OpenVPN: Revoking and Adding Users (3)

Adding a user: if this is not the first time you are creating a user, you only need to run source ./vars.

[root@node 2.0]# source ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /usr/local/openvpn-2.1.2/easy-rsa/2.0/keys
[root@node 2.0]# ./build-key mark
Generating a 1024 bit RSA private key

If you have not closed this terminal session, adding another user only requires ./build-key <username>.

Revoking a certificate:

[root@node 2.0]# ./revoke-full mark
Using configuration from /usr/local/openvpn-2.1.2/easy-rsa/2.0/openssl.cnf
Revoking Certificate 03.
Data Base Updated
Using configuration from /usr/local/openvpn-2.1.2/easy-rsa/2.0/openssl.cnf
mark.crt: C = CN, ST = shanghai, L = Shanghai, O = Fort-Funston, CN = mark, emailAddress = usertzc@163.com
error 23 at 0 depth lookup:certificate revoked
[root@node 2.0]# 

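Once the revocation completes, crl.pem is generated. The "error 23 ... certificate revoked" line at the end of the output is expected: it shows that verification of the revoked certificate now fails.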

[root@node keys]# cat crl.pem 
-----BEGIN X509 CRL-----
-----END X509 CRL-----
[root@node keys]# 

View the certificates that have been revoked (marked R):

[root@node keys]# cat index.txt
V    260308144601Z        01    unknown    /C=CN/ST=shanghai/L=Shanghai/O=Fort-Funston/CN=server/emailAddress=usertzc@163.com
V    260308145051Z        02    unknown    /C=CN/ST=shanghai/L=Shanghai/O=Fort-Funston/CN=linuxeacom/emailAddress=usertzc@163.com
R    260311112004Z    160313112045Z    03    unknown    /C=CN/ST=shanghai/L=Shanghai/O=Fort-Funston/CN=mark/emailAddress=usertzc@163.com
[root@node keys]# 

Then add the following to the configuration file:

vim server.conf
crl-verify /usr/local/openvpn-2.1.2/easy-rsa/2.0/keys/crl.pem

Of course, you can also do this:

crl-verify /usr/local/openvpn-2.1.2/easy-rsa/2.0/keys/*.pem

Every file under keys ending in .pem is then picked up, and all of them are disconnected.

After making the change, reload or restart OpenVPN:

/etc/init.d/openvpn reload
/etc/init.d/openvpn restart
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
The concrete steps are as follows:
cp keys/crl.pem /etc/openvpn/keys/
echo 'crl-verify /etc/openvpn/keys/crl.pem' >>/etc/openvpn/server.conf
tail -2 /etc/openvpn/server.conf
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
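
A check that the revocation above is actually enforced, as an added example that is not part of the original post: it confirms the user is marked R in index.txt, that server.conf carries a crl-verify line, and that the CRL it names is identical to the freshly generated keys/crl.pem (a copy made before the latest revoke-full is stale). The function names, scratch files and placeholder CRL contents are constructed for the demo, and index.txt is assumed to be tab-separated as OpenSSL writes it.

```shell
#!/bin/sh
# Added example: confirm a revocation is really enforced by the server.
# Assumption: index.txt is tab-separated, as OpenSSL writes it
# (status, expiry, revocation date, serial, filename, subject DN).

# Print "serial<TAB>CN<TAB>revoked-at" for every revoked (R) entry.
revoked_users() {
    awk -F'\t' '$1 == "R" {
        cn = $6; sub(/.*\/CN=/, "", cn); sub(/\/.*/, "", cn)
        split($3, when, ",")        # date may be followed by ",reason"
        print $4 "\t" cn "\t" when[1]
    }' "$1"
}

# Print the file named by the first crl-verify directive; fail if none.
crl_path() {
    awk '$1 == "crl-verify" { print $2; found = 1; exit }
         END { exit !found }' "$1"
}

# check_revocation INDEX CONF GENERATED_CRL CN
# returns 0 enforced, 1 CN not revoked, 2 no crl-verify line,
#         3 deployed CRL missing or different from the generated one
check_revocation() {
    revoked_users "$1" | cut -f2 | grep -qxF -- "$4" || return 1
    deployed=$(crl_path "$2") || return 2
    cmp -s "$3" "$deployed" || return 3
    return 0
}

# Constructed demo data in a scratch directory (not real CA files).
demo=$(mktemp -d)
dn='/C=CN/ST=shanghai/L=Shanghai/O=Fort-Funston'
printf 'V\t260308144601Z\t\t01\tunknown\t%s/CN=server/emailAddress=a@example.com\n' "$dn" > "$demo/index.txt"
printf 'R\t260311112004Z\t160313112045Z\t03\tunknown\t%s/CN=mark/emailAddress=a@example.com\n' "$dn" >> "$demo/index.txt"
echo 'placeholder CRL, after revoke-full' > "$demo/crl.pem"
echo 'placeholder CRL, older copy' > "$demo/deployed.pem"
printf 'port 1194\ncrl-verify %s\n' "$demo/deployed.pem" > "$demo/server.conf"

revoked_users "$demo/index.txt"
rc=0
check_revocation "$demo/index.txt" "$demo/server.conf" "$demo/crl.pem" mark || rc=$?
echo "before re-copying crl.pem: status $rc"
cp "$demo/crl.pem" "$demo/deployed.pem"
rc=0
check_revocation "$demo/index.txt" "$demo/server.conf" "$demo/crl.pem" mark || rc=$?
echo "after re-copying crl.pem: status $rc"
```

On a real server the arguments would be keys/index.txt, /etc/openvpn/server.conf, keys/crl.pem and the user name, run after every revoke-full.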