OpenVPN revoke user - CRL verify issues
I have configured my OpenVPN and it is working properly so far. Lately I had to revoke one certificate, and after using easy-rsa revoke-full, I saw in index.txt that that specific user has been revoked. I also noticed that crl.pem has a new timestamp, so it was indeed updated.

The problem started after 1 month, when all users were blocked, as I had added a line to server.conf for verify-crl with the path to crl.pem:

    #CRL-VERIFY - for revoking users
    crl-verify /etc/openvpn/easy-rsa/keys/crl.pem

So my question is: if I used the easy-rsa 2.x script revoke-full and I can see that the index has marked this specific certificate as revoked, if I also found that the timestamp of /keys/crl.pem is the current timestamp, and after I restarted the openvpn service (for good measure), how come it is still getting blocked?

Sure, I can remove verify-crl, but that is not the point.

    Certificate Revocation List (CRL):
        Version 1 (0x0)
        Signature Algorithm: XXXXXXXXXXXXXXXX
        Issuer: /C=DE/ST=xxxxxx/L=xxxxxx/O=xxxxxxxxxx/OU=xxxxxxxxxx/CN=xxxxxxxxxx/emailAddress=lol@xxxxxxxxxx
        Last Update: May 1 07:10:34 2019 GMT
        Next Update: May 31 07:10:34 2019 GMT
    Revoked Certificates:
        Serial Number: 0B
            Revocation Date: Mar 29 19:37:51 2019 GMT

I can see that the next update is scheduled for 31 May, so I would like to know the step-by-step procedure for revoking a certificate; perhaps I missed something.
linux openvpn centos7 crl
asked May 3 at 10:36
dovla091
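
A monitoring check for the Last Update / Next Update window in the CRL dump above, as an added example that is not part of the original post. OpenVPN 2.4 and later reject every client once the file named by crl-verify has passed its Next Update, so the CRL has to be regenerated before that date even when nothing new is revoked. The sample text is constructed from the dump in the question; `crl_status` and `warn_days` are names chosen here.

```python
import re
from datetime import datetime, timezone

# Constructed sample mirroring the dump in the question (redacted fields left out).
SAMPLE_CRL_TEXT = """\
Certificate Revocation List (CRL):
        Version 1 (0x0)
        Last Update: May  1 07:10:34 2019 GMT
        Next Update: May 31 07:10:34 2019 GMT
Revoked Certificates:
    Serial Number: 0B
        Revocation Date: Mar 29 19:37:51 2019 GMT
"""


def _parse_ts(value):
    # openssl pads single-digit days with a second space; collapse it first.
    cleaned = " ".join(value.replace("GMT", "").split())
    return datetime.strptime(cleaned, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def crl_status(text, now, warn_days=7):
    """Parse `openssl crl -noout -text` output; report freshness and revoked serials."""
    fields = dict(re.findall(r"^\s*(Last Update|Next Update):\s*(.+?)\s*$", text, re.M))
    if fields.get("Next Update", "NONE") == "NONE":
        raise ValueError("CRL dump has no usable Next Update field")
    next_update = _parse_ts(fields["Next Update"])
    serials = [s.upper() for s in re.findall(r"^\s*Serial Number:\s*([0-9A-Fa-f]+)", text, re.M)]
    days_left = (next_update - now).total_seconds() / 86400
    if days_left < 0:
        state = "EXPIRED"      # clients fail verification until the CRL is regenerated
    elif days_left < warn_days:
        state = "EXPIRING"     # regenerate now, before the window closes
    else:
        state = "OK"
    return {"state": state, "days_left": days_left, "next_update": next_update, "revoked": serials}


if __name__ == "__main__":
    # Real use: feed in the output of
    #   openssl crl -in /etc/openvpn/easy-rsa/keys/crl.pem -noout -text
    for label, now in [("when asked", datetime(2019, 5, 3, 10, 36, tzinfo=timezone.utc)),
                       ("a month later", datetime(2019, 6, 3, tzinfo=timezone.utc))]:
        print(label, crl_status(SAMPLE_CRL_TEXT, now))
```

Run from cron with the real dump, alerting on anything other than `OK`, so the CRL is re-issued before the window closes.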