ovpn: Add support for revoking certificates (CRL)

* Add this much needed missing feature. Easy RSA makes it... easy.
2015-05-11 10:33:56 -07:00 · 2015-05-11 10:33:56 -07:00 · 5021bad597
commit 5021bad597
parent bcb55f6255
2 changed files with 14 additions and 0 deletions
--- a/bin/ovpn_genconfig
+++ b/bin/ovpn_genconfig
@ -160,6 +160,7 @@ ca $EASYRSA_PKI/ca.crt
 cert $EASYRSA_PKI/issued/${OVPN_CN}.crt
 dh $EASYRSA_PKI/dh.pem
 tls-auth $EASYRSA_PKI/ta.key
+crl-verify $EASYRSA_PKI/crl.pem
 key-direction 0
 keepalive 10 60
 persist-key
@ -177,6 +178,10 @@ user nobody
 group nogroup
 EOF

+
+# Create an empty CRL
+[ ! -f "$EASYRSA_PKI/crl.pem" ] && touch $EASYRSA_PKI/crl.pem
+
 [ -n "$OVPN_CLIENT_TO_CLIENT" ] && echo "client-to-client" >> "$conf"
 [ "$OVPN_DNS" == "1" ] && echo push "dhcp-option DNS 8.8.4.4" >> "$conf"
 [ "$OVPN_DNS" == "1" ] && echo push "dhcp-option DNS 8.8.8.8" >> "$conf"
--- a/docs/clients.md
+++ b/docs/clients.md
@ -26,3 +26,12 @@ After doing so, you will find the following files in each of the `$cn` directori
    $cn.crt
    $cn.key
    ta.key
+
+## Revoking Client Certificates
+
+Revoke `client1`'s certificate and generate the certificate revocation list (CRL):
+
+    docker run --rm -it -v /tmp/openvpn:/etc/openvpn kylemanna/openvpn easyrsa revoke client1
+    docker run --rm -it -v /tmp/openvpn:/etc/openvpn kylemanna/openvpn easyrsa gen-crl
+
+The OpenVPN server will read this change everytime a client connects (no need to restart server) and deny clients access using revoked certificates.