
[OpenVPN] Revoking a Client Key + Key Management


Revoking a Client Key

> cd /etc/openvpn/easy-rsa
> ./easyrsa revoke client1

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017


Please confirm you wish to revoke the certificate with the following subject:

subject= 
    commonName                = client1


Type the word 'yes' to continue, or any other input to abort.
  Continue with revocation: yes
Using configuration from /etc/openvpn/easy-rsa/pki/easy-rsa-21300.R6aokl/tmp.HZFco9

# Enter the passphrase for ca.key
Enter pass phrase for /etc/openvpn/easy-rsa/pki/private/ca.key:
Revoking Certificate 420431A2B2FF3E9BFA9CD17E6995DE35.
Data Base Updated

IMPORTANT!!!

Revocation was successful. You must run gen-crl and upload a CRL to your
infrastructure in order to prevent the revoked cert from being accepted.


Checking Keys

  • V : valid key
  • R : revoked key

> cd /etc/openvpn/easy-rsa
> cat pki/index.txt
V	240501065938Z		B7A58A44B52592D8CF7E7FFADAE6F990	unknown	/CN=server
V	240501070328Z		F0329B34A91A5AB1E9F766CBD47C8C44	unknown	/CN=client2
R	240501090043Z	220127093355Z	420431A2B2FF3E9BFA9CD17E6995DE35	unknown	/CN=client1


Applying crl.pem on the Server

  • After revoking a key with revoke, the revocation is only complete once crl.pem has been applied in server.conf and the server restarted.
  • Generate crl.pem
> ./easyrsa gen-crl

...
# Enter the passphrase for ca.key
Enter pass phrase for /etc/openvpn/easy-rsa/pki/private/ca.key:

An updated CRL has been created.
CRL file: /etc/openvpn/easy-rsa/pki/crl.pem


  • Apply in server.conf
> vim /etc/openvpn/server.conf
...
crl-verify /etc/openvpn/easy-rsa/pki/crl.pem
...


  • Every time a key is revoked, crl.pem must be regenerated and OpenVPN restarted.
  • Of course, from the moment the client key is revoked, that client can no longer connect.
  • Adding a key requires neither an OpenVPN restart nor regenerating crl.pem.
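To tie the two checks above together (reading pki/index.txt, and confirming that every revoked entry actually made it into the CRL that server.conf points at), here is a small added script. It is not part of the post or of Easy-RSA; the sample index lines and the sample `openssl crl -text` output are constructed to match the entries shown above, and the field layout it assumes is OpenSSL's standard database format (status, expiry, revocation date, serial, filename, subject, tab-separated).

```python
"""Summarize an easy-rsa pki/index.txt and check it against the deployed CRL.

Added example, not from the post or Easy-RSA. index.txt columns (tab-separated):
  status (V/R/E), expiry YYMMDDHHMMSSZ, revocation date (empty unless R),
  serial, filename ("unknown"), subject DN.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Set

# Constructed sample: the three entries shown in the post's pki/index.txt.
SAMPLE_INDEX = (
    "V\t240501065938Z\t\tB7A58A44B52592D8CF7E7FFADAE6F990\tunknown\t/CN=server\n"
    "V\t240501070328Z\t\tF0329B34A91A5AB1E9F766CBD47C8C44\tunknown\t/CN=client2\n"
    "R\t240501090043Z\t220127093355Z\t420431A2B2FF3E9BFA9CD17E6995DE35\tunknown\t/CN=client1\n"
)

# Constructed sample of `openssl crl -in pki/crl.pem -noout -text` output
# after gen-crl has been run for the revocation above.
SAMPLE_CRL_TEXT = """Certificate Revocation List (CRL):
        Version 2 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: /CN=Easy-RSA CA
        Last Update: Jan 27 09:34:10 2022 GMT
        Next Update: Jul 26 09:34:10 2022 GMT
Revoked Certificates:
    Serial Number: 420431A2B2FF3E9BFA9CD17E6995DE35
        Revocation Date: Jan 27 09:33:55 2022 GMT
"""


@dataclass
class IndexEntry:
    status: str                 # V = valid, R = revoked, E = expired
    expires: datetime
    revoked_at: Optional[datetime]
    serial: str
    subject: str

    @property
    def common_name(self) -> str:
        # Subject is a slash-separated DN such as /CN=client1
        for part in self.subject.split("/"):
            if part.startswith("CN="):
                return part[3:]
        return self.subject


def _parse_time(value: str) -> datetime:
    # OpenSSL database timestamps are YYMMDDHHMMSSZ in UTC
    return datetime.strptime(value, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def parse_index(text: str) -> List[IndexEntry]:
    entries: List[IndexEntry] = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        fields = raw.split("\t")
        if len(fields) != 6:
            raise ValueError(f"unexpected index.txt line: {raw!r}")
        status, exp, rev, serial, _filename, subject = fields
        entries.append(IndexEntry(
            status=status,
            expires=_parse_time(exp),
            revoked_at=_parse_time(rev) if rev else None,
            serial=serial.upper(),
            subject=subject,
        ))
    return entries


def valid_names(entries: List[IndexEntry]) -> List[str]:
    """Common names of certificates the CA still considers valid (status V)."""
    return sorted(e.common_name for e in entries if e.status == "V")


def revoked_serials(entries: List[IndexEntry]) -> List[str]:
    """Serials of certificates marked R in index.txt."""
    return sorted(e.serial for e in entries if e.status == "R")


def crl_serials(crl_text: str) -> Set[str]:
    """Serials listed under 'Revoked Certificates' in `openssl crl -text` output."""
    return {m.group(1).upper() for m in re.finditer(r"Serial Number:\s*([0-9A-Fa-f]+)", crl_text)}


def revoked_but_missing_from_crl(entries: List[IndexEntry], in_crl: Set[str]) -> List[str]:
    """Common names revoked in index.txt whose serial the CRL does not contain.

    A non-empty result means gen-crl was not re-run (or the new crl.pem was not
    deployed) after a revoke, so the server would still accept that client."""
    return sorted(e.common_name for e in entries if e.status == "R" and e.serial not in in_crl)


if __name__ == "__main__":
    idx = parse_index(SAMPLE_INDEX)
    print("valid:", valid_names(idx))
    print("revoked:", revoked_serials(idx))
    print("missing from CRL:", revoked_but_missing_from_crl(idx, crl_serials(SAMPLE_CRL_TEXT)))
```

On a real server, feed it the contents of pki/index.txt and the output of `openssl crl -in /etc/openvpn/easy-rsa/pki/crl.pem -noout -text`; any name returned by `revoked_but_missing_from_crl` is a revocation that has not yet reached the file named in `crl-verify`. The `Next Update` line in that same output is worth watching too: OpenVPN rejects connections against an expired CRL, so a CRL that is never regenerated eventually locks every client out rather than just the revoked ones.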