OpenVPN: revoking and adding users (3)

Adding a user:
If this is not the first time you are creating a user, you only need to source ./vars:

[root@node 2.0]# source ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /usr/local/openvpn-2.1.2/easy-rsa/2.0/keys
[root@node 2.0]# ./build-key mark
Generating a 1024 bit RSA private key

If you have not closed this terminal session, adding further users only needs ./build-key <user>.

Revoking a certificate:

[root@node 2.0]# ./revoke-full mark
Using configuration from /usr/local/openvpn-2.1.2/easy-rsa/2.0/openssl.cnf
Revoking Certificate 03.
Data Base Updated
Using configuration from /usr/local/openvpn-2.1.2/easy-rsa/2.0/openssl.cnf
mark.crt: C = CN, ST = shanghai, L = Shanghai, O = Fort-Funston, CN = mark, emailAddress = usertzc@163.com
error 23 at 0 depth lookup:certificate revoked
[root@node 2.0]# 

When the revocation completes, crl.pem is generated under keys/. Listing it shows the PEM-encoded CRL, a base64 block between -----BEGIN X509 CRL----- and -----END X509 CRL----- lines:

[root@node keys]# cat crl.pem 
[root@node keys]# 

Viewing what has already been revoked (rows marked R):

[root@node keys]# cat index.txt
V   260308144601Z       01  unknown /C=CN/ST=shanghai/L=Shanghai/O=Fort-Funston/CN=server/emailAddress=usertzc@163.com
V   260308145051Z       02  unknown /C=CN/ST=shanghai/L=Shanghai/O=Fort-Funston/CN=linuxeacom/emailAddress=usertzc@163.com
R   260311112004Z   160313112045Z   03  unknown /C=CN/ST=shanghai/L=Shanghai/O=Fort-Funston/CN=mark/emailAddress=usertzc@163.com
[root@node keys]# 
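As an added example (not code from the original post), a small Python check that parses the index.txt format shown above and compares every serial marked R against the serials listed by `openssl crl -in crl.pem -noout -text` on the copy of crl.pem actually deployed, so a stale or mis-copied CRL is caught before a restart. The CRL text embedded below is a constructed stand-in for that openssl output.

```python
import re

# index.txt rows as shown on this page (tabs collapsed to spaces when pasted).
INDEX_TXT = """\
V   260308144601Z       01  unknown /C=CN/ST=shanghai/L=Shanghai/O=Fort-Funston/CN=server/emailAddress=usertzc@163.com
V   260308145051Z       02  unknown /C=CN/ST=shanghai/L=Shanghai/O=Fort-Funston/CN=linuxeacom/emailAddress=usertzc@163.com
R   260311112004Z   160313112045Z   03  unknown /C=CN/ST=shanghai/L=Shanghai/O=Fort-Funston/CN=mark/emailAddress=usertzc@163.com
"""
# Constructed stand-ins for `openssl crl -text` output; only "Serial Number:" lines matter.
CRL_TEXT_FRESH = """\
Certificate Revocation List (CRL):
Revoked Certificates:
    Serial Number: 03
        Revocation Date: Mar 13 11:20:45 2016 GMT
"""
CRL_TEXT_STALE = "Certificate Revocation List (CRL):\nNo Revoked Certificates.\n"

def parse_index(text):
    """Parse easy-rsa index.txt rows: status, expiry, [revocation], serial, file, DN."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if "\t" in line:                      # real index.txt is tab-separated
            parts = line.split("\t")
        else:                                 # pasted output with tabs collapsed
            parts = line.split(None, 5 if line[0] == "R" else 4)
            if line[0] != "R":
                parts.insert(2, "")           # V rows have an empty revocation field
        status, expires, revoked, serial, _fname, dn = parts[:6]
        cn = re.search(r"/CN=([^/]+)", dn)
        entries.append({"status": status, "expires": expires, "revoked": revoked,
                        "serial": int(serial, 16), "cn": cn.group(1) if cn else ""})
    return entries

def crl_serials(crl_text):
    """Serials listed in `openssl crl -text` output, normalised to integers."""
    return {int(s, 16) for s in re.findall(r"Serial Number:\s*([0-9A-Fa-f]+)", crl_text)}

def revoked_not_in_crl(index_text, crl_text):
    """(serial, CN) of users marked R in index.txt that the deployed CRL does not list."""
    in_crl = crl_serials(crl_text)
    return [(f"{e['serial']:02X}", e["cn"]) for e in parse_index(index_text)
            if e["status"] == "R" and e["serial"] not in in_crl]

if __name__ == "__main__":
    print("missing from stale CRL:", revoked_not_in_crl(INDEX_TXT, CRL_TEXT_STALE))
```

On a live server, feed `revoked_not_in_crl` the contents of easy-rsa/2.0/keys/index.txt and the text output of openssl for the crl.pem named by crl-verify in server.conf; a non-empty result means the CA has revoked someone the running OpenVPN will still accept.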

Then add the following to the config file:
vim server.conf
crl-verify /usr/local/openvpn-2.1.2/easy-rsa/2.0/keys/crl.pem

Of course, you can also write it like this:

crl-verify /usr/local/openvpn-2.1.2/easy-rsa/2.0/keys/*.pem

Any file under keys/ ending in .pem is then used, and all of those users are disconnected.

After the change, reload or restart openvpn:

/etc/init.d/openvpn reload
/etc/init.d/openvpn restart
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Specifically:
cp keys/crl.pem /etc/openvpn/keys/
echo 'crl-verify /etc/openvpn/keys/crl.pem' >>/etc/openvpn/server.conf
tail -2 /etc/openvpn/server.conf
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Restart the vpn service:

/etc/init.d/openvpn restart

After the restart, the revoked client's icon no longer turns green (it can no longer connect).

If you do not restart or reload, you only need to back up the current pem file and put it back into the file generated after the revocation:

[root@node keys]# cp crl.pem /tmp/crl.pem.1
[root@node 2.0]# ./revoke-full mark1
[root@node keys]# cat /tmp/crl.pem.1 >> crl.pem

To cancel revocation for everyone, comment out crl-verify /etc/openvpn/keys/crl.pem and restart the service. If you need to cancel it for a single user, then each time you revoke someone, store the pem file produced by that revocation in its own folder and add one line per user to the config file, e.g.:
1. After ./revoke-full mark, a pem file is produced.
2. Create a folder named after the revoked user and copy the pem file into it:
mkdir /etc/openvpn/keys/mark
cp /etc/openvpn/keys/crl.pem ./mark
3. Define it in the config file:
vim server.conf
crl-verify /etc/openvpn/keys/mark/crl.pem


Date: 2016-03-13  Category: Openvpn

Tags: openvpn


One comment:

  1. 尜俊
     August 10th, 2018 at 12:35 pm

     Wildcard revocation with *.pem is not supported; after a restart the service treats the parameter as an error.