openvpn
m5xim, 2017-06-01 13:59:56

Multiple certificate revocation in OpenVPN?

Hello! I have a question about revoking client certificates in OpenVPN. The manual says that to revoke a certificate you run the revoke-full command with the client name and copy the crl.pem file to the /etc/openvpn directory:

    cd ~/openvpn-ca
    source vars
    ./revoke-full clientname
    sudo cp ~/openvpn-ca/keys/crl.pem /etc/openvpn

and in the server config you specify

    crl-verify crl.pem

That much is understandable; the question is different:
1) If, for example, I revoke the client1 certificate, time passes and then I need to revoke the client2 certificate, should I run the revoke-full command for both clients, or only for the new one, with the old one staying on the list?
2) I am also interested in what happens if you create a certificate for an already existing name:
a) a valid certificate
b) a revoked certificate
In both cases, will access using the old certificate become unavailable?
3) As far as I know, by default simultaneous access with one certificate is allowed from only one device, is that correct?


1 answer(s)
tbob, 2018-12-25
@m5xim

Good afternoon, a belated answer, but maybe it will help someone.
1. When a certificate is revoked, an entry is made in index.txt: the flag R and the revocation date are recorded. That is, client1 has already been revoked and a second procedure is not required.
2. a) If the unique-name option is active, a duplicate record will not be created. b) If you revoked the certificate correctly, then the client will not connect anyway; a new one will be created and will work, since it is assigned a new certificate.
3. You can try to connect from several devices, but because of the IP address conflict you will not be able to work on them.
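The index.txt that the answer refers to is the database `openssl ca` keeps under ~/openvpn-ca/keys/; revoke-full calls `openssl ca -revoke` and then `openssl ca -gencrl` against it. The following audit script is an added example for this thread, not code from OpenVPN or easy-rsa. It parses a constructed index.txt (rows laid out the way `openssl ca` writes them: status, expiry, revocation date, serial, file name, subject DN, tab separated), lists the serials a freshly generated crl.pem carries (both client1 and client2 stay, which is question 1), and shows a name re-issued after revocation as two rows with different serials (question 2b; the duplicate row is only possible when openssl.cnf has `unique_subject = no`, otherwise `openssl ca` refuses with a TXT_DB error). The function names and the sample data are this example's own.

```python
"""Audit the OpenSSL CA database (index.txt) behind easy-rsa's revoke-full.

Added example for this thread, not OpenVPN or easy-rsa code. The index
content below is constructed; point the script at a real index.txt to
see what `openssl ca -gencrl` would put in crl.pem.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed sample database. client1 was revoked in March 2018 and
# client2 in December 2018; client2 was then re-issued as serial 04
# (unique_subject = no), so revoked row 03 and new row 04 share a subject.
SAMPLE_INDEX = (
    "V\t270601120000Z\t\t01\tunknown\t/CN=server\n"
    "R\t270601120000Z\t180301091500Z\t02\tunknown\t/CN=client1\n"
    "R\t270601120000Z\t181225101000Z,keyCompromise\t03\tunknown\t/CN=client2\n"
    "V\t270601120000Z\t\t04\tunknown\t/CN=client2\n"
    "V\t270601120000Z\t\t05\tunknown\t/CN=client3\n"
)


@dataclass
class IndexEntry:
    status: str                  # V valid, R revoked, E expired
    expires: datetime
    revoked: Optional[datetime]  # set only on R rows
    reason: Optional[str]        # CRL reason, if one was given at revocation
    serial: str                  # hex serial as written by openssl ca
    subject: str                 # full DN, e.g. /CN=client1


def _parse_time(stamp: str) -> datetime:
    """openssl ca writes UTCTime as YYMMDDHHMMSSZ."""
    return datetime.strptime(stamp, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def parse_index(text: str) -> List[IndexEntry]:
    entries: List[IndexEntry] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError(f"malformed index.txt row: {line!r}")
        status, exp, rev, serial, _filename, subject = fields
        revoked = reason = None
        if rev:
            # The revocation column is "<time>" or "<time>,<reason>".
            stamp, _, reason_part = rev.partition(",")
            revoked = _parse_time(stamp)
            reason = reason_part or None
        entries.append(IndexEntry(status, _parse_time(exp), revoked, reason, serial, subject))
    return entries


def common_name(subject: str) -> str:
    for part in subject.split("/"):
        if part.startswith("CN="):
            return part[3:]
    raise ValueError(f"no CN in subject {subject!r}")


def revoked_serials(entries: List[IndexEntry]) -> List[str]:
    """Serials a freshly generated CRL carries. R rows are never removed,
    so revoking client2 later does not drop client1 from the CRL."""
    return [e.serial for e in entries if e.status == "R"]


def usable_serials(entries: List[IndexEntry], now: datetime) -> Dict[str, List[str]]:
    """CN -> serials a server with crl-verify still accepts: not revoked, not expired."""
    usable: Dict[str, List[str]] = {}
    for e in entries:
        if e.status == "V" and e.expires > now:
            usable.setdefault(common_name(e.subject), []).append(e.serial)
    return usable


def reissued_names(entries: List[IndexEntry]) -> Dict[str, List[str]]:
    """CNs present on more than one row (old and re-issued certificates)."""
    by_name: Dict[str, List[str]] = {}
    for e in entries:
        by_name.setdefault(common_name(e.subject), []).append(e.serial)
    return {cn: serials for cn, serials in by_name.items() if len(serials) > 1}


def audit(index_text: str, as_of: str) -> dict:
    """One-shot report; as_of uses openssl's YYMMDDHHMMSSZ form."""
    entries = parse_index(index_text)
    now = _parse_time(as_of)
    return {
        "revoked": revoked_serials(entries),
        "usable": usable_serials(entries, now),
        "reissued": reissued_names(entries),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_INDEX, "190101000000Z").items():
        print(f"{key}: {value}")
```

Run it against ~/openvpn-ca/keys/index.txt after each revoke-full and compare the "revoked" list with `openssl crl -in keys/crl.pem -noout -text`; the two should agree, and the CRL the server loads via crl-verify is only as current as the last copy to /etc/openvpn.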
