OpenVPN revoke the same certificate name does not work
To reproduce on the OpenVPN server
- Add client1 certificate
run generate pki certificate sign ca install client1
- Reovoke this cer
set pki certificate client1 revoke run generate pki crl ca install commit
- Delete client certificate
del pki certificate client1
- Generate certificate client1 again
run generate pki certificate sign ca install client1
- Revoke the certificate client1
set pki certificate client1 revoke run generate pki crl ca install commit
After this client can connect to the server anyway:
The configuration:
set interfaces dummy dum0 address '203.0.113.1/32' set interfaces openvpn vtun10 encryption data-ciphers 'aes256' set interfaces openvpn vtun10 hash 'sha512' set interfaces openvpn vtun10 local-host '203.0.113.1' set interfaces openvpn vtun10 local-port '1194' set interfaces openvpn vtun10 mode 'server' set interfaces openvpn vtun10 persistent-tunnel set interfaces openvpn vtun10 protocol 'udp' set interfaces openvpn vtun10 server client client1 ip '10.10.0.10' set interfaces openvpn vtun10 server client client2 ip '10.10.0.11' set interfaces openvpn vtun10 server domain-name 'vyos.net' set interfaces openvpn vtun10 server max-connections '250' set interfaces openvpn vtun10 server name-server '203.0.113.1' set interfaces openvpn vtun10 server subnet '10.10.0.0/24' set interfaces openvpn vtun10 server topology 'subnet' set interfaces openvpn vtun10 tls ca-certificate 'ca' set interfaces openvpn vtun10 tls certificate 'cert' set interfaces openvpn vtun10 tls dh-params 'dh' set interfaces openvpn vtun10 tls tls-version-min '1.0' set pki ca ca certificate 'MIIDoTCCAomgAwIBAgIUDB7GMbRHC3/Xuwz/ogjz7fZOm8gwDQYJKoZIhvcNAQELBQAwWTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFDASBgNVBAcMC0xvcy1BbmdlbGVzMQ0wCwYDVQQKDARWeU9TMRAwDgYDVQQDDAd2eW9zLmlvMB4XDTI0MTIwMzA5NTAzN1oXDTI5MTIwMjA5NTAzN1owWTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFDASBgNVBAcMC0xvcy1BbmdlbGVzMQ0wCwYDVQQKDARWeU9TMRAwDgYDVQQDDAd2eW9zLmlvMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqACEiyk5ZwBB2zH7pKQU7GVr/0OBlaQ7mRPFMdt7YNaCb6Ww7mWBwdrww1Z9JZaZ2Sn7O5/tXln3E0EE7QJtGf/4JkV4F8le6dUXsjP2Bz/H5Fy