Revoking a client key
> cd /etc/openvpn/easy-rsa
> ./easyrsa revoke client1
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
Please confirm you wish to revoke the certificate with the following subject:
subject=
commonName = client1
Type the word 'yes' to continue, or any other input to abort.
Continue with revocation: yes
Using configuration from /etc/openvpn/easy-rsa/pki/easy-rsa-21300.R6aokl/tmp.HZFco9
# enter the ca.key passphrase
Enter pass phrase for /etc/openvpn/easy-rsa/pki/private/ca.key:
Revoking Certificate 420431A2B2FF3E9BFA9CD17E6995DE35.
Data Base Updated
IMPORTANT!!!
Revocation was successful. You must run gen-crl and upload a CRL to your
infrastructure in order to prevent the revoked cert from being accepted.
Checking key status
- V : valid key
- R : revoked key
> cd /etc/openvpn/easy-rsa
> cat pki/index.txt
V 240501065938Z B7A58A44B52592D8CF7E7FFADAE6F990 unknown /CN=server
V 240501070328Z F0329B34A91A5AB1E9F766CBD47C8C44 unknown /CN=client2
R 240501090043Z 220127093355Z 420431A2B2FF3E9BFA9CD17E6995DE35 unknown /CN=client1
Applying crl.pem on the server
- After revoking a key with revoke, the revocation is only complete once crl.pem is referenced in server.conf and the server has been restarted.
- Generate crl.pem
> ./easyrsa gen-crl
...
# enter the ca.key passphrase
Enter pass phrase for /etc/openvpn/easy-rsa/pki/private/ca.key:
An updated CRL has been created.
CRL file: /etc/openvpn/easy-rsa/pki/crl.pem
- Apply it in server.conf
> vim /etc/openvpn/server.conf
...
crl-verify /etc/openvpn/easy-rsa/pki/crl.pem
...
- Every time a key is revoked, crl.pem must be regenerated and openvpn restarted.
- Naturally, the client can no longer connect from the moment its key is revoked.
- Adding a key requires neither an openvpn restart nor regenerating crl.pem.
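As an added check (not part of the original post), the script below parses pki/index.txt and reports revoked certificates whose serials are missing from crl.pem, i.e. revocations for which gen-crl has not been run yet. It assumes the Easy-RSA paths used in this post and that `openssl` is on the PATH; the embedded index.txt is a constructed sample with the serials shown above.

```python
"""Report Easy-RSA revocations that are not yet in crl.pem (run gen-crl + restart if any)."""
import re
import subprocess
import sys
from typing import Dict, List, Set

# index.txt line: status, expiry, [revocation date[,reason]], serial, file name, DN
INDEX_RE = re.compile(
    r"^(?P<status>[VRE])\s+(?P<expires>\d{12}Z)\s+"
    r"(?:(?P<revoked>\d{12}Z)(?:,\w+)?\s+)?"
    r"(?P<serial>[0-9A-Fa-f]+)\s+\S+\s+(?P<dn>/.*)$"
)

# Constructed sample mirroring the index.txt shown in this post (real files are tab-separated)
SAMPLE_INDEX = (
    "V\t240501065938Z\t\tB7A58A44B52592D8CF7E7FFADAE6F990\tunknown\t/CN=server\n"
    "V\t240501070328Z\t\tF0329B34A91A5AB1E9F766CBD47C8C44\tunknown\t/CN=client2\n"
    "R\t240501090043Z\t220127093355Z\t420431A2B2FF3E9BFA9CD17E6995DE35\tunknown\t/CN=client1\n"
)


def parse_index(text: str) -> List[Dict[str, str]]:
    """Return one dict per certificate line; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = INDEX_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def crl_serials(crl_path: str) -> Set[str]:
    """Serials listed in a PEM CRL, taken from `openssl crl -text` output."""
    out = subprocess.run(["openssl", "crl", "-in", crl_path, "-noout", "-text"],
                         capture_output=True, text=True, check=True).stdout
    return {s.upper() for s in re.findall(r"Serial Number:\s*([0-9A-Fa-f]+)", out)}


def pending_revocations(index_text: str, serials_in_crl: Set[str]) -> List[str]:
    """DNs marked R in index.txt whose serial is absent from the CRL."""
    crl = {s.upper() for s in serials_in_crl}
    return [e["dn"] for e in parse_index(index_text)
            if e["status"] == "R" and e["serial"].upper() not in crl]


if __name__ == "__main__":
    index_path = sys.argv[1] if len(sys.argv) > 1 else "/etc/openvpn/easy-rsa/pki/index.txt"
    crl_path = sys.argv[2] if len(sys.argv) > 2 else "/etc/openvpn/easy-rsa/pki/crl.pem"
    with open(index_path, encoding="utf-8") as f:
        missing = pending_revocations(f.read(), crl_serials(crl_path))
    print("revoked but not in CRL:", missing or "none")
```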