Hi,
If anyone can help me understand how this works: I have some understanding but it's kinda scattered. I need to know if I'm on the right track, and if you could also give me a solution I would be grateful.
1) I created a key as follows, while I was in the /etc/ssl directory of the server:
I input: openssl req -config openssl.cnf -new -nodes -keyout random.com/private/cert@random.com.key -out cert@random.com.csr -days 365 (I could make it valid for more time, but it's better this way)
2) Next I signed the certificate using the following command: openssl ca -config openssl.cnf -policy policy_anything -out random.com/certs/cert@random.com.crt -infiles cert@random.com.csr
In response it asked me for the password (Enter pass phrase for ./random.com/private/root@random.com.key:), which I typed, and it asked me and finished signing my key.
3) After this I can delete the csr, as it's just the file that is used to sign the certificate to create the crt file, which is the initial signed certificate.
I also checked to see if it generated a line in the index.txt, and saw that it generated a line for my certificate, which is good:
V 242202030224Z B3D77C0422463K39 unknown /C=Country/ST=State/L=City/O=Random Company Ltd/OU=random.com/CN=CN/emailAddress=user@example.com
and B3D77C0422463K39.pem was created as well in newcerts.
After creating the key, I copied the cert@random.com.key from the private folder and set it for my openvpn, which worked.
The problem is that I wish to cancel this to check the security, that it will not grant me access after deleting the certificate.
I read in forums, and also while searching for solutions I stumbled upon information that I have to both revoke the certificate of the client that I wish to remove, and also crl-verify.
I revoked the certificate using: "openssl ca -config openssl.cnf -revoke random.com/certs/cert\@random.com.crt" (I was in the directory /etc/ssl/)
So it revoked it, also showing B3D77C0422463K39.
I assume crl-verify is actually happening every time the server negotiates with clients, as in the openvpn server config there is a line in the openvpn.conf of the server: crl-verify /etc/ssl/random.com.crl
The problem is that the actual certificates of clients are not on this server but on a different server, as this openssl is configured with 2 certificate levels.
I can still vpn into the server despite revoking the certificate.
I tried an alternative revoking: "openssl ca -revoke /etc/ssl/random.com/newcerts/B3D77C0422463K39.pem", which gave:
Using configuration from /etc/ssl/openssl.cnf
Enter pass phrase for ./random.com/private/root@random.com.key:
ERROR:Already revoked, serial number B3D77C0422463K39.
Which shows that it is already revoked, but I can still VPN.
If the case is that I have to crl-verify, how do I do this?
Another possibility is that, because I may be using my private key (cert@random.com.key), revoking and CRL verification will not work on private keys?
This is the server openvpn.conf:
mode server
tls-server
port 1194
proto udp
dev tap0
ca /etc/ssl/root@random.com.crt
cert /etc/ssl/mat.random.com.crt
key /etc/ssl/private/mat.random.com.key
crl-verify /etc/ssl/random.com.crl
dh /etc/openvpn/dh2048.pem
comp-lzo
keepalive 10 120
persist-key
persist-tun
log-append /var/log/openvpn.log
The openvpn config file is set on a different server, which also has its own keys.
Please help me because I wish to understand this well before I distribute certificates to clients to vpn into my server.
Another question is about -x509: what exactly does it do, and did I have to use this? I read some stuff that it actually contains a public key in the private key.
Did I have to use -x509, or what's the best use you can suggest for me on doing this?
cheers,
Uri
Statistics: Posted by uri.steinberger — Thu Feb 27, 2025 2:09 am
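The revocation flow the post is missing, as an added example that is not part of the original post or of OpenSSL/OpenVPN's own material: a throwaway CA in a temporary directory (all names such as DemoRootCA, client1 and ca.cnf are made up) issues a certificate, revokes it, and shows that a check against the CA plus CRL, which is what crl-verify does, only fails once the CRL has been regenerated with openssl ca -gencrl. It assumes the openssl command-line tool is installed.

```shell
# Added example (not from the post): throwaway CA in a temp dir, all names made up.
# Shows that after "openssl ca -revoke" the CRL must be regenerated with -gencrl.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"
mkdir newcerts private; : > index.txt; echo 1000 > serial; echo 1000 > crlnumber
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/ca.crt
private_key = $dir/private/ca.key
serial = $dir/serial
crlnumber = $dir/crlnumber
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_anything
x509_extensions = v3_leaf
[ policy_anything ]
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ v3_leaf ]
basicConstraints = CA:FALSE
EOF
Q="-config ca.cnf -batch"
# Root CA: -x509 makes "openssl req" emit a self-signed certificate instead of a CSR.
openssl req $Q -new -x509 -nodes -days 3650 -subj /CN=DemoRootCA -keyout private/ca.key -out ca.crt 2>/dev/null
# Client key + CSR, then the CA signs the CSR (the post's steps 1 and 2).
openssl req $Q -new -nodes -subj /CN=client1 -keyout client1.key -out client1.csr 2>/dev/null
openssl ca $Q -in client1.csr -out client1.crt 2>/dev/null
# Check the client cert against CA + CRL, as crl-verify does: prints "ok" or "revoked".
crl_status() { if openssl verify -crl_check -CAfile ca.crt -CRLfile "$1" client1.crt >/dev/null 2>&1; then echo ok; else echo revoked; fi; }
# Status letter of the cert's index.txt entry: V = valid, R = revoked.
index_status() { cut -c1 index.txt; }
openssl ca $Q -gencrl -out crl.pem 2>/dev/null
BEFORE=$(crl_status crl.pem)                    # ok: the CRL lists nothing
openssl ca $Q -revoke client1.crt 2>/dev/null   # the post stopped here
STALE=$(crl_status crl.pem)                     # still ok: the old CRL does not list the serial
openssl ca $Q -gencrl -out crl.pem 2>/dev/null  # the missing step
AFTER=$(crl_status crl.pem)                     # revoked
echo "index=$(index_status) before=$BEFORE stale=$STALE after=$AFTER"
```

In the post's setup the regenerated CRL is the file that has to land at /etc/ssl/random.com.crl on the OpenVPN server; the index.txt entry flipping to R on the CA machine alone changes nothing the server can see.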