Revoking a certificate

[root@openvpn ~]# cd /etc/openvpn/easy-rsa/
[root@openvpn easy-rsa]# ./easyrsa revoke dalin

Note: using Easy-RSA configuration from: ./vars


Please confirm you wish to revoke the certificate with the following subject:

subject= 
    commonName                = dalin


Type the word 'yes' to continue, or any other input to abort.
  Continue with revocation: yes
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.cnf
Revoking Certificate 06.
Data Base Updated

IMPORTANT!!!

Revocation was successful. You must run gen-crl and upload a CRL to your
infrastructure in order to prevent the revoked cert from being accepted.

[root@openvpn easy-rsa]# ./easyrsa gen-crl

Note: using Easy-RSA configuration from: ./vars
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.cnf

An updated CRL has been created.
CRL file: /etc/openvpn/easy-rsa/pki/crl.pem

❌ Note

Running the commands above does not delete the user's certificate; it only updates the crl.pem file. As the output above shows, that file is located at /etc/openvpn/easy-rsa/pki/crl.pem


[root@openvpn easy-rsa]# find /etc/openvpn/ -type f -name "index.txt" | xargs cat
V    280825082643Z        01    unknown    /CN=server
R    280826061455Z    181211135800Z    03    unknown    /CN=dalin

V means valid
R means revoked
  • Edit the configuration file
[root@openvpn easy-rsa]# vim /etc/openvpn/server.conf
crl-verify /etc/openvpn/easy-rsa/pki/crl.pem

# Restart the service

# Delete the files belonging to the user
[root@openvpn openvpn]# find . -type f -name "dalin.*" | xargs rm
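As an added example (not part of the original page), the script below checks the outcome of the procedure above from the defender's side: it parses the Easy-RSA index.txt format shown earlier to list revoked serials, and confirms that server.conf carries an uncommented crl-verify line. The index.txt content is a constructed sample mirroring the page's output; the paths are assumptions taken from the page.

```shell
#!/bin/sh
# Added example, not from the original page. Helper checks for the Easy-RSA
# revocation procedure; index.txt below is a constructed sample.
set -e

# Write a constructed two-entry index.txt (tab-separated, as Easy-RSA writes it)
# to the file named in $1. The valid entry has an empty revocation-time field.
write_sample_index() {
  printf 'V\t280825082643Z\t\t01\tunknown\t/CN=server\n' > "$1"
  printf 'R\t280826061455Z\t181211135800Z\t03\tunknown\t/CN=dalin\n' >> "$1"
}

# Print "serial<TAB>commonName" for each entry whose status is R (revoked).
# Columns: status, expiry, revocation time (empty while valid), serial,
# certificate file name, subject DN.
revoked_entries() {
  awk -F'\t' '$1 == "R" { cn = $6; sub(/^.*\/CN=/, "", cn); print $4 "\t" cn }' "$1"
}

# Print how many entries are still marked V (valid).
valid_count() {
  awk -F'\t' '$1 == "V" { n++ } END { print n + 0 }' "$1"
}

# Succeed only if $1 (server.conf) has an uncommented crl-verify line whose
# path is exactly $2; a commented-out "#crl-verify" line must not count.
has_crl_verify() {
  grep -E '^[[:space:]]*crl-verify[[:space:]]+' "$1" | awk '{ print $2 }' | grep -Fxq -- "$2"
}

# Succeed only if serial $1 is listed in the CRL file $2 (needs openssl;
# not exercised by the self-contained demo, which has no real CRL).
crl_lists_serial() {
  openssl crl -in "$2" -noout -text | grep -Eq 'Serial Number: 0*'"$1"'$'
}

# Stand-alone demo on the constructed sample.
tmp=$(mktemp -d)
write_sample_index "$tmp/index.txt"
echo "revoked entries (serial, CN):"
revoked_entries "$tmp/index.txt"
echo "still valid: $(valid_count "$tmp/index.txt")"
rm -rf "$tmp"
```

On a live server, run crl_lists_serial with the serial reported by easyrsa revoke and the crl.pem path from gen-crl to confirm the CRL the server loads actually contains the revoked certificate.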