Adding a user: if this is not the first time you are creating a user, you only need to source ./vars first
[root@node 2.0]# source ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /usr/local/openvpn-2.1.2/easy-rsa/2.0/keys
[root@node 2.0]# ./build-key mark
Generating a 1024 bit RSA private key
If you have not closed this terminal session, adding another user only needs ./build-key <username>
Revoking a certificate:
[root@node 2.0]# ./revoke-full mark
Using configuration from /usr/local/openvpn-2.1.2/easy-rsa/2.0/openssl.cnf
Revoking Certificate 03.
Data Base Updated
Using configuration from /usr/local/openvpn-2.1.2/easy-rsa/2.0/openssl.cnf
mark.crt: C = CN, ST = shanghai, L = Shanghai, O = Fort-Funston, CN = mark, emailAddress = usertzc@163.com
error 23 at 0 depth lookup:certificate revoked
[root@node 2.0]#
Once the revocation completes, crl.pem is generated
[root@node keys]# cat crl.pem
-----BEGIN X509 CRL-----
MIIBVzCBwTANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJDTjERMA8GA1UECBMI
c2hhbmdoYWkxETAPBgNVBAcTCFNoYW5naGFpMRUwEwYDVQQKEwxGb3J0LUZ1bnN0
b24xEDAOBgNVBAMTB2xpbnV4ZWExHjAcBgkqhkiG9w0BCQEWD3VzZXJ0emNAMTYz
LmNvbRcNMTYwMzEzMTEyMDQ1WhcNMTYwNDEyMTEyMDQ1WjAUMBICAQMXDTE2MDMx
MzExMjA0NVowDQYJKoZIhvcNAQEEBQADgYEAR+GRn1ckiFrTh0A8joXCxu0tJMnw
tQzr4VFEJRTxoe5K4CAXgyKdmuDLgoMCMJkCuc4ltlqVIN5KSBSGE3xwhTVeopiY
GJZkkW5KEpOW7rqrTnzttQpw5jzhsAedoL8E/EBcUvPtYOXCc1tUx81B/ThV8CQS
iotOPDXuqdLK/dw=
-----END X509 CRL-----
[root@node keys]#
View the certificates that have been revoked (marked R):
[root@node keys]# cat index.txt
V 260308144601Z 01 unknown /C=CN/ST=shanghai/L=Shanghai/O=Fort-Funston/CN=server/emailAddress=usertzc@163.com
V 260308145051Z 02 unknown /C=CN/ST=shanghai/L=Shanghai/O=Fort-Funston/CN=linuxeacom/emailAddress=usertzc@163.com
R 260311112004Z 160313112045Z 03 unknown /C=CN/ST=shanghai/L=Shanghai/O=Fort-Funston/CN=mark/emailAddress=usertzc@163.com
[root@node keys]#
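As an added example (not part of the original post), the following script audits the two artifacts shown above: it parses keys/index.txt and the CRL, checks that every R entry is actually listed in crl.pem, and flags a CRL whose nextUpdate has passed. Decoding the page's own CRL shows it is valid from 2016-03-13 11:20:45 to 2016-04-12 11:20:45, a 30-day window, so after that date the CRL has to be regenerated or the server is enforcing a stale list. The DER walker handles only what a CRL needs (short and long length forms, SEQUENCE nesting); SAMPLE_INDEX is reconstructed with tabs from the lines pasted on the page, SAMPLE_CRL is the page's crl.pem copied verbatim, and the function names (parse_index, parse_crl, audit) are my own.

```python
# Added example, not from the original post: offline audit of an easy-rsa 2.0 CA.
import base64
import re
from datetime import datetime, timezone

# Reconstructed from the three index.txt lines on the page. The real file is tab-separated
# with an empty revocation column for V entries; the page's paste collapsed the tabs.
SAMPLE_INDEX = (
    "V\t260308144601Z\t\t01\tunknown\t/C=CN/ST=shanghai/L=Shanghai/O=Fort-Funston/CN=server/emailAddress=usertzc@163.com\n"
    "V\t260308145051Z\t\t02\tunknown\t/C=CN/ST=shanghai/L=Shanghai/O=Fort-Funston/CN=linuxeacom/emailAddress=usertzc@163.com\n"
    "R\t260311112004Z\t160313112045Z\t03\tunknown\t/C=CN/ST=shanghai/L=Shanghai/O=Fort-Funston/CN=mark/emailAddress=usertzc@163.com\n"
)

# The crl.pem printed on the page, copied verbatim.
SAMPLE_CRL = """-----BEGIN X509 CRL-----
MIIBVzCBwTANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJDTjERMA8GA1UECBMI
c2hhbmdoYWkxETAPBgNVBAcTCFNoYW5naGFpMRUwEwYDVQQKEwxGb3J0LUZ1bnN0
b24xEDAOBgNVBAMTB2xpbnV4ZWExHjAcBgkqhkiG9w0BCQEWD3VzZXJ0emNAMTYz
LmNvbRcNMTYwMzEzMTEyMDQ1WhcNMTYwNDEyMTEyMDQ1WjAUMBICAQMXDTE2MDMx
MzExMjA0NVowDQYJKoZIhvcNAQEEBQADgYEAR+GRn1ckiFrTh0A8joXCxu0tJMnw
tQzr4VFEJRTxoe5K4CAXgyKdmuDLgoMCMJkCuc4ltlqVIN5KSBSGE3xwhTVeopiY
GJZkkW5KEpOW7rqrTnzttQpw5jzhsAedoL8E/EBcUvPtYOXCc1tUx81B/ThV8CQS
iotOPDXuqdLK/dw=
-----END X509 CRL-----
"""

def parse_time(s):
    """ASN.1 UTCTime (YYMMDDHHMMSSZ) or GeneralizedTime (YYYYMMDDHHMMSSZ) -> aware datetime."""
    fmt = "%y%m%d%H%M%SZ" if len(s) == 13 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(s, fmt).replace(tzinfo=timezone.utc)

def parse_index(text):
    """Parse OpenSSL CA index.txt lines into dicts: status (V/R/E), serial, cn, dates."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        tabbed = "\t" in line
        f = line.split("\t") if tabbed else line.split()
        status, expiry = f[0], f[1]
        if status == "R":
            revoked_at, serial = f[2], f[3]
        else:
            revoked_at = None
            serial = f[3] if tabbed else f[2]   # the empty column only survives with tabs
        cn = re.search(r"/CN=([^/]+)", f[-1]).group(1)
        entries.append({"status": status, "serial": int(serial, 16), "cn": cn,
                        "expires": parse_time(expiry),
                        "revoked_at": parse_time(revoked_at) if revoked_at else None})
    return entries

def der_read(buf, pos):
    """Read one DER TLV at pos -> (tag, value bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Yield the (tag, value) TLVs packed inside a SEQUENCE or SET body."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = der_read(value, pos)
        yield tag, inner

def parse_crl(pem):
    """Extract thisUpdate, nextUpdate and {serial: revocation time} from a PEM CRL."""
    body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    _, cert_list, _ = der_read(base64.b64decode(body), 0)   # CertificateList
    _, tbs, _ = der_read(cert_list, 0)                       # tbsCertList
    items = list(der_children(tbs))
    if items[0][0] == 0x02:            # optional v2 version INTEGER (easy-rsa 2.0 emits v1 CRLs)
        items.pop(0)
    # items: signature AlgorithmIdentifier, issuer Name, thisUpdate, [nextUpdate], [revokedCertificates]
    times = [parse_time(v.decode()) for t, v in items[2:4] if t in (0x17, 0x18)]
    revoked = {}
    for t, seq in items[2:]:
        if t == 0x30:                  # SEQUENCE OF {userCertificate INTEGER, revocationDate Time}
            for _, entry in der_children(seq):
                (_, serial), (_, when) = list(der_children(entry))[:2]
                revoked[int.from_bytes(serial, "big")] = parse_time(when.decode())
    return {"this_update": times[0], "next_update": times[1] if len(times) > 1 else None,
            "revoked": revoked}

def audit(index_text, crl_pem, now=None):
    """Revoked CNs, R entries the CRL does not list, and whether the CRL's nextUpdate has passed."""
    now = parse_time(now) if isinstance(now, str) else (now or datetime.now(timezone.utc))
    crl = parse_crl(crl_pem)
    revoked_db = {e["serial"]: e["cn"] for e in parse_index(index_text) if e["status"] == "R"}
    return {"revoked_cns": sorted(revoked_db.values()),
            "missing_from_crl": sorted(s for s in revoked_db if s not in crl["revoked"]),
            "next_update": crl["next_update"],
            "crl_expired": crl["next_update"] is not None and now > crl["next_update"]}

if __name__ == "__main__":
    print(audit(SAMPLE_INDEX, SAMPLE_CRL))
```

Run it against the real files (keys/index.txt and the crl.pem that server.conf actually points to, not the one still sitting in easy-rsa/keys) after every revoke-full: an R entry missing from the deployed CRL means the copy step was forgotten, and crl_expired means the server has been enforcing a CRL that is past its nextUpdate.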
Then add the following to the configuration file:
vim server.conf
crl-verify /usr/local/openvpn-2.1.2/easy-rsa/2.0/keys/crl.pem
Of course, you can also do it this way:
crl-verify /usr/local/openvpn-2.1.2/easy-rsa/2.0/keys/*.pem
Every file under keys ending in .pem is then used, and every certificate listed in them is dropped
After the change, reload or restart openvpn:
/etc/init.d/openvpn reload
/etc/init.d/openvpn restart
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Specifically:
cp keys/crl.pem /etc/openvpn/keys/
echo 'crl-verify /etc/openvpn/keys/crl.pem' >>/etc/openvpn/server.conf
tail -2 /etc/openvpn/server.conf
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Restart the VPN service:
/etc/init.d/openvpn restart
After the restart, the revoked user's client icon no longer turns green, i.e. that user can no longer connect
If you do not want to restart or reload, you only need to merge the backed-up pem file into the file produced after the revocation:
[root@node keys]# cp crl.pem /tmp/crl.pem.1
[root@node 2.0]# ./revoke-full mark1
[root@node keys]# cat /tmp/crl.pem.1 >> crl.pem
To un-revoke users, comment out crl-verify /etc/openvpn/keys/crl.pem and restart the service. If you need to un-revoke a single user instead, then each time you revoke a user you must store the pem file generated by that revocation in its own separate folder, and add multiple lines to the configuration file, one line per user, for example:
1. Running ./revoke-full mark produces a pem file.
2. Create a folder named after the revoked user and copy the pem into it:
mkdir /etc/openvpn/keys/mark
cp /etc/openvpn/keys/crl.pem ./mark
3. Reference it in the configuration file (vim server.conf):
/etc/openvpn/keys/mark/crl.pem