
Commit a091bef

committed
Create a script to handle client revocation
This script revokes the certificate corresponding to the commonName passed as first parameter, generates a new CRL, copies it to /etc/openvpn, makes it readable by OpenVPN and optionally removes the crt, key and req files corresponding to the revoked certificate when "remove" is passed as second parameter (removal of those files is required to generate a new client certificate using the revoked certificate's CN).
1 parent 59644d9 commit a091bef


1 file changed

+61
-0
lines changed


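--- a/bin/ovpn_revokeclient
+++ b/bin/ovpn_revokeclient
@@ -0,0 +1,61 @@
+#!/bin/bash
+
+#
+# Revoke a client certificate
+#
+
+if [ "$DEBUG" == "1" ]; then
+set -x
+fi
+
+set -e
+
+if [ -z "$OPENVPN" ]; then
+export OPENVPN="$PWD"
+fi
+if ! source "$OPENVPN/ovpn_env.sh"; then
+echo "Could not source $OPENVPN/ovpn_env.sh."
+exit 1
+fi
+if [ -z "$EASYRSA_PKI" ]; then
+export EASYRSA_PKI="$OPENVPN/pki"
+fi
+
+cn="$1"
+parm="$2"
+
+if [ ! -f "$EASYRSA_PKI/private/${cn}.key" ]; then
+echo "Unable to find \"${cn}\", please try again or generate the key first" >&2
+exit 1
+fi
+
+revoke_client_certificate(){
+easyrsa revoke "$1"
+echo "Generating the Certificate Revocation List :"
+easyrsa gen-crl
+cp -f "$EASYRSA_PKI/crl.pem" "$OPENVPN/crl.pem"
+chmod 644 "$OPENVPN/crl.pem"
+}
+
+remove_files(){
+rm -v "$EASYRSA_PKI/issued/${1}.crt"
+rm -v "$EASYRSA_PKI/private/${1}.key"
+rm -v "$EASYRSA_PKI/reqs/${1}.req"
+}
+
+case "$parm" in
+"remove")
+revoke_client_certificate "$cn"
+remove_files "$cn"
+;;
+"" | "keep")
+revoke_client_certificate "$cn"
+;;
+*)
+echo "When revoking a client certificate, this script let you choose if you want to remove the corresponding crt, key and req files." >&2
+echo "Pease note that the removal of those files is required if you want to generate a new client certificate using the revoked certificate's CN." >&2
+echo " 1. keep (default): Keep the files." >&2
+echo " 2. remove: Remove the files." >&2
+echo "Please specify one of those options as second parameter." >&2
+;;
+esac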
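Review bot: The `*)` arm of the final `case` prints the usage text and then lets the script end with status 0, so a mistyped second parameter leaves the certificate unrevoked while any caller that checks the exit code sees success; add `exit 1` after the last `echo` in that arm. Separately, `cn="$1"` is interpolated into the `-f` test and the three `rm -v` paths without validation, so a value containing `/` or `..` resolves outside `private/`, `issued/` and `reqs/`; rejecting such names up front, e.g. `case "$cn" in ""|*/*|*..*) echo "Invalid common name" >&2; exit 1;; esac`, keeps the removal confined to the PKI directories. Because `set -e` is active, `remove_files` also stops at the first `rm` that fails, which can leave the private key on disk when the `.crt` is already gone; `rm -fv` on each path would make the cleanup idempotent.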
