Checking expired/revoked certificates
The goal of this recipe is to give some insight into the internals of the OpenSSL CA commands. We will show how a certificate's status changes from "Valid" to "Revoked" or "Expired".
Getting ready
Set up the client and server certificates using the first recipe from Chapter 2. This recipe was performed on a computer running CentOS 5 Linux, but it can easily be run on Windows or Mac OS.
How to do it...
Before we can use plain openssl commands, there are a few environment variables that need to be set. These variables are not set in the vars file by default:
    $ cd /etc/openvpn/cookbook
    $ . ./vars
    $ export KEY_CN=dummy
    $ export KEY_OU=dummy
    $ export KEY_NAME=dummy
    $ export OPENSSL_CONF=/etc/openvpn/cookbook/openssl.cnf
Now, we can query the status of a certificate using its serial number:
    $ cd keys
    $ openssl x509 -serial -noout -in openvpnserver.crt
    serial=01
    $ openssl ca -status 01
    Using configuration from /etc/openvpn/cookbook/openssl.cnf
    01=Valid
    ...
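
The status printed by openssl ca -status comes from the CA database file named by the database setting in openssl.cnf, so the same lookup can be done read-only against that file. The following is an added example, not code from the recipe or from OpenSSL; it assumes an easy-rsa style keys/index.txt, and the function names, the output labels and the sample entries (apart from the openvpnserver name) are constructed for illustration. It also flags entries that are still marked V although their expiry date has passed, which is what the index contains until openssl ca -updatedb is run.

```shell
#!/bin/sh
# Added example: read-only status lookup in an OpenSSL CA database (index.txt).
# Tab-separated fields: flag (V/R/E), expiry, revocation date[,reason],
# serial (hex), file name, subject DN.

# cert_status INDEX_FILE SERIAL [NOW_UTC as YYYYMMDDHHMMSS]
cert_status() {
    awk -F '\t' -v want="$2" -v now="${3:-$(date -u +%Y%m%d%H%M%S)}" '
    function norm(t) {          # UTCTime YYMMDDHHMMSSZ -> YYYYMMDDHHMMSS
        sub(/Z$/, "", t)
        if (length(t) == 12) t = ((substr(t, 1, 2) + 0 < 50) ? "20" : "19") t
        return t
    }
    toupper($4) == toupper(want) {
        found = 1
        if ($1 == "R")      print "Revoked"
        else if ($1 == "E") print "Expired"
        else if ($1 == "V" && norm($2) < now) print "PastExpiry"  # still V in the index
        else if ($1 == "V") print "Valid"
        else                print "Unknown"
        exit
    }
    END { if (!found) print "NotFound" }
    ' "$1"
}

# Constructed sample database (not from a real CA), one line per certificate.
sample_index() {
    printf 'V\t330101000000Z\t\t01\tunknown\t/CN=openvpnserver\n'
    printf 'R\t330101000000Z\t240301120000Z,keyCompromise\t02\tunknown\t/CN=client1\n'
    printf 'V\t200101000000Z\t\t03\tunknown\t/CN=client2\n'
    printf 'E\t190101000000Z\t\t04\tunknown\t/CN=client3\n'
}

# Demo: evaluate every sample serial against a fixed "now" of 2025-01-01 UTC.
idx=$(mktemp) && sample_index > "$idx"
for s in 01 02 03 04 05; do
    printf '%s=%s\n' "$s" "$(cert_status "$idx" "$s" 20250101000000)"
done
rm -f "$idx"
```

A PastExpiry result means the certificate itself is no longer within its validity period even though the index still lists it as V.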