List (CRL).
Getting ready
Set up the client and server certificates using the first recipe from Chapter 2. This recipe was performed on a computer running CentOS 5 Linux, but it can easily be run on Windows or Mac OS.
How to do it...
First, we generate a certificate:
$ cd /etc/openvpn/cookbook
$ . ./vars
$ ./build-key client4
[…]
Then, we immediately revoke it:
$ ./revoke-full client4
Using configuration from /etc/openvpn/cookbook/openssl.cnf
Revoking Certificate 08.
Data Base Updated
Using configuration from /etc/openvpn/cookbook/openssl.cnf
client4.crt: /C=NL/O=Cookbook/CN=client4/emailAddress=[...]
error 23 at 0 depth lookup:certificate revoked
This also updates the CRL, and the "certificate revoked" lookup error at the end is the script checking the freshly revoked certificate against it. The CRL can be viewed...
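To see the revoke, CRL-update and verify steps in isolation, here is an added example that is not part of the cookbook and does not use its easy-rsa scripts: a POSIX shell script that builds a throwaway CA with plain openssl commands in a temporary directory, issues two client certificates, revokes one, regenerates the CRL and then checks both certificates against it. The directory layout, the minimal openssl.cnf, the CA name and the client names are all constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the cookbook): reproduce the revoke -> CRL -> verify
# flow with plain openssl commands in a throwaway directory. The CA layout and
# openssl.cnf below are constructed for the demo, not easy-rsa's.
set -eu

WORK=$(mktemp -d)
CA="$WORK/ca"
trap 'rm -rf "$WORK"' EXIT

# Minimal CA database that "openssl ca" expects (the same files easy-rsa keeps).
mkdir -p "$CA/newcerts"
: > "$CA/index.txt"          # certificate database: issued/revoked status
echo 01 > "$CA/serial"       # next serial number to issue
echo 01 > "$CA/crlnumber"    # next CRL number

cat > "$WORK/openssl.cnf" <<EOF
[ ca ]
default_ca       = CA_default

[ CA_default ]
dir              = $CA
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
certificate      = \$dir/ca.crt
private_key      = \$dir/ca.key
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = policy_any

[ policy_any ]
commonName       = supplied

[ req ]
distinguished_name = req_dn

[ req_dn ]
EOF

# Self-signed CA key and certificate (constructed demo CA).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -config "$WORK/openssl.cnf" -subj "/CN=Cookbook Demo CA" \
    -keyout "$CA/ca.key" -out "$CA/ca.crt" >/dev/null 2>&1
}

# Issue a client certificate named $1 (the step easy-rsa's build-key performs).
issue_client() {
  openssl req -newkey rsa:2048 -nodes -config "$WORK/openssl.cnf" \
    -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
  openssl ca -batch -notext -config "$WORK/openssl.cnf" \
    -in "$WORK/$1.csr" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Revoke client $1 and regenerate the CRL (the step revoke-full performs).
revoke_client() {
  openssl ca -batch -config "$WORK/openssl.cnf" -revoke "$WORK/$1.crt" >/dev/null 2>&1
  openssl ca -batch -config "$WORK/openssl.cnf" -gencrl -out "$WORK/crl.pem" >/dev/null 2>&1
}

# Verify certificate file $1 against the CA and the CRL; prints VALID or
# REVOKED_OR_INVALID. A revoked certificate yields "error 23 ... certificate
# revoked" from openssl, the same lookup error shown in the recipe output.
check_cert() {
  if openssl verify -crl_check -CAfile "$CA/ca.crt" -CRLfile "$WORK/crl.pem" \
       "$1" >/dev/null 2>&1; then
    echo VALID
  else
    echo REVOKED_OR_INVALID
  fi
}

# List the serial numbers currently on the CRL.
crl_serials() {
  openssl crl -in "$WORK/crl.pem" -noout -text | sed -n 's/^ *Serial Number: //p'
}

make_ca
issue_client client4     # receives serial 01
issue_client client5     # receives serial 02
revoke_client client4

echo "client4: $(check_cert "$WORK/client4.crt")"   # REVOKED_OR_INVALID
echo "client5: $(check_cert "$WORK/client5.crt")"   # VALID
echo "serials on CRL: $(crl_serials)"               # 01
```

The point of issuing a second certificate is to show that the CRL blocks only the revoked serial: client5, signed by the same CA, still verifies. The generated crl.pem is the file an OpenVPN server's crl-verify directive is pointed at, so this check is the one the server performs on every connecting client once the CRL is in place.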