30B/19Yw9k1no3q4yuce1ALEEZfbOpB+Q6caadVG/QD2pE/SPegWKNXC5RRs0PwqP+0po107Rn7Gt70BOgKTWkK4Wk9tpmUPZDbH/oaHGlsQgZ6Er1Z3k70BOryDF+/UbT7LKgBPJrXLzVMNpipdXs2W1Ty67iUuW7+ouVrDFv4hwNtfmYRXeSWh9Sg0zLdMg3c9QGv8FRhRfkjO+iA7cHr2+hOTpizzwxvqdOwIDAQABo2EwXzAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwHQYDVR0OBBYEFPhEfpn+1viLr+Nc+GZ3DyINXslpMA0GCSqGSIb3DQEBCwUAA4IBAQBfckfDuCSYPZwGnNqo148Pj5I+hHEij9xRiUFV2RFr/z5jFSEqzI7jCUAyTX0m0ODU2yNl6STCVqiZIChMzSMMLNOEeq90xJZMr/DWK87xXNY9tqmF3Kg0pZ/xWajfBL2S1LCNv6tGFC81MpA0RL/RiUnuhq/zDNyWro/Y1DivzqO1jDYbHewUOogwj5Ou6ynnzRdlIZY+6C+juE7DWZbw0b0Hzm9EBplfs3PKYjX8fn+BuCrPSs45cl/8tUXDPwN+XdDSWfPEOHBImenXusP0Sv1VPoRXl3mjIgAs/nFa5T6qyXCteaEFn/zuj99N1USXJBm3QBV8U3eMGyQmLiSD' set pki ca ca crl 'MIIByzCBtAIBATANBgkqhkiG9w0BAQsFADBZMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIGA1UEBwwLTG9zLUFuZ2VsZXMxDTALBgNVBAoMBFZ5T1MxEDAOBgNVBAMMB3Z5b3MuaW8XDTI0MTIwMzEwMzgzOFoXDTI0MTIwNDEwMzgzOFowJzAlAhRXx5eb+YbDSeH98JkQ4wQ0vwz3PRcNMjQxMjAzMTAzODM4WjANBgkqhkiG9w0BAQsFAAOCAQEAJUpv+ZdWVC1906ajDRGsjgqZXmWOYeOYQAbw5zhiNXdyZdjEuDJWiTiIaFWSpbaFK6btf4yk0Vg9p6BmGTTYg1uQMApf+VZqlLdg7jhMYi7Y/AEf60L60XX1fbP7myB+KU7OYTYDdp2nI37mgHYeGe1/TZX7uF3TdevmN7117/LssjIgSBZi6jjdX6El/KOPeSzUHsOB16S2V6qVrl/9hJf5Ypkb/yXcTPgaO0zqG3bxJW4RRNoBOYTzR8qci5S2g1DKggdnYn7gy4geAy51FyxCq64+DOpYiUnaztYNY9gXnGJXf0iAhg1yAR3yicnfrt/lMy6Kte8Fbx0Gnx51iQ==' set pki ca ca crl 'MIIByzCBtAIBATANBgkqhkiG9w0BAQsFADBZMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIGA1UEBwwLTG9zLUFuZ2VsZXMxDTALBgNVBAoMBFZ5T1MxEDAOBgNVBAMMB3Z5b3MuaW8XDTI0MTIwMzEzMDg0MVoXDTI0MTIwNDEzMDg0MVowJzAlAhRbsJDfz62m5C5/sw6MvP4l8xLfVxcNMjQxMjAzMTMwODQxWjANBgkqhkiG9w0BAQsFAAOCAQEAiXJzwXea7m4IQCAf899tny6lcXTvfMYERdSS1wg01fqJHTqmTNCJ9XovSi2y0HwsBxINy4ekQKRyQxqizdquO5OM8hBPGlpPKSM6nnXYzPPPbGP1hlhAHyL6c/agdP64PXmgpyJvhO51vr+W6LS8fv+/nKzjPZ9wRQFKop090Zdq51UWMQbmZSMqEVwreI3Ofoy2xPePGsEJYWP7Yw/mnoYm0qCPg8L5aQsXKAaa8xzVvlUOUXaY7FXzTppEe+z/YtcSvsKzWts9zRuj6idBHF9MdZXBk3ycHlNzn0nVUvpOHHzhM03sSfhylBM5XPD22TyMSvH/fpsoAefCXMUirg==' set pki ca ca crl 