Implemented that a Certificate Revocation List is generated during installation after generation of the other Public Key Infrastructure. Enabled this CRL in the server config. The added benefit of this is that whenever the user now revokes a client, the change is instant. Whereas before, the first time a client was revoked, the OpenVPN server had to be restarted to enable the then-newly-generated CRL. This change also makes the file /etc/pivpn/REVOKE_STATUS obsolete.

Documentation: https://openvpn.net/index.php/open-source/documentation/howto.html#revoke
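The revoke-then-refresh-CRL cycle this commit sets up, as an added example that is not PiVPN or easy-rsa code: a throwaway CA built with plain openssl in a temporary directory (names such as demo-ca and alice are made up), an empty CRL generated up front exactly as the installer now does, and a CRL-aware verification before and after one client is revoked. The 180-day CRL lifetime is assumed to match easy-rsa's default.

```shell
#!/bin/sh
# Added example, not PiVPN or easy-rsa code. Builds a throwaway CA with plain
# openssl in a temp directory so it runs offline. Subject names are made up.
set -eu

# Write a minimal config for `openssl ca` into DIR. `$dir` is left for openssl
# to expand; everything else is fixed here. default_crl_days mirrors the
# easy-rsa default (assumption).
write_ca_config() {
  dir=$1
  cat > "$dir/ca.cnf" <<EOF
[ ca ]
default_ca       = demo_ca
[ demo_ca ]
dir              = $dir
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/ca.crt
private_key      = \$dir/ca.key
default_md       = sha256
default_days     = 30
default_crl_days = 180
policy           = demo_policy
[ demo_policy ]
commonName       = supplied
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
EOF
}

# Mirror the install step: CA, one client cert, and an EMPTY CRL so that a
# CRL-checking verifier (or OpenVPN with crl-verify) has a CRL from day one.
build_demo_pki() {
  dir=$1
  mkdir -p "$dir/newcerts"
  : > "$dir/index.txt"
  echo 01 > "$dir/serial"
  echo 01 > "$dir/crlnumber"
  write_ca_config "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj /CN=demo-ca \
    -config "$dir/ca.cnf" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj /CN=alice \
    -config "$dir/ca.cnf" -keyout "$dir/alice.key" -out "$dir/alice.csr" 2>/dev/null
  openssl ca -batch -notext -config "$dir/ca.cnf" \
    -in "$dir/alice.csr" -out "$dir/alice.crt" >/dev/null 2>&1
  openssl ca -config "$dir/ca.cnf" -gencrl -out "$dir/crl.pem" 2>/dev/null
}

# Mirror `easyrsa revoke` followed by `easyrsa gen-crl`: the CRL file is
# rewritten in place, which is all a server reading it needs to see.
revoke_client() {
  dir=$1
  openssl ca -config "$dir/ca.cnf" -revoke "$dir/alice.crt" >/dev/null 2>&1
  openssl ca -config "$dir/ca.cnf" -gencrl -out "$dir/crl.pem" 2>/dev/null
}

# What a CRL-aware verifier says about the client cert: valid, revoked, other.
# Parses the text rather than the exit code, which older openssl left at 0.
client_status() {
  dir=$1
  out=$(openssl verify -crl_check -CAfile "$dir/ca.crt" -CRLfile "$dir/crl.pem" \
        "$dir/alice.crt" 2>&1) || true
  case "$out" in
    *"certificate revoked"*) echo revoked ;;
    *": OK"*)                echo valid ;;
    *)                       echo other ;;
  esac
}

# Number of serials listed in the CRL (0 for the freshly generated empty one).
crl_revoked_count() {
  openssl crl -in "$1/crl.pem" -noout -text | grep -c 'Serial Number:' || true
}

# Stand-alone run.
demo=$(mktemp -d)
build_demo_pki "$demo"
echo "before revoke: $(client_status "$demo") (CRL entries: $(crl_revoked_count "$demo"))"
revoke_client "$demo"
echo "after revoke:  $(client_status "$demo") (CRL entries: $(crl_revoked_count "$demo"))"
# The CRL itself expires; past this date a server that enforces it rejects
# every client, so it has to be regenerated before then.
openssl crl -in "$demo/crl.pem" -noout -nextupdate
rm -rf "$demo"
```

The last line is the check worth keeping in mind with this commit: a CRL carries a nextUpdate, and once it is past, OpenVPN's crl-verify refuses all clients, not just revoked ones, so the generated crl.pem needs refreshing within its lifetime even when nothing was revoked.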
Jelle Dekker 2017-09-22 02:46:52 -05:00
parent c7f82d0116
commit 30920115b3
3 changed files with 6 additions and 21 deletions

@ -884,6 +884,11 @@ EOF
# Generate static HMAC key to defend against DDoS
${SUDOE} openvpn --genkey --secret pki/ta.key
# Generate an empty Certificate Revocation List
${SUDOE} ./easyrsa gen-crl
cp pki/crl.pem /etc/openvpn/crl.pem
chown nobody:nogroup /etc/openvpn/crl.pem
# Write config file for server using the template .txt file
$SUDO cp /etc/.pivpn/server_config.txt /etc/openvpn/server.conf
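Review bot: the two new lines `cp pki/crl.pem /etc/openvpn/crl.pem` and `chown nobody:nogroup /etc/openvpn/crl.pem` run without the `${SUDOE}`/`$SUDO` wrapper that `${SUDOE} ./easyrsa gen-crl` just above and `$SUDO cp /etc/.pivpn/server_config.txt /etc/openvpn/server.conf` just below both use, so on an installer run that relies on that wrapper for privileges the copy and chown fail and no crl.pem lands in /etc/openvpn while the rest of the install continues. Suggest `$SUDO cp pki/crl.pem /etc/openvpn/crl.pem` and `$SUDO chown nobody:nogroup /etc/openvpn/crl.pem`, and a comment stating that the owner is chosen so the server can re-read the CRL after it drops privileges, since that is the reason the chown is here at all.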
@ -992,10 +997,6 @@ confOVPN() {
$SUDO cp /tmp/pivpnUSR /etc/pivpn/INSTALL_USER
$SUDO cp /tmp/DET_PLATFORM /etc/pivpn/DET_PLATFORM
# Set status that no certs have been revoked
echo 0 > /tmp/REVOKE_STATUS
$SUDO cp /tmp/REVOKE_STATUS /etc/pivpn/REVOKE_STATUS
$SUDO cp /etc/.pivpn/Default.txt /etc/openvpn/easy-rsa/pki/Default.txt
if [[ ${useUpdateVars} == false ]]; then
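Review bot: dropping the creation of /etc/pivpn/REVOKE_STATUS is only safe if every reader of that file was changed in the same commit; this hunk removes the writer side only, and with three files changed the revoke path is not visible here, so confirm that nothing still tests REVOKE_STATUS to decide whether the server must be restarted, otherwise fresh installs (file absent) and upgraded installs (stale file still present) will take different branches. Upgraded systems keep the old file around; consider removing it in the update path so the obsolete flag cannot be consulted by mistake.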