derlenhart

Delete OpenSSL certificate

Deleting certificates created with OpenVPN

Hello,

I have set up OpenVPN at our company and created a certificate. As is well known, OpenSSL is used for this.

Now I wanted to "delete" or "revoke" one of the certificates again so that the OpenVPN connection is rejected.

How can I delete the certificate from the database?

Unfortunately I have only found entries about Windows 2003 servers on this, and I couldn't make sense of the documentation either.

Kind regards

DerLenhart


Url: https://administrator.de/contentid/44018


Member: gnarff
gnarff Nov 09, 2006 at 22:31:28 (UTC)
Hello Lenhart!

Revoking Certificates with your OpenSSL CA
(And telling people about this using CRLs)

Note. For this to work, you'll need anything that trusts your certificates to check the latest CRL (Certificate Revocation List), otherwise they won't know you've revoked the certificate.

Note 2. Not all of the files you need for doing CRLs can be specified on the command line, however the config file to use can be (with -config <file>). Therefore, you really need to customise an openssl.cnf file for each CA you run before doing this step, otherwise you'll come unstuck.

First up, you need to create a CRL. It is good practice to create a blank CRL straight off, and have your clients check it. That way, when you do come to revoke a certificate, you don't then have the trouble of getting people to notice.

To create a CRL for your CA, you first need to create an index file. This will initially just be a blank file (created with touch). However, as you start to revoke certificates, things will go into here. It's human readable and unsigned, which is why we need to use OpenSSL to make the signed PEM form of it.
So, once you've got your empty index file (in wherever the openssl.cnf file you've got says it'll be... why can't that be a command line option like everything else?), then you can make a CRL from it using:
openssl ca -gencrl -keyfile ca_key -cert ca_crt -out my_crl.pem

This will create a CRL for you, valid for the default length of time (1 month in most OpenSSL versions). In the case that the CRL is being used only on boxes you control, and where you are sure you'll update the CRL following revocation, you'll probably want to increase the lifetime of the CRL. Otherwise, a few months down the line, your servers will complain the CRL is out of date...
To increase the length of time the CRL is valid for, tack on the option -crldays xxx to the crl command above (where xxx is the number of days to be valid for)

Note - If your CRL expires before you revoke a certificate, just generate a new one, as above. The CRL is simply a signed copy of the internal list of revoked certificates, along with a validity date and placed into a standard format. There's nothing magical about it, you can create a new one whenever you want.

Now, with your initial CRL set up, we revoke a certificate:
openssl ca -revoke bad_crt_file -keyfile ca_key -cert ca_crt

This will automagically update your index.txt file with the new details of your revoked certificate. Now you need to generate a new CRL file, with the same command we used above to generate the blank one. With your new CRL created, you need to publish it!

If you want to play around with the validity period of the CRL, or other funky stuff to do with it, then you need to read the "CRL Options" section of the OpenSSL CA manual. If you need to manipulate, view etc a CRL, then take a look at the CRL utility manual.

To ensure that your Apache mod_ssl and/or OpenSSL environment make use of the CRL, take a look at the Installing CRLs page.

To peek at a CRL file, showing things like the validity and what certificates (if any) have been revoked, use:
openssl crl -in crl_file -noout -text

More info at: http://gagravarr.org/writing/openssl-certs/ca.shtml#ca-revoke

Any more questions??
regards
gnarff
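The procedure above, run end to end as an added, constructed example (not code from the thread or from the guide it quotes): a scratch CA with its own minimal openssl.cnf is built in a temporary directory, one client certificate is issued, a blank CRL is published, the certificate is revoked, and `openssl verify -crl_check` shows that a peer checking the CRL keeps accepting the certificate until the CRL is regenerated. All file names and the `demo_ca` config section are assumptions; only the openssl CLI is required.

```shell
# Constructed demo (not from the thread); assumes only the openssl CLI is installed.
set -eu

# Verify the client cert the way a CRL-aware peer should: trust ca.crt, consult crl.pem.
check_against_crl() {
  if openssl verify -crl_check -CAfile ca.crt -CRLfile crl.pem client.crt >/dev/null 2>&1
  then echo valid; else echo revoked; fi
}

# Runs in a subshell so the cd into the temporary directory stays local.
revoke_demo() (
  cd "$(mktemp -d)"
  mkdir newcerts; touch index.txt; echo 01 > serial   # the empty CA database
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = ./index.txt
new_certs_dir = ./newcerts
serial = ./serial
default_md = sha256
default_days = 365
default_crl_days = 30
policy = any_policy
[ any_policy ]
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:true
keyUsage = critical,keyCertSign,cRLSign
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
    -subj /CN=demo-ca -days 365 -config ca.cnf 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -keyout client.key -out client.csr \
    -subj /CN=client1 -config ca.cnf 2>/dev/null
  openssl ca -batch -notext -config ca.cnf -keyfile ca.key -cert ca.crt \
    -in client.csr -out client.crt 2>/dev/null
  # Publish a blank CRL first, as the guide recommends, and check the cert against it.
  openssl ca -config ca.cnf -gencrl -keyfile ca.key -cert ca.crt -out crl.pem 2>/dev/null
  before=$(check_against_crl)
  # Revoke: index.txt gets an R entry, but peers only learn of it from a freshly signed CRL.
  openssl ca -config ca.cnf -revoke client.crt -keyfile ca.key -cert ca.crt 2>/dev/null
  stale=$(check_against_crl)
  openssl ca -config ca.cnf -gencrl -keyfile ca.key -cert ca.crt -out crl.pem 2>/dev/null
  after=$(check_against_crl)
  echo "$before $stale $after"   # prints: valid valid revoked
)
```

The middle "valid" is the point of the guide's Note 1: the revocation lives in index.txt until you sign and distribute a new CRL.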
Member: derLenhart
derLenhart Nov 20, 2006 at 22:29:43 (UTC)
Hello,

Yes, thanks, it worked perfectly. :-)

Kind regards
Lennart