Reply To: huge problems with revokation of certs



misterplow
Member

The way that OpenVPN works is that each time you revoke a certificate it generates/updates a CRL (certificate revocation list) file, against which it checks incoming client connection requests. Even though you may revoke multiple client certificates, the CRL is just one key, against which multiple clients' keys can generate a hit/match.

You can find the crl.pem file that ZS uses at the location of:

/Database/etc/ssl/crl.pem

So, if you start the OpenVPN server process with the option of

--crl-verify /Database/etc/ssl/crl.pem

It will then reject any certificates that you have revoked.

The BIG CATCH is that if you delete a user without first revoking the user’s cert, that user/cert will still be able to connect (as you have noticed, which is probably not what you want).

In the case you forgot to revoke the cert before deleting the user, you’ll have to have access to the cert and private key for the user you mistakenly deleted. If you don’t have access to these two files then you’re probably screwed 😉

Assuming you DO have the cert/private key of the deleted user, you need to go in and manually swap it in for the cert+key of the “tempuser”

  1. create a new user in the ZS gui (doesn’t have to be the same as the original username)
  2. using an ssh session into your ZS box, do the following:

    root@zeroshell root> mv /Database/etc/ssl/certs/_user.pem /Database/etc/ssl/certs/_user.pem.orig;vi /Database/etc/ssl/certs/_user.pem

    (paste the _user.pem certificate contents and save)

  3. do the same for the key file located in /Database/etc/ssl/certs/_user.pem, this time pasting in the keyfile contents
  4. now go back into the GUI and revoke the certificate for the . This revocation should trigger an automatic restart of the affected openvpn server process as long as you have started it with the --crl-verify option as listed above.
  5. once this is done, you can delete the _user.pem files and then rename the _user.pem.orig back to the original _user.pem if you need to keep this temporary user and/or its information for some reason

Once again, just be aware that each time you revoke a certificate against an openvpn server instance where it’s been started with the crl-verify option, you will reset that process and thus kick off all clients briefly.
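The CRL behaviour described in the post, reproduced end to end as an added example (this is not code from the post or from ZeroShell): a throwaway CA is built with openssl, client certificates are issued, one is revoked and crl.pem is regenerated, and each certificate is then checked against the CRL the same way OpenVPN's --crl-verify does. The second half reproduces the "deleted but not revoked" catch: removing the server-side files of a user does nothing to the CRL, so a copy of that certificate is still accepted until someone revokes it with the certificate in hand. Assumptions: openssl 1.1.1 or 3.x is on PATH; the CA layout, openssl.cnf contents, file names and client names (alice, bob, carol) are invented for the demo and are not ZeroShell's.

```shell
#!/bin/sh
# Added example, not code from the forum post or from ZeroShell.
# Builds a throwaway CA, issues client certs, revokes one, rebuilds crl.pem
# and checks certs against the CRL as OpenVPN's --crl-verify would.
# Assumes: openssl (1.1.1 or 3.x) on PATH. All names/paths are made up.
set -eu

WORK="$(mktemp -d)"
cd "$WORK"

# --- minimal OpenSSL CA (constructed for the example) -------------------
mkdir -p ca/newcerts
: > ca/index.txt
echo 1000 > ca/serial
echo 1000 > ca/crlnumber
cat > ca/openssl.cnf <<'EOF'
[ ca ]
default_ca         = demo_ca
[ demo_ca ]
dir                = ./ca
database           = $dir/index.txt
new_certs_dir      = $dir/newcerts
serial             = $dir/serial
crlnumber          = $dir/crlnumber
certificate        = $dir/ca.crt
private_key        = $dir/ca.key
default_md         = sha256
default_days       = 365
default_crl_days   = 30
policy             = demo_policy
x509_extensions    = v3_client
[ demo_policy ]
commonName         = supplied
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints   = critical, CA:TRUE
keyUsage           = critical, keyCertSign, cRLSign
[ v3_client ]
basicConstraints   = CA:FALSE
extendedKeyUsage   = clientAuth
EOF

openssl req -config ca/openssl.cnf -x509 -newkey rsa:2048 -nodes \
  -keyout ca/ca.key -out ca/ca.crt -subj "/CN=Demo CA" -days 365 2>/dev/null

# issue_client NAME -> NAME.key, NAME.csr, NAME.crt signed by the demo CA
issue_client() {
  openssl req -config ca/openssl.cnf -newkey rsa:2048 -nodes \
    -keyout "$1.key" -out "$1.csr" -subj "/CN=$1" 2>/dev/null
  openssl ca -batch -config ca/openssl.cnf -in "$1.csr" -out "$1.crt" 2>/dev/null
}

# revoke_cert CERTFILE: mark the cert revoked in the CA database and rebuild
# crl.pem. This is the step a GUI revoke performs; openssl only needs the
# certificate itself (the serial is looked up in the database).
revoke_cert() {
  openssl ca -config ca/openssl.cnf -revoke "$1" 2>/dev/null
  openssl ca -config ca/openssl.cnf -gencrl -out crl.pem 2>/dev/null
}

# cert_status CERTFILE -> prints "accepted" or "rejected".
# -crl_check fails the chain when the leaf serial appears in the CRL. The CRL
# is appended to the CA file because 'openssl verify -CAfile' loads both
# certificates and CRLs from a PEM bundle.
cert_status() {
  cat ca/ca.crt crl.pem > ca/bundle.pem
  if openssl verify -crl_check -CAfile ca/bundle.pem "$1" >/dev/null 2>&1; then
    echo accepted
  else
    echo rejected
  fi
}

# --- scenario ------------------------------------------------------------
issue_client alice
issue_client bob
issue_client carol
openssl ca -config ca/openssl.cnf -gencrl -out crl.pem 2>/dev/null  # empty CRL

revoke_cert bob.crt                 # bob revoked the proper way

# The catch: "delete" carol by removing the server-side files without revoking
# first. The copy carol still holds keeps passing the CRL check, because
# nothing about carol was ever written to crl.pem.
cp carol.crt carol_copy.crt
rm carol.key carol.crt carol.csr
STATUS_DELETED_NOT_REVOKED="$(cert_status carol_copy.crt)"

# Recovery as in the post: you need the certificate back in order to revoke it.
revoke_cert carol_copy.crt
STATUS_AFTER_REVOKE="$(cert_status carol_copy.crt)"

echo "alice: $(cert_status alice.crt)"
echo "bob:   $(cert_status bob.crt)"
echo "carol (deleted, not revoked): $STATUS_DELETED_NOT_REVOKED"
echo "carol (revoked afterwards):   $STATUS_AFTER_REVOKE"
```

Run it as a plain script; it works in a fresh temporary directory and leaves the system CA untouched. The point to take from it is that the only thing standing between a deleted user and the VPN is the serial number in crl.pem, which is why deleting the account first, as the post warns, changes nothing until the certificate is revoked.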