OpenVPN 2.2.2: revoking a client certificate
1. Change into the easy-rsa directory and run the revoke command
[root@openvpn-server easy-rsa]# cd /tools/openvpn/openvpn-2.2.2/easy-rsa/2.0/
[root@openvpn-server 2.0]# ls
build-ca        build-key-pkcs12  inherit-inter      openssl-0.9.8.cnf  sign-req
build-dh        build-key-server  keys               openssl-1.0.0.cnf  vars
build-inter     build-req         list-crl           pkitool            vars.20170506
build-key       build-req-pass    Makefile           README             whichopensslcnf
build-key-pass  clean-all         openssl-0.9.6.cnf  revoke-full
[root@openvpn-server 2.0]# source vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /tools/openvpn/openvpn-2.2.2/easy-rsa/2.0/keys
[root@openvpn-server 2.0]# ./revoke-full test
Note: ./revoke-full <name> revokes that user's certificate (keys/<name>.crt) and regenerates keys/crl.pem.
Using configuration from /tools/openvpn/openvpn-2.2.2/easy-rsa/2.0/openssl-1.0.0.cnf
Revoking Certificate 02.
Data Base Updated
Using configuration from /tools/openvpn/openvpn-2.2.2/easy-rsa/2.0/openssl-1.0.0.cnf
test.crt: C = CN, ST = ZJ, L = HangZhou, O = molewan, OU = molewan, CN = test, name = molewan, emailAddress = [email protected]
error 8 at 0 depth lookup:CRL signature failure
140070029928264:error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm:a_verify.c:217:
Note on the output: "Revoking Certificate 02" and "Data Base Updated" show that the revocation was written to keys/index.txt and the CRL was regenerated. The last three lines come from the "openssl verify -crl_check" that revoke-full runs at the end as a self-test; when the CRL can be used, that check ends with "error 23 at 0 depth lookup:certificate revoked". "error 8 ... CRL signature failure" together with "unknown message digest algorithm" means that this OpenSSL could not verify the signature on the freshly generated CRL. The CRL printed in step 2 is signed with md5WithRSAEncryption (the algorithm OID in its first line decodes to that), which is the default_md in easy-rsa 2.0's openssl-1.0.0.cnf; if the CRL has to be verified by OpenSSL rather than only read by OpenVPN, set default_md to sha256 in the cnf file selected by vars and regenerate the CRL. Either way, inspect the CRL with ./list-crl (or openssl crl -in keys/crl.pem -noout -text) before deploying it.
2. Inspect the revocation data
[root@openvpn-server 2.0]# cat keys/crl.pem
Note: this is the certificate revocation list itself (PEM-encoded DER).
-----BEGIN X509 CRL-----
MIIBcjCB3DANBgkqhkiG9w0BAQQFADCBljELMAkGA1UEBhMCQ04xCzAJBgNVBAgT
AlpKMREwDwYDVQQHEwhIYW5nWmhvdTEQMA4GA1UEChMHbW9sZXdhbjEQMA4GA1UE
CxMHbW9sZXdhbjEQMA4GA1UEAxMHbW9sZXdhbjEQMA4GA1UEKRMHbW9sZXdhbjEf
MB0GCSqGSIb3DQEJARYQMzE0MzI0NTA2QHFxLmNvbRcNMTcwNTA5MDgwOTM4WhcN
MTcwNjA4MDgwOTM4WjAUMBICAQIXDTE3MDUwOTA4MDkzOFowDQYJKoZIhvcNAQEE
BQADgYEARaB98TxZIKeEf7JrELHmMQgpjImZVD1KHJ+POE7tuGstz0jzHy3c3Gso
dB2pLPJg3HHrWf63AbvwgnHXUjlT4NxJE9OY2rSpidzTIkV5ib5kxjkdUYBxu8bL
e2uRwt0Gb+s+VypEGIDxOtCVILe7qtAevaOJksPszkGPoyvLx54=
-----END X509 CRL-----
[root@openvpn-server 2.0]# cat keys/index.txt
V  270505134346Z                 01  unknown  /C=CN/ST=ZJ/L=HangZhou/O=molewan/OU=molewan/CN=server/name=molewan/[email protected]
R  270505135734Z  170509080938Z  02  unknown  /C=CN/ST=ZJ/L=HangZhou/O=molewan/OU=molewan/CN=test/name=molewan/[email protected]
V  270505140448Z                 03  unknown  /C=CN/ST=ZJ/L=HangZhou/O=molewan/OU=molewan/CN=ett/name=molewan/[email protected]
V  270507032952Z                 04  unknown  /C=CN/ST=ZJ/L=HangZhou/O=molewan/OU=molewan/CN=wanlong/name=molewan/[email protected]
V  270507034952Z                 05  unknown  /C=CN/ST=ZJ/L=HangZhou/O=molewan/OU=molewan/CN=qinwen/name=molewan/[email protected]
V  270507064737Z                 06  unknown  /C=CN/ST=ZJ/L=HangZhou/O=molewan/OU=molewan/CN=xiaobao/name=molewan/[email protected]
Note: index.txt is the CA database (tab-separated in the real file; the columns are status, expiry date, revocation date, serial number in hex, certificate filename, subject). Lines starting with R are certificates that have been revoked; V means still valid. Here serial 02 (CN=test) is revoked as of 170509080938Z, which matches the single entry in the CRL above.
The CRL also carries a validity window: this one was issued on 2017-05-09 08:09:38 UTC and its nextUpdate is 2017-06-08, 30 days later (default_crl_days in the openssl cnf). Regenerate it before that date, either with another ./revoke-full or with openssl ca -gencrl -config "$KEY_CONFIG" -out keys/crl.pem, and copy the new file to the server; on current OpenVPN releases an expired CRL causes every client connection to be rejected, not just the revoked ones.
3. Copy the CRL into /etc/openvpn/keys
[root@openvpn-server 2.0]# cp keys/crl.pem /etc/openvpn/keys/
Note: copy the generated crl.pem to /etc/openvpn/keys and add the line below to server.conf. With crl-verify set, OpenVPN reads the CRL when a client connects and rejects any client whose certificate serial is listed in it.
[root@openvpn-server openvpn]# echo "crl-verify /etc/openvpn/keys/crl.pem">>/etc/openvpn/server.conf
This echo is only needed the first time you revoke a certificate; do not append the directive again on later revocations, which only require copying the new crl.pem into place.
[root@openvpn-server openvpn]# ll /etc/openvpn/keys/crl.pem
-rw-r--r-- 1 root root 556 May 9 16:15 /etc/openvpn/keys/crl.pem
The CRL contains no secrets, so mode 644 is fine; it only needs to be readable by the user the OpenVPN process runs as.
4. Restart the OpenVPN service so the new directive takes effect
[root@openvpn-server openvpn]# pkill openvpn
[root@openvpn-server openvpn]# ps -ef | grep vpn
root      3112  2391  0 16:18 pts/0    00:00:00 grep vpn
[root@openvpn-server openvpn]# /usr/local/sbin/openvpn --config /etc/openvpn/server.conf &
[1] 3115
[root@openvpn-server openvpn]# ps -ef | grep vpn | grep -v grep
root      3115  2391  0 16:19 pts/0    00:00:00 /usr/local/sbin/openvpn --config /etc/openvpn/server.conf
Note: the restart is required because server.conf gained a new directive. The CRL file itself is re-read on each new client connection, so later revocations take effect as soon as the updated crl.pem is copied into place. pkill openvpn drops every connected client, and starting the daemon with a trailing & ties it to this login shell; on a production server start it with --daemon or through the init script instead.
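To check what revoke-full actually produced before copying crl.pem to the server, the following script (an added example, not code from the article, easy-rsa or OpenVPN) decodes the CRL printed in step 2 straight from its DER encoding and reads the status column of index.txt. It reports the revoked serials, the thisUpdate/nextUpdate window, and the signature algorithm, which for this CRL is md5WithRSAEncryption, the digest that the verify step in revoke-full rejected. The index.txt content is a constructed, shortened copy of the article's listing; the parser covers the CRL fields used here and does not verify the signature.

```python
"""Inspect an easy-rsa/OpenSSL CRL and index.txt without calling openssl.

Added example for the article above, not part of easy-rsa or OpenVPN. It
decodes the DER inside the PEM by hand (RFC 5280 section 5.1) and does not
verify the CRL signature.
"""
import base64
import re
from datetime import datetime

# keys/crl.pem exactly as printed in step 2 of the article.
CRL_PEM = """-----BEGIN X509 CRL-----
MIIBcjCB3DANBgkqhkiG9w0BAQQFADCBljELMAkGA1UEBhMCQ04xCzAJBgNVBAgT
AlpKMREwDwYDVQQHEwhIYW5nWmhvdTEQMA4GA1UEChMHbW9sZXdhbjEQMA4GA1UE
CxMHbW9sZXdhbjEQMA4GA1UEAxMHbW9sZXdhbjEQMA4GA1UEKRMHbW9sZXdhbjEf
MB0GCSqGSIb3DQEJARYQMzE0MzI0NTA2QHFxLmNvbRcNMTcwNTA5MDgwOTM4WhcN
MTcwNjA4MDgwOTM4WjAUMBICAQIXDTE3MDUwOTA4MDkzOFowDQYJKoZIhvcNAQEE
BQADgYEARaB98TxZIKeEf7JrELHmMQgpjImZVD1KHJ+POE7tuGstz0jzHy3c3Gso
dB2pLPJg3HHrWf63AbvwgnHXUjlT4NxJE9OY2rSpidzTIkV5ib5kxjkdUYBxu8bL
e2uRwt0Gb+s+VypEGIDxOtCVILe7qtAevaOJksPszkGPoyvLx54=
-----END X509 CRL-----
"""

# Constructed, shortened copy of keys/index.txt. OpenSSL writes six tab-separated
# columns: status (V/R/E), expiry, revocation date, serial (hex), filename, subject.
INDEX_TXT = (
    "V\t270505134346Z\t\t01\tunknown\t/C=CN/ST=ZJ/O=molewan/CN=server\n"
    "R\t270505135734Z\t170509080938Z\t02\tunknown\t/C=CN/ST=ZJ/O=molewan/CN=test\n"
    "V\t270505140448Z\t\t03\tunknown\t/C=CN/ST=ZJ/O=molewan/CN=ett\n"
)

SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}


def _tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Split a constructed value (SEQUENCE/SET) into its (tag, value) members."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out


def _oid(value):
    """Decode OBJECT IDENTIFIER contents into dotted form."""
    parts, acc = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)


def _utctime(value):
    """UTCTime 'YYMMDDHHMMSSZ'; %y maps 00-68 to 20xx, which covers these dates."""
    return datetime.strptime(value.decode("ascii"), "%y%m%d%H%M%SZ")


def parse_crl(pem):
    """Return issuer, validity window, signature algorithm and revoked serials."""
    b64 = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    _, cert_list, _ = _tlv(base64.b64decode(b64), 0)
    tbs, _sig_alg, _sig = _children(cert_list)  # CertificateList ::= SEQUENCE
    fields = _children(tbs[1])                  # TBSCertList
    if fields[0][0] == 0x02:                    # optional version (v2 CRLs only)
        fields.pop(0)
    alg, issuer, this_upd, next_upd = fields[:4]
    revoked = []
    if len(fields) > 4 and fields[4][0] == 0x30:  # revokedCertificates (optional)
        for _, entry in _children(fields[4][1]):
            serial, rev_date = _children(entry)[:2]
            revoked.append((int.from_bytes(serial[1], "big"), _utctime(rev_date[1])))
    issuer_parts = []
    for _, rdn in _children(issuer[1]):         # RDNSequence: SEQUENCE OF SET
        for _, atv in _children(rdn):           # SET OF AttributeTypeAndValue
            (_, oid), (_, val) = _children(atv)
            issuer_parts.append((_oid(oid), val.decode("latin-1")))
    sig_oid = _oid(_children(alg[1])[0][1])
    return {
        "signature_algorithm": SIG_ALG_NAMES.get(sig_oid, sig_oid),
        "issuer": issuer_parts,
        "this_update": _utctime(this_upd[1]),
        "next_update": _utctime(next_upd[1]),
        "revoked": revoked,
    }


def is_revoked(crl, serial):
    """True if the certificate with this serial number is listed in the CRL."""
    return any(s == serial for s, _ in crl["revoked"])


def crl_expired(crl, now):
    """True once nextUpdate has passed; the server needs a fresh CRL before then."""
    return now > crl["next_update"]


def revoked_from_index(index_txt):
    """Map serial -> CN for every 'R' line of index.txt."""
    out = {}
    for line in index_txt.splitlines():
        status, _expiry, _rev_date, serial, _file, subject = line.split("\t")
        if status == "R":
            cn = re.search(r"/CN=([^/]+)", subject)
            out[int(serial, 16)] = cn.group(1) if cn else subject
    return out


if __name__ == "__main__":
    crl = parse_crl(CRL_PEM)
    print("signed with:", crl["signature_algorithm"])
    print("valid:", crl["this_update"], "->", crl["next_update"])
    print("revoked serials:", [s for s, _ in crl["revoked"]])
    print("index.txt revoked:", revoked_from_index(INDEX_TXT))
```

Run it as is to see the article's CRL decoded; point CRL_PEM and INDEX_TXT at your own keys/crl.pem and keys/index.txt to check that a revocation landed in both places and that the CRL you are about to copy to /etc/openvpn/keys has not already passed its nextUpdate.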
5. Check what the revoked user test sees when dialing in
Reposted from: https://blog.51cto.com/molewan/1923759