Revoking certificates

A common task when managing a PKI is to revoke certificates that are no longer needed or that have been compromised. This recipe demonstrates how certificates can be revoked using the easy-rsa script and how OpenVPN can be configured to make use of a Certificate Revocation List (CRL).

Getting ready

Set up the client and server certificates using the first recipe from Chapter 2, Client-server IP-only Networks. This recipe was performed on a computer running CentOS 6 Linux, but it can easily be run on Windows or Mac OS.

How to do it...

  1. First, we generate a certificate:
    $ cd /etc/openvpn/cookbook
    $ . ./vars
    $ ./build-key client4
    [...]
    
  2. Then, we immediately revoke it:
    $ ./revoke-full client4
    Using configuration from /etc/openvpn/cookbook/openssl- ...
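The following is an added example, not code from the book or from easy-rsa: it reproduces with plain openssl the steps that revoke-full chains together (openssl ca -revoke, openssl ca -gencrl, then openssl verify -crl_check), in a scratch directory with a throwaway CA, so you can see the verification flip from OK to "certificate revoked" once the CRL is regenerated. All file names, the CA name and the config layout are assumptions of this example.

```shell
# Added example (not from the book): build a throwaway CA, issue a client cert,
# revoke it, regenerate the CRL and verify with CRL checking, as revoke-full does.
set -eu
setup_ca() {  # $1 = scratch dir; writes a minimal 'openssl ca' config plus CA key and cert
  mkdir -p "$1/newcerts"; : > "$1/index.txt"; echo 1000 > "$1/serial"; echo 1000 > "$1/crlnumber"
  cat > "$1/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $1
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = demo_policy
[ demo_policy ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Demo CA" -days 365 \
    -config "$1/ca.cnf" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}
issue_cert() {  # $1 = dir, $2 = common name; the equivalent of ./build-key <name>
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" -config "$1/ca.cnf" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
  openssl ca -batch -notext -config "$1/ca.cnf" -in "$1/$2.csr" -out "$1/$2.crt" 2>/dev/null
}
revoke_cert() { openssl ca -config "$1/ca.cnf" -revoke "$1/$2.crt" 2>/dev/null; }  # marks it R in index.txt
gen_crl()     { openssl ca -config "$1/ca.cnf" -gencrl -out "$1/crl.pem" 2>/dev/null; }  # CRL must be regenerated
verify_status() {  # prints ok, revoked or error: the final check revoke-full performs with -crl_check
  out=$(openssl verify -crl_check -CAfile "$1/ca.crt" -CRLfile "$1/crl.pem" "$1/$2.crt" 2>&1) && { echo ok; return; }
  printf '%s\n' "$out" | grep -q "certificate revoked" && echo revoked || echo error
}
WORK=$(mktemp -d)
setup_ca "$WORK"; issue_cert "$WORK" client4; gen_crl "$WORK"
echo "client4 with empty CRL: $(verify_status "$WORK" client4)"             # ok
revoke_cert "$WORK" client4; gen_crl "$WORK"
echo "client4 after revoke and new CRL: $(verify_status "$WORK" client4)"   # revoked
```

Note that revoking alone changes nothing for OpenVPN: the server only sees the revocation once the CRL file it points at has been regenerated and replaced.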

Get OpenVPN Cookbook - Second Edition now with the O’Reilly learning platform.