LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 04-20-2014, 03:14 PM   #1
ziphem
Member
 
Registered: Feb 2004
Location: US / EU
Distribution: Fedora 20
Posts: 176

Rep: Reputation: 19
Revoking vs. deleting OpenVPN certificate; & should I also delete the CA cert + key?


I recently revoked my client.crt. I had a heck of a time actually stopping my client machine from connecting to the OpenVPN server, though - it took me hours to finally realize that I could continue to connect because server.conf did not have the appropriate line referencing crl.pem. I'm putting that line below in case others have overlooked this, particularly considering it doesn't seem to be addressed in many of the step-by-step guides that I have seen. Hopefully this helps those, who don't know why they can still connect to their OpenVPN even though they've revoked their certs, to eliminate this as being a possible source of the problem.

So, in /etc/openvpn/server.conf, I inserted the line:

Code:
crl-verify /etc/openvpn/crl.pem

I have two questions. First, now that I have revoked the client.crt, what else should I purge? Should I delete the CA.crt and CA.key (just an rm)?

My second question is why I should revoke the certificate and not simply delete it. What's the benefit? Maybe I don't understand how OpenVPN authenticates or retains the certificates.

Thanks for any feedback or advice!

Last edited by ziphem; 04-21-2014 at 07:37 PM. Reason: Spelling mistakes and a non-sensical phrase or two.
 
Old 04-21-2014, 10:05 AM   #2
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 9,078
Blog Entries: 4

Rep: Reputation: 3170Reputation: 3170Reputation: 3170Reputation: 3170Reputation: 3170Reputation: 3170Reputation: 3170Reputation: 3170Reputation: 3170Reputation: 3170Reputation: 3170
This is excellent information which you should, please, forward to some of those sites that host those tutorials that you speak of. Encourage them to revise their content.

I believe that the idea behind "revoking" a key is that it declares that this particular key should no longer be accepted in a web-of-trust. I'm also not 100% sure how this applies in the case of VPN and therefore I will be actively following the other replies in this thread.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
am_pkcs11 Couldn't verify Cert: Peer's Certificate issuer is not recognized. redhawk1973 Linux - Security 2 11-01-2017 09:30 AM
[error] Certificate not found: 'Server-Cert' (but it is there) MikeyCarter Linux - Software 2 10-25-2012 06:03 PM
Revoking GPG key with only passphrase and public key djib Linux - Security 2 03-13-2007 04:20 AM
Giving write permissions/revoking deleting ability Harlin Linux - Security 2 10-30-2006 08:20 AM
Backspace & delete key issues stefaandk Linux - Newbie 3 07-29-2005 02:10 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 05:03 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration