container-openvpn/bin/ovpn_revokeclient
2022-06-07 16:40:54 -07:00

75 lines
2.0 KiB
Bash
Executable File

#!/bin/bash
#
# Revoke a client certificate
#
if [ "$DEBUG" == "1" ]; then
set -x
fi
set -e
if [ -z "$OPENVPN" ]; then
export OPENVPN="$PWD"
fi
if ! source "$OPENVPN/ovpn_env.sh"; then
echo "Could not source $OPENVPN/ovpn_env.sh."
exit 1
fi
if [ -z "$EASYRSA_PKI" ]; then
export EASYRSA_PKI="$OPENVPN/pki"
fi
cn="$1"
parm="$2"
if [ ! -f "$EASYRSA_PKI/private/${cn}.key" ]; then
echo "Unable to find \"${cn}\", please try again or generate the key first" >&2
exit 1
fi
revoke_client_certificate(){
# Download EasyRSA because Ubuntu doesn't have it as a CLI command
wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.6/EasyRSA-unix-v3.0.6.tgz
tar xvf EasyRSA-unix-v3.0.6.tgz
export EASYRSA="EasyRSA-v3.0.6/"
export EASYRSA_SSL_CONF="EasyRSA-v3.0.6/openssl-easyrsa.cnf"
cp -r EasyRSA-v3.0.6/x509-types/ x509-types/
EasyRSA-v3.0.6/easyrsa revoke "$1"
echo "Generating the Certificate Revocation List :"
EasyRSA-v3.0.6/easyrsa gen-crl
cp -f "$EASYRSA_PKI/crl.pem" "$OPENVPN/crl.pem"
chmod 644 "$OPENVPN/crl.pem"
# Remove EasyRSA files when we're done
rm -r EasyRSA-v3.0.6/
rm EasyRSA-unix-v3.0.6.tgz
rm -r x509-types/
}
remove_files(){
rm -v "$EASYRSA_PKI/issued/${1}.crt"
rm -v "$EASYRSA_PKI/private/${1}.key"
rm -v "$EASYRSA_PKI/reqs/${1}.req"
}
case "$parm" in
"remove")
revoke_client_certificate "$cn"
remove_files "$cn"
;;
"" | "keep")
revoke_client_certificate "$cn"
;;
*)
echo "When revoking a client certificate, this script let you choose if you want to remove the corresponding crt, key and req files." >&2
echo "Pease note that the removal of those files is required if you want to generate a new client certificate using the revoked certificate's CN." >&2
echo " 1. keep (default): Keep the files." >&2
echo " 2. remove: Remove the files." >&2
echo "Please specify one of those options as second parameter." >&2
;;
esac