
OpenVPN change CRL revoke without restart
Needs testing, HighPublicBUG

Description

Add the ability for `interfaces openvpn` to apply a CRL revocation without restarting the service and dropping all clients.
It does not require restarting the service, according to https://openvpn.net/community-resources/controlling-a-running-openvpn-process/

The CRL file can be modified on the fly, and changes will take effect immediately for new connections, or existing connections which are renegotiating their SSL/TLS channel (occurs once per hour by default).

Current behavior:
Each time you revoke a certificate, connections are reset for all clients (pki crl commit).

In 1.3, a restart was not required.

Example of config:

set interfaces dummy dum0 address '203.0.113.1/32'
set interfaces openvpn vtun10 encryption data-ciphers 'aes256'
set interfaces openvpn vtun10 hash 'sha512'
set interfaces openvpn vtun10 local-host '203.0.113.1'
set interfaces openvpn vtun10 local-port '1194'
set interfaces openvpn vtun10 mode 'server'
set interfaces openvpn vtun10 persistent-tunnel
set interfaces openvpn vtun10 protocol 'udp'
set interfaces openvpn vtun10 server client client1 ip '10.10.0.10'
set interfaces openvpn vtun10 server client client2 ip '10.10.0.11'
set interfaces openvpn vtun10 server domain-name 'vyos.net'
set interfaces openvpn vtun10 server max-connections '250'
set interfaces openvpn vtun10 server name-server '203.0.113.1'
set interfaces openvpn vtun10 server subnet '10.10.0.0/24'
set interfaces openvpn vtun10 server topology 'subnet'
set interfaces openvpn vtun10 tls ca-certificate 'ca'
set interfaces openvpn vtun10 tls certificate 'cert'
set interfaces openvpn vtun10 tls dh-params 'dh'
set interfaces openvpn vtun10 tls tls-version-min '1.0'
set pki ca ca certificate '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'
set pki ca ca private key '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'
set pki certificate cert certificate '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'
set pki certificate cert private key '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'
set pki certificate client1 certificate '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'
set pki certificate client1 private key 'MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCjDPiPoJLlqmot2Opb26/FK+AB692KVQABKA8E3B6aBp3SLAHmMyjfe2cT4tLGX7GtBlrJ3t+6MpNyOhYOT2dmImI3/9x1x9bvzEpThYe3onnxN/MNO1VhSCXwROz6EAO8RrqTeXTgsOC3K8eIpMOxOp6JKZvF/inCDCm+si8xrXxL1KE0a6+tZlKYJVKZ+XCvI7kKG97eDSeFAZvpF3KRrYeQweVbUSBKfTTx4LVJtBtUxSrBhRgoW/Q8NNnH4S3vWiQ6VBxT7S6PXWTiOSGV03Bo/mRBR0/C9LwjkLyAJRzYForeDZk/tzYw/0eQHoiMTyt+B3N1h562dG+YoJ9bAgMBAAECggEABENXDl5K6PFTNF6rBfrQ9i1G/pXdpXvCc8VJ2z0sGafZoYCgDhZBV9KAp+7yxtgCq7zyS7vlipc+7qohIH+n+u4kNkWczIGMl5l2SgfAPCdl2840LyDhgxkhUM5kicc4achJoYh361YEkhV1cpeoPC6FrZ1mYr9Z9SZfQwqinEBbsOOej520epa45WVEXNFZztGGV57Zb7565z3Ajdgx06ZT6Z7eccgfvbKbrGUlsXAXAz4yfW4kAqK0AwQcs/PKJ1f3RCEqqYS74s24lhBzGoAr8V4OD2IW9e+f996jxdRrswBO/WSxAMfkiYx9aFfWyxIBVlmDZfI7ALyhdY2dMQKBgQDmAiMH4+dcsvB2VKNzzBXzyPgICw0tQI/zpJFTadOl+WYomlKWoFkumRLyq2C26f1USvND98uYnQUjNFN4DHuNYLxYT58p1UzHMedm3kq0BGp4j3Ba861dCLOemUMlE0gyU51z2rxyQ+BpU8s00dWgaWOrMOTIC25FR4T0xmx6awKBgQC1edRXngRFyYBSH8ahnI3co++bnDMQi8wjtVAeIJTmF1Jq2QkIQ89z7GBq6YYuPpRF58y2XN2pj0QxqTdBTV0YbqBlChdcBPROoit1C8UExSL7WtzILFZK3utyoBmA8eBZFiN751oOoqloxgrFJ21ECDUFSmTRSzpzD4W/qvmK0QKBgAWa1bmyfwfOQHfRti3zMjG/mvOvOUH6Ccf5IaVztbmcqzWgFRUgkSvGhSSusmuipg6wyN7GIgr1AJQMCWCqhTQ7wDsyrYE6dmWAPNBP6Ggcl2+apzVALOBQfvgFahJ0NtUrHnIdSWxLZSOL7C68UkVXbBtW1KxfQu+jP4UrdKdDAoGALxlUa/z93OLkI+xNUApiox4FBNzwP94YeDgJeBg6rNDmugZkGroGsG5rw7Oh+ISTVOVJMxc9DFG7gCwLxC4A+GNVy4Nn9qDuiy35m2IXmxpS7utxG56uMrZSYyh8FgQwls5xHSo5LE05LJEhoHOQHzUGFb5uFgexPsWLj+ge5dECgYAWoi5vKCJWm4/t6A0W8HCEPCBXO7/MIeA2HrZ7ofrL6Bp/fDJSWqs10ZCcPVoy9sdIgAI1blHGWosLE9bRfx2DKn44igdCuSho/xJXhsjyJTpArD91UD7gdeRkZ2GqYJi9vdI+TBI3PsvWQ8F+jlShSD1EGmPvqF8twBaB71PMdw=='
set pki certificate client2 certificate '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'
set pki certificate client2 private key 'MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDtVdmkySv9Gd36rSilRHhc10dppra0f5lWq33uAIijCMBhclZj1Gg+SamXcNqB4sQPtGyT3iheOBcWQzTmxSN83K2wPXY6bUmnIpUPwUW0I68Hv3RJXgvopbBIsx9SXOWoJ4edTOvJKMsvrQxBIGnMaXmj3niXnXAbbe2Rab5ACTvcr6BKREPL8SlqVS6mpuKQR1lEJkf7a56oAqIGbnqWv3R/mnMnev2FTv7tb5ljE+C3AviZlsv9T280MYDYJfL73hOJujjqA1Bqb5S9N8Pa8ihxow5U8IraJ83aBPIIvHNJ943zMydBOLG9gqOU2bY5mZfL79TwWwsQDtLvqMbpAgMBAAECggEAY+1NHWIsWL0u5tBIeEk7ak+j/Dpa2+WLoN/EvlRQM2DIa18SO6cfmvY15xL3lU9uoHQlcR7NHVp9cfyrBe0EE5rwsG84W8JPDAV2AHOuTvnlRJxaMFfeKL62We29JtcBRQsbwOG1tvUrk6/HJJaqpQvV0OanHKMHpCzlJWAB4ACTtGJ2GgwcMnzJ3mKjBZOH/k3HzK7AnUeEmJq/pTp1n6kXwD7p2+GzwZkTzSi70r7LDWOR+i9R0ly6rkqTUoyWZCxTptVy47bCpdQv9pyCA2sPPUVGlXxM+WxaF5kvgbTKqesvDOqFdubC43VQcKdwXL/WiVp4OsrGfFlO9/8GZwKBgQD5cmkYxylCk4LeCwtNJzfwFjVQYS+vWjRwnbi4clhhnMBJLe4cGloybPvejnGxWDGE3v9dmeZoFBh1nkILathoZhclgeh9d1GkgioDxnrjbdz7G6UGBtLX6esPra8vZn41Jq4NgvXCGmCZr1QIlGfPZpPpsKm6MlqpbdHpGhsauwKBgQDzkfyLsQvCbdiwz7H/vZjbm/VzGwW5omNPRW89AcwG6Xw/+0w2408Z1w3XuJWzf9OdLeLL8durg29YTMsgc+ea12/X1SA1e74tzloP8o3L7ZSpvXgj5haDjlB7D1OADyBVR1rg+/tyYKoR68BOP7bbXDK5fjIVLrlAoxH4JrkEqwKBgCeYjKw9OQRza+uZLzMRDaUTsWTP+ITKOdbCgobsx7C+9BrpqolVeYnVmOmMDOoMyNeBmmGeQ1+0COnqtCshy7ZOtk/i3ifEX/ZQHyE4SVt+nfxSOBDL1n4liIWVmWBZ0aDYQfqtFhu4mirrFNjDzfKzIrmOrHJ8+b05TH/HABRvAoGBANmbSKyo3V+0cc7tkBJymjlBqdVPhBroOJ9e4lX34Acg3G/xHJNBG69zUZuz/pLilfWsRB5/Ewm1oGmcGjIBOx88cGC8uUzvI+aaoB31Tretp47KhqZT7zNTlxWKiMg1O2bVHB07Itd6AxeFr0Z5Z+2s/mh4lVgVaU6VIf244r2HAoGBAJNwTg2srlQlBr0LiUy0ij8SsdbGSsIwVymMuuFUFt7Z2PE6e6AGG4jOBFJzW6iSbkG2+8GXRrBNMX69nrYfrYNMIjO1P9PGRfgbM8nHUnPW3PlB4KYEzxChkUYu5kbVm3EzBjlM66fNrFP86SzExLj5Pqp2CrfXF2nnAC1KPffV'
set pki dh dh parameters 'MIIBCAKCAQEA+1eL8L4DAmniAvmBG1AAgHqCzYjF7zt+ES+L2reSo4RFRcqvZ1zWpHB6wmB5KFZ6na4qhyHbqfNckK2PQnqI4fSvahSzsxY9PaknzPiXM+Oyc8Kqw7VSa6ywraTDOwNMfoF1UxsT8ISo5mmeSmzGXtxHwjlkBOhJU7sdjImbiMJ6nhxTx1+GoAU3V9LxgwFLeEZNRZRfflJU6SWmLSMf6mDaTYVPym5DaMoam+/cGVLquEnXFroc7CeSJQ8QLGcKSUTiw1j7QRFg5a47wVYH43+8uKHHIlWmGfmY76Kj+DYiO3LE52wOeeiWafWRPR5PtqbgBEJIiBmTgfOEAyPIFwIBAg=='

We want to revoke the certificate of client1:

vyos@r14# run show openvpn server 

OpenVPN status on vtun10

Client CN    Remote Host            Tunnel IP    Local Host        TX bytes    RX bytes    Connected Since
-----------  ---------------------  -----------  ----------------  ----------  ----------  -------------------
client2      192.168.122.15:56988   10.10.0.11   203.0.113.1:1194  5.2 KB      5.3 KB      2024-12-09 12:52:48
client1      192.168.122.199:36649  10.10.0.10   203.0.113.1:1194  5.0 KB      5.3 KB      2024-12-09 12:53:05

[edit]
vyos@r14# 
vyos@r14# set pki certificate client1 revoke
[edit]
vyos@r14# run generate pki crl ca install
1 value(s) installed. Use "compare" to see the pending changes, and "commit" to apply.
[edit]
vyos@r14# commit

DEBUG: systemctl reload-or-restart openvpn@vtun10.service

vyos@r14#

All clients were dropped due to restart:

vyos@r14# run show openvpn server 

OpenVPN status on vtun10

Client CN    Remote Host    Tunnel IP    Local Host    TX bytes    RX bytes    Connected Since
-----------  -------------  -----------  ------------  ----------  ----------  -----------------

[edit]
vyos@r14#

PKI calls the interfaces_openvpn.py script, and the CRL changes are written here: https://github.com/vyos/vyos-1x/blob/6733ebcf129193a373eca870ebe5f2d6d65b9476/src/conf_mode/interfaces_openvpn.py#L635-L638

Details

Version
-
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Feature (new functionality)

Event Timeline

Viacheslav triaged this task as Normal priority.
Viacheslav changed the subtype of this task from "Feature Request" to "Bug".Nov 20 2024, 3:55 PM
Viacheslav updated the task description. (Show Details)

Some thoughts.

  1. Initially, the server should start with the crl-verify xxxx_crl.pem option; otherwise the openvpn@vtunXX.service must be restarted when the first revocation happens https://github.com/vyos/vyos-1x/blob/current/data/templates/openvpn/server.conf.j2#L179C1-L181C16 We can try to add a path to an empty _crl.pem file. Is this reasonable?
  2. We get the information for the CRL template from https://github.com/vyos/vyos-1x/blob/6a7766ec1fbb73edff908db9a7845941a7bf0391/src/conf_mode/interfaces_openvpn.py#L635-L640 (for each interface and its files) only if we have at least one pki crl. If there is no CRL, there is nothing to generate into the vtunXX.conf template. Return to point 1 (try to generate an empty crl.pem file).
  3. We should check which script calls interfaces_openvpn.py; if it is called from pki.py (as a dependency), then we should update/write the PKI keys and not reload/restart the openvpn@vtunXX.service. Ideally, also check that only "crl" was changed in the dictionary and nothing else.
Viacheslav raised the priority of this task from Normal to High.Dec 13 2024, 4:41 PM

Clients cannot connect when the CRL file is empty; OpenVPN rejects the handshake with "VERIFY ERROR: CRL not loaded":

# vyos@r14:~$ sudo cat /run/openvpn/vtun10_crl.pem 
# vyos@r14:~$ 

Dec 16 12:35:23 r14 openvpn-vtun10[5367]: 192.168.122.199:58108 VERIFY WARNING: depth=0, unable to get certificate CRL: C=US, ST=California, L=Dnipro, O=VyOS, CN=client1
Dec 16 12:35:23 r14 openvpn-vtun10[5367]: 192.168.122.199:58108 VERIFY WARNING: depth=1, unable to get certificate CRL: C=US, ST=California, L=Los-Angeles, O=VyOS, CN=vyos.io
Dec 16 12:35:23 r14 openvpn-vtun10[5367]: 192.168.122.199:58108 VERIFY ERROR: CRL not loaded
Dec 16 12:35:23 r14 openvpn-vtun10[5367]: 192.168.122.199:58108 OpenSSL: error:0A000086:SSL routines::certificate verify failed
Dec 16 12:35:23 r14 openvpn-vtun10[5367]: 192.168.122.199:58108 TLS_ERROR: BIO read tls_read_plaintext error
Dec 16 12:35:23 r14 openvpn-vtun10[5367]: 192.168.122.199:58108 TLS Error: TLS object -> incoming plaintext read error
Dec 16 12:35:23 r14 openvpn-vtun10[5367]: 192.168.122.199:58108 TLS Error: TLS handshake failed
Dec 16 12:35:23 r14 openvpn-vtun10[5367]: 192.168.122.199:58108 SIGUSR1[soft,tls-error] received, client-instance restarting
HollyGurza changed the task status from Open to In progress.Dec 20 2024, 7:24 AM
Viacheslav changed the task status from In progress to Needs testing.Dec 31 2024, 10:52 AM

The issue still exists: other clients cannot connect after a certificate is revoked.
Config:

set interfaces dummy dum0 address '203.0.113.1/32'
set interfaces openvpn vtun10 encryption ncp-ciphers 'aes256'
set interfaces openvpn vtun10 hash 'sha512'
set interfaces openvpn vtun10 local-host '203.0.113.1'
set interfaces openvpn vtun10 local-port '1194'
set interfaces openvpn vtun10 mode 'server'
set interfaces openvpn vtun10 persistent-tunnel
set interfaces openvpn vtun10 protocol 'udp'
set interfaces openvpn vtun10 server domain-name 'vyos.net'
set interfaces openvpn vtun10 server max-connections '250'
set interfaces openvpn vtun10 server name-server '203.0.113.1'
set interfaces openvpn vtun10 server subnet '10.10.0.0/24'
set interfaces openvpn vtun10 server topology 'subnet'
set interfaces openvpn vtun10 tls ca-certificate 'ca'
set interfaces openvpn vtun10 tls certificate 'cert'
set interfaces openvpn vtun10 tls dh-params 'dh'
set interfaces openvpn vtun10 tls tls-version-min '1.0'
set pki ca ca certificate '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'
set pki ca ca private key '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'
set pki certificate cert certificate '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'
set pki certificate cert private key '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'
set pki certificate client1 certificate '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'
set pki certificate client1 private key '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'
set pki certificate client2 certificate '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'
set pki certificate client2 private key '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'
set pki certificate client3 certificate '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'
set pki certificate client3 private key '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'
set pki certificate client4 certificate 'MIIDsTCCApmgAwIBAgIUS1shCQmptxbFJZA91TQ4YbWx9OowDQYJKoZIhvcNAQELBQAwVzELMAkGA1UEBhMCVVMxEzARBgNVBAgMClNvbWUtU3RhdGUxEjAQBgNVBAcMCVNvbWUtQ2l0eTENMAsGA1UECgwEVnlPUzEQMA4GA1UEAwwHdnlvcy5pbzAeFw0yNTAxMDMxMTMwNTBaFw0yNjAxMDMxMTMwNTBaMFcxCzAJBgNVBAYTAkdCMRMwEQYDVQQIDApTb21lLVN0YXRlMRIwEAYDVQQHDAlTb21lLUNpdHkxDTALBgNVBAoMBFZ5T1MxEDAOBgNVBAMMB2NsaWVudDQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDQ12mL/gSwszYp9JPTgvrN+WMMxvC9nz0nG4gsoCa4+OeqRxBJba7ztkdoAJVIN0TbeUXPGDnosiyFqfkobLAZz00tEVGQtQtChKBskyiPkBAkoX1pvlxt7aNC5lfQy8GOqLTu8wQwbKBhrVzgm4fmFIo3bvv3n57OHmhyv/o0nJ7nYFdBpHm3N20C+D3qegi08oXidHbDtJsKZdT8WCTL2MoNulrg/1iA6wqMI5vi017znvhZ5ZBD5AhrzyzyFO8QDzsvSfpMmeik+TAGIDuRwwKF+3hZfZJjDY8ZBlwbGA8ZnzcB3P3WelAlAJwFx/Pkp5Gj7zXmfFhiL+k52uhZAgMBAAGjdTBzMAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMCMB0GA1UdDgQWBBQTEDScqYF3dRx/EeyR5JGnvlkdZzAfBgNVHSMEGDAWgBQ7J9gy4r2R4c/uPYl7ZJlCxTtvcTANBgkqhkiG9w0BAQsFAAOCAQEAdt9jm/EZ7CgNuUYQOUjjqb+P+2CkBtor9J8xA+MUH6YuoaZDfX4HF4nHChAAttpvMJuBwy/iGr8VRiinacr7FYjZY5z4mb850ktZzRaNHguyJen62f7iv6pBFKMDYDEPZOnZGRlmODJBZ19656XUxWPeimxItIeN3S/jNcxPBGE6S//Ewzygz1kOO81pgnT6OcpnaNAbeVOjF6eLOPPO/rr7a1DmmQy+DYwYJqwIJKM3rCU6py+M9taI5xIto5eZFSdwvPMHjz/UNDLUp+dtBvFe/K6Id+I2IEJ8CuJyolxf/H5Rwn2/sG1aIKgn9ldHV9TNS6KdQbysmGtP8OpzKw=='
set pki certificate client4 private key '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'
set pki certificate client5 certificate 'MIIDsTCCApmgAwIBAgIUDa4cCdYyrDgtP+yTIf0IDXGKmxcwDQYJKoZIhvcNAQELBQAwVzELMAkGA1UEBhMCVVMxEzARBgNVBAgMClNvbWUtU3RhdGUxEjAQBgNVBAcMCVNvbWUtQ2l0eTENMAsGA1UECgwEVnlPUzEQMA4GA1UEAwwHdnlvcy5pbzAeFw0yNTAxMDMxNjU4MTNaFw0yNjAxMDMxNjU4MTNaMFcxCzAJBgNVBAYTAkdCMRMwEQYDVQQIDApTb21lLVN0YXRlMRIwEAYDVQQHDAlTb21lLUNpdHkxDTALBgNVBAoMBFZ5T1MxEDAOBgNVBAMMB2NsaWVudDUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCyJS7gmNRDw0I9qaGc6cUpYSrMrF8rp1bevcbMe+D2NRfhi38M4epbSPIH7GZzWtZNeoo2//Z4IbiDWTj7gZLXjZ8Izh5sYPlPt2X7pBTx6ohkPI+x46RvkogUp2PKYmh20ZOIpLkee5rePTqVMer5Gknq0h6HIzeLgsw/xjm5rHAXUgrt0EIaJ0VFWpoaocpR2H0H/0ahr92KVJY8Xo26act/VKwjz0v91P18zN+2edqlYW2B38xHNCj+/tr9Ip5CRVdkFMjPps+o6XsJnlOgkcCLFJheOuyFwnU/aswPpxbEUL7Z2orqpWoxv8rxlMjgU8/6ETSiRWmCHrJ6O+lJAgMBAAGjdTBzMAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMCMB0GA1UdDgQWBBQdzDTkPrBWx5UzXE4izgRJjPF7bTAfBgNVHSMEGDAWgBQ7J9gy4r2R4c/uPYl7ZJlCxTtvcTANBgkqhkiG9w0BAQsFAAOCAQEAe2ecwF5EvdoIIXbNQvLvwN7zNZOaXJ7z6hDGfwqrz5SbI+YogvFilbBKA+XdwXuQkDOe7mN4vU/gHVtBniAEA8b+dIGA77kCnOQB7AfUNXqejJD8GNzSEXaBz5LK61M767G2m6dBpZcU5Nue4qZTU4tgs0MmeDuUn4d9o8qcF3nHRyhyjVHpG6FzOTxcQ93YQJto3lMPVr95LljmWPp8kIa94YdaAJWpRDgK3Sepn8sqaVsaSIqwsZqGvtdPXZrbXhIHHDzG8CoGPt/l7m9d2BihDjXVdA1Qw+hODZucG6Js2FvnKJwynuOYJNV0bGI1u7ftyj9gNUbrH2NfAEguYQ=='
set pki certificate client5 private key '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'
set pki dh dh parameters 'MIIBCAKCAQEAtjav5jR9+sK5iZ79gpdjauHCAQgmuXVQ78RBQWklRZzY6qsG60J7yfVcLofJBxCLzzIzk2YENfXtsdRIS9gRec5FogfwgIEOoW1yZUPCdW0g5UAjLOgvpw/tuSly5YvM1r0GEkLI+gdCaFPscw76KurDw1a1R5W7KTz1k4pbqtNE0KRklMSaTuuZ7uOAxOOrr3Hk3nIsc3jUB+RYdiR5Thlxwrdbv8KKIK5fRwhojIySQv83Xb+ANKl1wP5HwJXS6+eOSiqBH4dLPKy080WgaS1fIYa6/UUJoO4IkYPGaK/PSE0aPFwSyOZe0Rev75zewPIzWmTy/YvHuDYrnjYZXwIBAg=='

Check the certs and revoke:

vyos@r14# run show openvpn server 

OpenVPN status on vtun10

Client CN    Remote Host            Tunnel IP    Local Host        TX bytes    RX bytes    Connected Since
-----------  ---------------------  -----------  ----------------  ----------  ----------  -------------------
client1      192.168.122.199:34613  10.10.0.4    203.0.113.1:1194  7.6 KB      23.4 KB     2025-01-03 15:19:45
client2      192.168.122.15:51105   10.10.0.2    203.0.113.1:1194  8.7 KB      8.8 KB      2025-01-03 15:18:02
client4      192.168.122.164:51882  10.10.0.3    203.0.113.1:1194  8.7 KB      8.8 KB      2025-01-03 15:18:06
client3      192.168.122.199:43065  10.10.0.5    203.0.113.1:1194  7.6 KB      8.2 KB      2025-01-03 15:19:47

[edit]
vyos@r14# 

vyos@r14# run show pki 
Certificate Authorities:
Name    Subject                                           Issuer CN    Issued               Expiry               Private Key    Parent
------  ------------------------------------------------  -----------  -------------------  -------------------  -------------  --------
ca      CN=vyos.io,O=VyOS,L=Some-City,ST=Some-State,C=US  CN=vyos.io   2025-01-03 10:19:59  2030-01-02 10:19:59  Yes            N/A

Certificates:
Name     Type    Subject CN    Issuer CN    Issued               Expiry               Revoked    Private Key    CA Present
-------  ------  ------------  -----------  -------------------  -------------------  ---------  -------------  ------------
cert     Server  CN=vyos.io    CN=vyos.io   2025-01-03 11:34:20  2026-01-03 11:34:20  No         Yes            Yes (ca)
client1  Client  CN=client1    CN=vyos.io   2025-01-03 11:29:34  2026-01-03 11:29:34  No         Yes            Yes (ca)
client2  Client  CN=client2    CN=vyos.io   2025-01-03 11:29:58  2026-01-03 11:29:58  No         Yes            Yes (ca)
client3  Client  CN=client3    CN=vyos.io   2025-01-03 11:30:24  2026-01-03 11:30:24  No         Yes            Yes (ca)
client4  Client  CN=client4    CN=vyos.io   2025-01-03 11:30:50  2026-01-03 11:30:50  No         Yes            Yes (ca)
client5  Client  CN=client5    CN=vyos.io   2025-01-03 13:17:38  2026-01-03 13:17:38  No         Yes            Yes (ca)

Certificate Revocation Lists:
CA Name    Updated    Revokes
---------  ---------  ---------
[edit]
vyos@r14# 

vyos@r14# set pki certificate client5 revoke
[edit]
vyos@r14# run generate pki crl ca install
1 value(s) installed. Use "compare" to see the pending changes, and "commit" to apply.
[edit]
vyos@r14# 
[edit]
vyos@r14# commit
[edit]
vyos@r14#

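Logs (clients that were not revoked, client2 and client4, now fail verification with "CRL is not yet valid"; this OpenSSL error normally means the CRL's lastUpdate time is later than the verifier's current time, so a clock or timezone offset at CRL generation is worth checking):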

Jan 03 15:30:09 r14 openvpn-vtun10[15598]: 192.168.122.15:39097 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Jan 03 15:30:09 r14 openvpn-vtun10[15598]: 192.168.122.15:39097 TLS Error: TLS handshake failed
Jan 03 15:30:09 r14 openvpn-vtun10[15598]: 192.168.122.15:39097 SIGUSR1[soft,tls-error] received, client-instance restarting
Jan 03 15:30:10 r14 openvpn-vtun10[15598]: 192.168.122.15:59135 VERIFY ERROR: depth=0, error=CRL is not yet valid: C=GB, ST=Some-State, L=Some-City, O=VyOS, CN=client2, serial=646728699577171290781953288943785706532970335838
Jan 03 15:30:10 r14 openvpn-vtun10[15598]: 192.168.122.15:59135 OpenSSL: error:0A000086:SSL routines::certificate verify failed
Jan 03 15:30:10 r14 openvpn-vtun10[15598]: 192.168.122.15:59135 TLS_ERROR: BIO read tls_read_plaintext error
Jan 03 15:30:10 r14 openvpn-vtun10[15598]: 192.168.122.15:59135 TLS Error: TLS object -> incoming plaintext read error
Jan 03 15:30:10 r14 openvpn-vtun10[15598]: 192.168.122.15:59135 TLS Error: TLS handshake failed
Jan 03 15:30:10 r14 openvpn-vtun10[15598]: 192.168.122.15:59135 SIGUSR1[soft,tls-error] received, client-instance restarting
Jan 03 15:30:39 r14 openvpn-vtun10[15598]: 192.168.122.199:34613 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Jan 03 15:30:39 r14 openvpn-vtun10[15598]: 192.168.122.199:34613 TLS Error: TLS handshake failed
Jan 03 15:30:39 r14 openvpn-vtun10[15598]: 192.168.122.199:34613 SIGUSR1[soft,tls-error] received, client-instance restarting
Jan 03 15:30:40 r14 openvpn-vtun10[15598]: 192.168.122.164:56978 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Jan 03 15:30:40 r14 openvpn-vtun10[15598]: 192.168.122.164:56978 TLS Error: TLS handshake failed
Jan 03 15:30:40 r14 openvpn-vtun10[15598]: 192.168.122.164:56978 SIGUSR1[soft,tls-error] received, client-instance restarting
Jan 03 15:30:41 r14 openvpn-vtun10[15598]: 192.168.122.164:50558 VERIFY ERROR: depth=0, error=CRL is not yet valid: C=GB, ST=Some-State, L=Some-City, O=VyOS, CN=client4, serial=430206553405675565016098681603092126867364377834
Jan 03 15:30:41 r14 openvpn-vtun10[15598]: 192.168.122.164:50558 OpenSSL: error:0A000086:SSL routines::certificate verify failed
Jan 03 15:30:41 r14 openvpn-vtun10[15598]: 192.168.122.164:50558 TLS_ERROR: BIO read tls_read_plaintext error
Jan 03 15:30:41 r14 openvpn-vtun10[15598]: 192.168.122.164:50558 TLS Error: TLS object -> incoming plaintext read error
Jan 03 15:30:41 r14 openvpn-vtun10[15598]: 192.168.122.164:50558 TLS Error: TLS handshake failed
Jan 03 15:30:41 r14 openvpn-vtun10[15598]: 192.168.122.164:50558 SIGUSR1[soft,tls-error] received, client-instance restarting
Jan 03 15:30:41 r14 openvpn-vtun10[15598]: 192.168.122.199:43065 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Jan 03 15:30:41 r14 openvpn-vtun10[15598]: 192.168.122.199:43065 TLS Error: TLS handshake failed
Jan 03 15:30:41 r14 openvpn-vtun10[15598]: 192.168.122.199:43065 SIGUSR1[soft,tls-error] received, client-instance restarting
Jan 03 15:31:10 r14 openvpn-vtun10[15598]: 192.168.122.15:59135 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Jan 03 15:31:10 r14 openvpn-vtun10[15598]: 192.168.122.15:59135 TLS Error: TLS handshake failed
Jan 03 15:31:10 r14 openvpn-vtun10[15598]: 192.168.122.15:59135 SIGUSR1[soft,tls-error] received, client-instance restarting
Jan 03 15:31:11 r14 openvpn-vtun10[15598]: 192.168.122.15:48620 VERIFY ERROR: depth=0, error=CRL is not yet valid: C=GB, ST=Some-State, L=Some-City, O=VyOS, CN=client2, serial=646728699577171290781953288943785706532970335838
Jan 03 15:31:11 r14 openvpn-vtun10[15598]: 192.168.122.15:48620 OpenSSL: error:0A000086:SSL routines::certificate verify failed
Jan 03 15:31:11 r14 openvpn-vtun10[15598]: 192.168.122.15:48620 TLS_ERROR: BIO read tls_read_plaintext error
Jan 03 15:31:11 r14 openvpn-vtun10[15598]: 192.168.122.15:48620 TLS Error: TLS object -> incoming plaintext read error
Jan 03 15:31:11 r14 openvpn-vtun10[15598]: 192.168.122.15:48620 TLS Error: TLS handshake failed
Jan 03 15:31:11 r14 openvpn-vtun10[15598]: 192.168.122.15:48620 SIGUSR1[soft,tls-error] received, client-instance restarting

Jan 03 15:31:32 r14 openvpn-vtun10[15598]: 192.168.122.15:37132 VERIFY ERROR: depth=0, error=CRL is not yet valid: C=GB, ST=Some-State, L=Some-City, O=VyOS, CN=client2, serial=646728699577171290781953288943785706532970335838
Jan 03 15:31:32 r14 openvpn-vtun10[15598]: 192.168.122.15:37132 OpenSSL: error:0A000086:SSL routines::certificate verify failed
Jan 03 15:31:32 r14 openvpn-vtun10[15598]: 192.168.122.15:37132 TLS_ERROR: BIO read tls_read_plaintext error
Jan 03 15:31:32 r14 openvpn-vtun10[15598]: 192.168.122.15:37132 TLS Error: TLS object -> incoming plaintext read error
Jan 03 15:31:32 r14 openvpn-vtun10[15598]: 192.168.122.15:37132 TLS Error: TLS handshake failed
Jan 03 15:31:32 r14 openvpn-vtun10[15598]: 192.168.122.15:37132 SIGUSR1[soft,tls-error] received, client-instance restarting