epcim
1/13/2016 - 2:18 PM

openvpn easy-rsa certs (+revoke)

easy-rsa 3.x

https://github.com/OpenVPN/easy-rsa/tree/master/doc

Init:

  wget https://github.com/OpenVPN/easy-rsa/releases/download/3.0.1/EasyRSA-3.0.1.tgz
  tar xzvf EasyRSA-3.0.1.tgz
  cd EasyRSA-3*
  cp vars.example vars; vim vars   # 3.x reads ./vars itself when you run easyrsa
  ./easyrsa init-pki
  ./easyrsa build-ca

Revoke:

  # easy-rsa 3 sources ./vars on its own; do not ". vars" it (vars.example refuses to be sourced directly)
  ./easyrsa revoke NAME
  ./easyrsa gen-crl   # rewrites pki/crl.pem; repeat after every revoke
  
  cp pki/crl.pem /etc/openvpn/crl.pem   # 3.x keeps the CRL under pki/ (EASYRSA_PKI); $KEY_DIR is a 2.0 variable
  vim /etc/openvpn/server.conf #add: crl-verify /etc/openvpn/crl.pem
  /etc/init.d/openvpn reload
  # crl.pem expires after EASYRSA_CRL_DAYS (180 by default); once it has, crl-verify rejects every client,
  # so re-run gen-crl and copy the file again before then

easy-rsa 2.0

http://blog.remibergsma.com/2013/02/27/improving-openvpn-security-by-revoking-unneeded-certificates/

Init: #TODO

  . vars
  ./clean-all   # wipes $KEY_DIR; only on a fresh PKI
  ./build-ca    # or: ./pkitool --initca

Revoke:

  cd /etc/openvpn/easy-rsa/
  wget https://raw.githubusercontent.com/OpenVPN/easy-rsa-old/master/easy-rsa/2.0/revoke-full
  chmod u+x revoke-full
  
  . vars
  ./revoke-full NAME   # ends with "error 23 ... certificate revoked": that is the success check, not a failure
  
  cp $KEY_DIR/crl.pem ..   # revoke-full writes crl.pem into $KEY_DIR; .. is /etc/openvpn here
  vim /etc/openvpn/server.conf #add: crl-verify /etc/openvpn/crl.pem
  /etc/init.d/openvpn reload
  # crl.pem is valid for default_crl_days from the easy-rsa openssl.cnf (30 days as shipped);
  # regenerate and copy it again before then, or crl-verify rejects every client
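Both procedures above (easyrsa revoke + gen-crl, revoke-full) boil down to the same OpenSSL steps, so here is an added example, not from the original note or from easy-rsa, that builds a throwaway CA in a temp dir with plain openssl, issues a client cert, revokes it, regenerates the CRL and runs the same check crl-verify performs. All names (demo-ca, client1, the ca.cnf contents) are constructed for the demo.

```shell
# Throwaway CA with plain openssl (no easy-rsa) to exercise revoke + gen-crl + crl-verify:
# the check runs against crl.pem alone, so the CRL must be regenerated after every revoke.
set -eu

make_demo_pki() (             # $1 = scratch dir (constructed, temporary)
  mkdir -p "$1" && cd "$1"
  : > index.txt; echo 1000 > serial; echo 1000 > crlnumber
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo
[ demo ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir
certificate = $dir/ca.crt
private_key = $dir/ca.key
serial = $dir/serial
crlnumber = $dir/crlnumber
default_md = sha256
default_days = 30
default_crl_days = 30
policy = any_cn
[ any_cn ]
commonName = supplied
[ req ]
distinguished_name = any_cn
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
  openssl req -x509 -config ca.cnf -extensions v3_ca -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt -subj /CN=demo-ca -days 30 2>/dev/null
  openssl req -config ca.cnf -newkey rsa:2048 -nodes -keyout client.key -out client.csr -subj /CN=client1 2>/dev/null
  openssl ca -batch -config ca.cnf -in client.csr -out client.crt -notext >/dev/null 2>&1
  openssl ca -config ca.cnf -gencrl -out crl.pem >/dev/null 2>&1   # initial, empty CRL
)
revoke_client() (             # $1 = scratch dir, $2 = cert file to revoke
  cd "$1"
  openssl ca -config ca.cnf -revoke "$2" >/dev/null 2>&1          # marks the serial R in index.txt
  openssl ca -config ca.cnf -gencrl -out crl.pem >/dev/null 2>&1  # the gen-crl step; skip it and nothing changes
)
crl_check() (                 # $1 = scratch dir, $2 = cert; exit 0 = accepted, 1 = rejected
  cd "$1"                     # same test OpenVPN's crl-verify applies: chain to the CA, then CRL lookup
  openssl verify -crl_check -CAfile ca.crt -CRLfile crl.pem "$2" >/dev/null 2>&1
)
WORK=$(mktemp -d)
make_demo_pki "$WORK"
crl_check "$WORK" client.crt && echo "before revoke: client1 accepted"
revoke_client "$WORK" client.crt
crl_check "$WORK" client.crt || echo "after revoke: client1 rejected"
rm -rf "$WORK"
```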