This shows you the differences between two versions of the page.
content:en_us:7_ug_openvpn [2020/03/25 08:16] 84.9.57.48 |
content:en_us:7_ug_openvpn [2020/03/25 09:03] 84.9.57.48 |
||
---|---|---|---|
Line 127: | Line 127: | ||
===== Revoking Certificates ===== | ===== Revoking Certificates ===== | ||
Currently this is a manual process. Start by initialising the file /etc/pki/CA/crlnumber:<code>echo 1000 > /etc/pki/CA/crlnumber</code> | Currently this is a manual process. Start by initialising the file /etc/pki/CA/crlnumber:<code>echo 1000 > /etc/pki/CA/crlnumber</code> | ||
- | Create a file in /etc/cron.monthly. I used /etc/cron.monthly/openssl_crl. In it put:<code>openssl ca -gencrl -crldays 45 -config /usr/clearos/apps/certificate_manager/deploy/openssl.cnf \ | + | Create a file in /etc/cron.monthly. I used /etc/cron.monthly/openssl_crl. In it put:<code>openssl ca -gencrl -crldays 45 -config /usr/clearos/apps/certificate_manager/deploy/openssl.cnf -out /etc/pki/CA/crl/crl.pem > /dev/null 2>&1</code>And make the file executable:<code>chmod 0744 /etc/cron.monthly/openssl_crl</code>Then execute the file:<code>/etc/cron.monthly/openssl_crl</code>You should now find you have a file /etc/pki/CA/crl/crl.pem. |
- | -out /etc/pki/CA/crl/crl.pem \ | + | |
- | -keyfile /etc/pki/CA/private/ca-key.pem \ | + | |
- | -cert /etc/pki/CA/ca-cert.pem > /dev/null 2>&1</code>And make the file executable:<code>chmod 0744 /etc/cron.monthly/openssl_crl</code>Then execute the file:<code>/etc/cron.monthly/openssl_crl</code>You should now find you have a file /etc/pki/CA/crl/crl.pem. | + | |
To revoke a certificate, find the file name in /etc/pki/CA. It should be in the form client-{username}-cert.pem and revoke it and regenerate the crl.pem with:<code>openssl ca -config /usr/clearos/apps/certificate_manager/deploy/openssl.cnf -revoke /etc/pki/CA/client-{username}-cert.pem | To revoke a certificate, find the file name in /etc/pki/CA. It should be in the form client-{username}-cert.pem and revoke it and regenerate the crl.pem with:<code>openssl ca -config /usr/clearos/apps/certificate_manager/deploy/openssl.cnf -revoke /etc/pki/CA/client-{username}-cert.pem |
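Review bot: The new single-line cron command drops `-keyfile` and `-cert` but keeps `> /dev/null 2>&1`, so a failed CRL generation would go unnoticed. With those options removed, the command relies entirely on /usr/clearos/apps/certificate_manager/deploy/openssl.cnf to name the CA key and certificate, and the text should say so. If that configuration does not supply them, the monthly job fails silently and the existing crl.pem is not refreshed before the 45 days set by `-crldays 45` run out. Suggest keeping stderr (redirect only stdout, or drop the redirect so cron mails the error) and adding a check after "Then execute the file", for example `openssl crl -in /etc/pki/CA/crl/crl.pem -noout -nextupdate`, so the reader confirms the CRL was actually regenerated rather than only that the file exists.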