Closed scopenco closed 4 years ago
The current execute that generates the CRL is broken. The CRL should be updated using the CA certificate, not the client certificate (server.crt).
How to test:

```sh
# revoke a client certificate through easy-rsa's openssl.cnf
export KEY_CN=server && \
  . /etc/openvpn/easy-rsa/vars && \
  openssl ca -revoke /etc/openvpn/keys/TESTUSER.crt \
    -config /etc/openvpn/easy-rsa/openssl.cnf
```

gencrl:

```sh
# what the cookbook currently runs: the CRL is signed with the server key/cert
export KEY_CN=MYORG && \
  openssl ca -config /etc/openvpn/easy-rsa/openssl.cnf -gencrl \
    -keyfile /etc/openvpn/keys/server.key \
    -cert /etc/openvpn/keys/server.crt \
    -out /etc/openvpn/keys/crl.pem
```

After that you will still be able to log in using the revoked certificate. The correct revoke will be using ca.crt:

```sh
# the CRL has to be signed with the CA key/cert
export KEY_CN=server && \
  openssl ca -config /etc/openvpn/easy-rsa/openssl.cnf -gencrl \
    -keyfile /etc/openvpn/keys/ca.key \
    -cert /etc/openvpn/keys/ca.crt \
    -out /etc/openvpn/keys/crl.pem
```
Fix in PR.
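As an added example (not code from this PR or from the cookbook), the script below reproduces the problem end to end with a throwaway PKI under a temp directory: it issues ca, server and TESTUSER certificates, revokes TESTUSER, then generates one CRL the way the cookbook's execute does (signed with server.crt/server.key) and one the way the PR proposes (ca.crt/ca.key), and checks each with `openssl crl` and `openssl verify -crl_check`. It assumes only that `openssl` (1.1.1 or 3.x) is on PATH; the inline openssl.cnf, the file names and the CN values are constructed for the example and are not easy-rsa's.

```shell
#!/bin/sh
# Added example (not the cookbook's code): reproduce the gencrl bug from the PR
# with a throwaway PKI in a temp dir, then show the ca.crt/ca.key fix.
# Assumes only that `openssl` is on PATH; no easy-rsa required.
set -eu

# Build ca, server and TESTUSER (client) certs plus a minimal openssl.cnf that
# gives `openssl ca` a database to record revocations in. Sets $PKI.
setup_pki() {
  PKI=$(mktemp -d)
  trap 'rm -rf "$PKI"' EXIT
  cat > "$PKI/openssl.cnf" <<EOF
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $PKI
database = \$dir/index.txt
new_certs_dir = \$dir
serial = \$dir/serial
crlnumber = \$dir/crlnumber
default_md = sha256
default_crl_days = 30
policy = policy_any
[ policy_any ]
commonName = supplied
EOF
  : > "$PKI/index.txt"
  echo 01 > "$PKI/serial"
  echo 01 > "$PKI/crlnumber"
  # self-signed CA (constructed name Test-CA)
  openssl req -x509 -config "$PKI/openssl.cnf" -newkey rsa:2048 -nodes -days 30 \
    -subj /CN=Test-CA -keyout "$PKI/ca.key" -out "$PKI/ca.crt" 2>/dev/null
  # server and client certs issued by that CA
  for name in server TESTUSER; do
    openssl req -config "$PKI/openssl.cnf" -newkey rsa:2048 -nodes \
      -subj "/CN=$name" -keyout "$PKI/$name.key" -out "$PKI/$name.csr" 2>/dev/null
    openssl x509 -req -days 30 -in "$PKI/$name.csr" -CA "$PKI/ca.crt" \
      -CAkey "$PKI/ca.key" -CAcreateserial -out "$PKI/$name.crt" 2>/dev/null
  done
}

# Revoke a certificate in the CA database (the same `openssl ca -revoke` the PR runs).
revoke_cert() {  # $1 = certificate file
  openssl ca -config "$PKI/openssl.cnf" -keyfile "$PKI/ca.key" -cert "$PKI/ca.crt" \
    -revoke "$1" 2>/dev/null
}

# Generate a CRL signed by the given cert/key pair: $1 = cert, $2 = key, $3 = output.
# server.crt/server.key is the cookbook's broken variant; ca.crt/ca.key is the fix.
gen_crl() {
  openssl ca -config "$PKI/openssl.cnf" -gencrl -keyfile "$2" -cert "$1" -out "$3" 2>/dev/null
}

# Succeeds only if the CRL's signature verifies against ca.crt.
crl_signed_by_ca() {  # $1 = CRL file
  openssl crl -in "$1" -CAfile "$PKI/ca.crt" -noout 2>&1 | grep -q 'verify OK'
}

# Prints "ok", "revoked" or "no-usable-crl" for a cert checked against ca.crt plus the CRL.
cert_status() {  # $1 = certificate file, $2 = CRL file
  out=$(openssl verify -crl_check -CAfile "$PKI/ca.crt" -CRLfile "$2" "$1" 2>&1) && {
    echo ok; return 0; }
  case "$out" in
    *"certificate revoked"*) echo revoked ;;
    *) echo no-usable-crl ;;  # e.g. "unable to get certificate CRL": CRL issuer is not the CA
  esac
}

run_demo() {
  setup_pki
  revoke_cert "$PKI/TESTUSER.crt"
  gen_crl "$PKI/server.crt" "$PKI/server.key" "$PKI/crl-server.pem"  # cookbook's current execute
  gen_crl "$PKI/ca.crt" "$PKI/ca.key" "$PKI/crl-ca.pem"              # PR's fix
  for crl in crl-server.pem crl-ca.pem; do
    if crl_signed_by_ca "$PKI/$crl"; then sig=valid; else sig=INVALID; fi
    echo "$crl: signature against ca.crt $sig;" \
      "TESTUSER=$(cert_status "$PKI/TESTUSER.crt" "$PKI/$crl")" \
      "server=$(cert_status "$PKI/server.crt" "$PKI/$crl")"
  done
}

run_demo
```

Run as-is: the server-signed CRL does not verify against ca.crt, and a verifier looking for a CRL issued by the CA finds none in it, so TESTUSER's revocation never takes effect; the CA-signed CRL marks TESTUSER revoked and leaves server.crt valid. The same two `openssl crl -CAfile` / `openssl verify -crl_check` checks can be pointed at a live /etc/openvpn/keys/crl.pem to confirm which key signed it.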
Generated by :no_entry_sign: Danger
Hey,
Thank you for the PR. We are closing due to inactivity. If you feel this feature should be merged in, please reopen and rebase as your contributions are always welcome.
Sous Chefs