'MIIByzCBtAIBATANBgkqhkiG9w0BAQsFADBZMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIGA1UEBwwLTG9zLUFuZ2VsZXMxDTALBgNVBAoMBFZ5T1MxEDAOBgNVBAMMB3Z5b3MuaW8XDTI0MTIwMzEzNDcwOVoXDTI0MTIwNDEzNDcwOVowJzAlAhRbsJDfz62m5C5/sw6MvP4l8xLfVxcNMjQxMjAzMTM0NzA5WjANBgkqhkiG9w0BAQsFAAOCAQEAkDmumJ2bnSXUI0h04ybswGeOPvo13S9ZoONe+39ssEofe2BJy2NaTk3I9LFj3GYWzo/wPJ8prVPiNMdK84phxQ70ImGtBOEtsp7TEp+4dNUOcx2yS9hGLq3y1220bzi337GJlAACDx8grSp0FNyR/UIa5SPlLxabGeWQsoJst9oqSu94dtbGv/ERYwTjw2axVMnlmRScgQ5mNa35hfa4PM1f4X4SVAMtMYD/BIe4jA8nVwlNMo7cH1L1jJZarX3NT7/lbA/TmxYUHbLF+xC33oYRcbmk1xxCPjyn4xXbJR4BW9cIsFDDxU3G1RgqNjZC+Fv82gU+KvtCAhzakQMvJA==' set pki ca ca crl 'MIIByzCBtAIBATANBgkqhkiG9w0BAQsFADBZMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIGA1UEBwwLTG9zLUFuZ2VsZXMxDTALBgNVBAoMBFZ5T1MxEDAOBgNVBAMMB3Z5b3MuaW8XDTI0MTIwMzEzNTMxMloXDTI0MTIwNDEzNTMxMlowJzAlAhRbsJDfz62m5C5/sw6MvP4l8xLfVxcNMjQxMjAzMTM1MzEyWjANBgkqhkiG9w0BAQsFAAOCAQEAEdWtsg+J4bml9LHNFTgOq0iFpL5gnpPBh1WIEJzahw6B7JCeGvvr5ki2enzkPwFKV8UMYzVAuwSs3GA8+i73WfTuFcPtAT08DAhUObsfWx+3MYItivF7tqAdlDVS34ZNyx8nGnmF+SaihJAf5RbOQMc88hZeO6hq3cIVanpy/fVmAOU/qeoQzKvaDRkbSkRZ5WaRR1tlZexup/kE1Oz79pCRlXIu4DF3Qg5b2aVXC0S7gqvkyt5urAMssbYfJ4JJg8K7wUbE+ggtEq/oY5sWSV7JjervyUpa5vpT3cCE6/H8xfRhkp/45Gyce4uiCSe2IlwuH5NyxM0iSUBsBJIYZw==' set pki ca ca private key 'MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCoAISLKTlnAEHbMfukpBTsZWv/Q4GVpDuZE8Ux23tg1oJvpbDuZYHB2vDDVn0llpnZKfs7n+1eWfcTQQTtAm0Z//gmRXgXyV7p1ReyM/YHP8fkXLfQH/X1jD2TWejerjK5x7UAsQRl9s6kH5Dpxpp1Ub9APakT9I96BYo1cLlFGzQ/Co/7SmjXTtGfsa3vQE6ApNaQrhaT22mZQ9kNsf+hocaWxCBnoSvVneTvQE6vIMX79RtPssqAE8mtcvNUw2mKl1ezZbVPLruJS5bv6i5WsMW/iHA21+ZhFd5JaH1KDTMt0yDdz1Aa/wVGFF+SM76IDtwevb6E5OmLPPDG+p07AgMBAAECggEAT6szL6UEfiZelJpO2cQf0fzEqp/yJyrjQlPgSyTojMMcxuI9lcfYMTxouVFd9oHFAnlIlP1hvMEQDHbkZZqlb1N183w1F56cXmn5mz3N2aEy40Xeuxk089Ul7CcSaesUzgn4+VN4oPvaAXWgrGPMon76IXY8JGTw1y4iXPZQPYcDvZiUgvd7vRnTcoI7ZY06jWBB3qC2YNSacP7OFUuEdwWqj7yF1YnAggmZy85udXdQGd/u6IEFq11RH7UsIsC793JvrtJ7HjAW4oMLqSzz04kdosTkU9yHgzMD4qpf3CPe0mw0wS83usSKdZ4FniirdYc1In/10gjmfBmkH6rx1QKBgQDmzLNa2boA226LU/k+IeQO4CDMxZzvPNwNybU0It8nuVe22WPvLNzmpnPLsWlFEXxPaM/StrjkYKLf+PuhgsigNqiRQ17j6RKLAnacfWlTdLsbOqvGw5N1ffBnNDCW7MXxM08eRznlmRyatPKFqg/QPxNGRmITsq8YFhwtUh3sJwKBgQC6WICEKJHjHwYRBeRmQ+nN120y1gexdPK4dCz8xClU9+sXBbGQHheeN8JS0xNghOdj0jz86ReAg4G6sN48jnbmEv/nQbHzVbMsPhTeZ/AtPQOhgA0btehTSPZMWMYOrmaMDJq13AtLl98WKcBXYfZO3Vy+9qygzPUKZ8uG9K6uzQKBgQDROrlNnxv0Mvkf7dyB6w9oPN7/RBZk+3MyPK28ufA7ftZ5uNHTvYP0xOksu4SHTLa49neQun0a7FA7YugbHwjp1SMzrTOUwXJB+tW0QCz/r07//ExFQH+pf6Y0qSdzaup3IuCSvldKQWehCHDjo6v6SXQbvSqkWNRKraCVpV/i+QKBgFODNF2GPRN3pOVeKaU3TIImyNaemyYJjnnh/wNs+kUNMrvHnnNDOTx8KseptyZribPv1ctWv2SmCy7a805aXqjv3OYMSC8QulLao8mk9Tug+46Wb8l6ddtVeKRwqJqNyIF9aJyWOC2xq5YoMf43dgaUKGug627JTAxUxh7+a4cFAoGAXjzlCBzXZKDirXMMSwjUfch9UbPbDDd6rKeRWYfeE97bQMYvknayycy6HBScbxZPvm4PThNLeyxLMmCwjRxtgmRlmBtusqmo/siSgdHRSqji2GeT1hqW+leYrffXA9gYcRdr5WAvJmRm7R1KXrXFr3dmOfyLYTw6ADRwOks+QKg=' set pki certificate cert certificate 'MIIDtTCCAp2gAwIBAgIUQqv1khJjjUfMST0S7a+o4Ogye+MwDQYJKoZIhvcNAQELBQAwWTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFDASBgNVBAcMC0xvcy1BbmdlbGVzMQ0wCwYDVQQKDARWeU9TMRAwDgYDVQQDDAd2eW9zLmlvMB4XDTI0MTIwMzA5NTQ0OVoXDTM0MTIwMTA5NTQ0OVowWTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFDASBgNVBAcMC0xvcy1BbmdlbGVzMQ0wCwYDVQQKDARWeU9TMRAwDgYDVQQDDAd2eW9zLmlvMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3wxOwPH99GFgR8UUTwtS0peRVMp3JMBPedhUtCEfkpzL0fMsQOcVODoHjZ00DBa0RYEppeVrzbYpEbBUhergiqqZfYk/2oJqD232fw3wcxaHPRd6rjVSFvbahvQL3ubSxUWCGk53jyhSbwkk+/B/TgH0NWDaKSS01f5ynUfqYiElssPZ+ozGfacM5cEvHBHxsBu3PxhqkOZ3sBnj0tZ9MF9Xmtd9ZwhEk31rNEhKVblFAKx2LQBBbr17foV3j60xgwcBPiI6N5G9Ec8Jaf99IjP4x0WSKJ+ZreUhxx3FHFeKOTREOUksAR9iN4QF2BgQ6fbGHkSQUh2ZmUIhrDVprwIDAQABo3UwczAMBgNVHRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAdBgNVHQ4EFgQUVrWI4aY4VveAw5PHOKBd2XnVNjAwHwYDVR0jBBgwFoAU+ER+mf7W+Iuv41z4ZncPIg1eyWkwDQYJKoZIhvcNAQELBQADggEBAEa5jQZNXzILsomBvpCO3Mu93zluS37KysJA/mk3a1uhTs5OVDbAVe/POT87bRL4W0VPDJHpb/nfh10lSCyykNV4SqPwDn3LIfBoLZeFmT9tHeyGfLQDs6ybdhEluSI8yDApi/tUIaDe+eObiO1v/zhZbsOmmZSzmNf4yVRP5PPgStfG1tymXZjW8UNjvxo71+1L2+mSNFmhXA8u0XA/xF4nFfYaBCCXyZJbgnZIiBXWTU9H1IMMZi5N8RS26Weg47ZYspndy1+Mnbuh3d8mScqi9NDR1wwuenVqE57mE+kerJ/cLKVBz0siCz2YPSOSjzl+vA2CzVAFtrw8dtndOX8=' set pki certificate cert private key 'MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDfDE7A8f30YWBHxRRPC1LSl5FUynckwE952FS0IR+SnMvR8yxA5xU4OgeNnTQMFrRFgSml5WvNtikRsFSF6uCKqpl9iT/agmoPbfZ/DfBzFoc9F3quNVIW9tqG9Ave5tLFRYIaTnePKFJvCST78H9OAfQ1YNopJLTV/nKdR+piISWyw9n6jMZ9pwzlwS8cEfGwG7c/GGqQ5newGePS1n0wX1ea131nCESTfWs0SEpVuUUArHYtAEFuvXt+hXePrTGDBwE+Ijo3kb0Rzwlp/30iM/jHRZIon5mt5SHHHcUcV4o5NEQ5SSwBH2I3hAXYGBDp9sYeRJBSHZmZQiGsNWmvAgMBAAECggEAQwCoe692ET5bNNQQCLqnE5nyT11OsxyOA1UoBMBagqlVVOlOpuSD7FMKR9EsfGEpoCNvxmUHoFETPzwP9/aZoy4iU6KyKsq4X5Ax1vLyAzCGSaTO9pwP39Qhyx5unnQKZrY9ofdmVPvQ34gIsyIIq/9MQ+inQGrFY+8+sN6Umws4WRdqpDSDkIR3YI2lSGvzWcB4nPp1EgnZajnwSm1H4cmVtDQjJv1fRcSiXqjJp+uH8w20ootLfn55QCglawu3jX9DA14mLxoAqtsEx3tdBPIM78byucozpUDIWtQF4jFOmUPFngieluiHqjCR3i5YLLRYsW6LmO0ZpGK8KHnmEQKBgQD58I6s172fdLowvqU+5CiRng0vP++22vnjx7nVLzjLYGVPTgEe2hguvR7DhxCFHk9Vsz3DQ7dKn0b2ga2An2FXiD2mayDoeeab2fV1GP7Hu1Rj3JTdesdYLNCRurebyHgvqgwJh+t+ws3WOCoKhkafceT3FDaSUFOusb+A0oEuKQKBgQDkdNOxSFKA/iHFyVcvODHVcayBjdvJHvetRs1U+GeH7V8dgvkY2aAs5Ami4zTT1hEwA2hva3od6ijaVaBaqPhmdCaR/WukTACeKF3oY/xshrR9V/kkSqRXGN1a2y0HHNN/TLeo0nGaXlTk8fEbklARFh7R8SMIEMkkm4n0icikFwKBgQDnfiLne7qpodeBplIu+euJU7YqeTFxT0f77NT12xLja5jp5vmqtZ2ITKndt49ZfEVGvwkJfgKaHwP+9QTaCMSD6jAPn1GPgLhSyYFKv6fbHmp/Q6KtsDZKONfE4geFRhvrKbiUa0t20L8NFl/593wZ2ceUASi6Q6P+Pat9iXsUYQKBgQCZX41XcbRiATrvLBKqEtHx+BTWDUTGq1GgNO5Y40OuT8ARcgKFmmUcfiOyBVNL/GUhlMgiNUeQmcm/esji1JmfPs8+J6KCdLvdckBJagbnXTADDnKm2K2oA3toKcj7A3FB/2E1p8K43iekZIF3/yxdrDoYvAjGu24uc3WUhIP9FQKBgCRBSpD+RvVq8l3PhVn5zxrLUfq/uedTtrqvdmsoLdteLXp4+D9CN6XlvHLwHpkKuWn4bq047ukKQ/xMyNWPWeYb/9UDWpaTU//DYSTOeaOtwX/goswIEUh3ciNvpc/ycaH6W3kl4dRMCcYtJEUmHS1qgsKaafKJ8+5IdCUkGzWW' set pki certificate client1 certificate 'MIIDsDCCApigAwIBAgIUW7CQ38+tpuQuf7MOjLz+JfMS31cwDQYJKoZIhvcNAQELBQAwWTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFDASBgNVBAcMC0xvcy1BbmdlbGVzMQ0wCwYDVQQKDARWeU9TMRAwDgYDVQQDDAd2eW9zLmlvMB4XDTI0MTIwMzEwNDcyN1oXDTM0MTIwMTEwNDcyN1owVDELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExDzANBgNVBAcMBkRuaXBybzENMAsGA1UECgwEVnlPUzEQMA4GA1UEAwwHY2xpZW50MTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKMM+I+gkuWqai3Y6lvbr8Ur4AHr3YpVAAEoDwTcHpoGndIsAeYzKN97ZxPi0sZfsa0GWsne37oyk3I6Fg5PZ2YiYjf/3HXH1u/MSlOFh7eiefE38w07VWFIJfBE7PoQA7xGupN5dOCw4Lcrx4ikw7E6nokpm8X+KcIMKb6yLzGtfEvUoTRrr61mUpglUpn5cK8juQob3t4NJ4UBm+kXcpGth5DB5VtRIEp9NPHgtUm0G1TFKsGFGChb9Dw02cfhLe9aJDpUHFPtLo9dZOI5IZXTcGj+ZEFHT8L0vCOQvIAlHNgWit4NmT+3NjD/R5AeiIxPK34Hc3WHnrZ0b5ign1sCAwEAAaN1MHMwDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwIwHQYDVR0OBBYEFBR5H5EQAoc015uVNxw9S+MjwlAAMB8GA1UdIwQYMBaAFPhEfpn+1viLr+Nc+GZ3DyINXslpMA0GCSqGSIb3DQEBCwUAA4IBAQCVBAggYFrEcoH04shxAh8j1dfi35K/Tl9wZ1i/NxLG8kG9vpUeoBAYV+lkyBsR7hM6y+MO1gT7VPrgtE+Q/UMaWdYvzBuqbdSapoGeZp0ijP5tyJQEre7J3mne7YRExgv3Q38EvCeuLeMc8DVcH0jN5GQEXG79nx1y1uumlWNTjpiXxIlsAcGEwxMBNpWmKnTcMtSVrrbHaRgecfBLu3huuJsRrCQ9BWyDZQfPSf2Oo8T8THaN2l1JITK56UmGWdDL+V8LXT1uSHRZsATpeCGCSaJQdaa6107HlstqEN42n1g1tOMBrc8eXN9YE7Jzm8xbNJPBRg9V+Zd93XyhV8bF' set pki certificate client1 private key 'MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCjDPiPoJLlqmot2Opb26/FK+AB692KVQABKA8E3B6aBp3SLAHmMyjfe2cT4tLGX7GtBlrJ3t+6MpNyOhYOT2dmImI3/9x1x9bvzEpThYe3onnxN/MNO1VhSCXwROz6EAO8RrqTeXTgsOC3K8eIpMOxOp6JKZvF/inCDCm+si8xrXxL1KE0a6+tZlKYJVKZ+XCvI7kKG97eDSeFAZvpF3KRrYeQweVbUSBKfTTx4LVJtBtUxSrBhRgoW/Q8NNnH4S3vWiQ6VBxT7S6PXWTiOSGV03Bo/mRBR0/C9LwjkLyAJRzYForeDZk/tzYw/0eQHoiMTyt+B3N1h562dG+YoJ9bAgMBAAECggEABENXDl5K6PFTNF6rBfrQ9i1G/pXdpXvCc8VJ2z0sGafZoYCgDhZBV9KAp+7yxtgCq7zyS7vlipc+7qohIH+n+u4kNkWczIGMl5l2SgfAPCdl2840LyDhgxkhUM5kicc4achJoYh361YEkhV1cpeoPC6FrZ1mYr9Z9SZfQwqinEBbsOOej520epa45WVEXNFZztGGV57Zb7565z3Ajdgx06ZT6Z7eccgfvbKbrGUlsXAXAz4yfW4kAqK0AwQcs/PKJ1f3RCEqqYS74s24lhBzGoAr8V4OD2IW9e+f996jxdRrswBO/WSxAMfkiYx9aFfWyxIBVlmDZfI7ALyhdY2dMQKBgQDmAiMH4+dcsvB2VKNzzBXzyPgICw0tQI/zpJFTadOl+WYomlKWoFkumRLyq2C26f1USvND98uYnQUjNFN4DHuNYLxYT58p1UzHMedm3kq0BGp4j3Ba861dCLOemUMlE0gyU51z2rxyQ+BpU8s00dWgaWOrMOTIC25FR4T0xmx6awKBgQC1edRXngRFyYBSH8ahnI3co++bnDMQi8wjtVAeIJTmF1Jq2QkIQ89z7GBq6YYuPpRF58y2XN2pj0QxqTdBTV0YbqBlChdcBPROoit1C8UExSL7WtzILFZK3utyoBmA8eBZFiN751oOoqloxgrFJ21ECDUFSmTRSzpzD4W/qvmK0QKBgAWa1bmyfwfOQHfRti3zMjG/mvOvOUH6Ccf5IaVztbmcqzWgFRUgkSvGhSSusmuipg6wyN7GIgr1AJQMCWCqhTQ7wDsyrYE6dmWAPNBP6Ggcl2+apzVALOBQfvgFahJ0NtUrHnIdSWxLZSOL7C68UkVXbBtW1KxfQu+jP4UrdKdDAoGALxlUa/z93OLkI+xNUApiox4FBNzwP94YeDgJeBg6rNDmugZkGroGsG5rw7Oh+ISTVOVJMxc9DFG7gCwLxC4A+GNVy4Nn9qDuiy35m2IXmxpS7utxG56uMrZSYyh8FgQwls5xHSo5LE05LJEhoHOQHzUGFb5uFgexPsWLj+ge5dECgYAWoi5vKCJWm4/t6A0W8HCEPCBXO7/MIeA2HrZ7ofrL6Bp/fDJSWqs10ZCcPVoy9sdIgAI1blHGWosLE9bRfx2DKn44igdCuSho/xJXhsjyJTpArD91UD7gdeRkZ2GqYJi9vdI+TBI3PsvWQ8F+jlShSD1EGmPvqF8twBaB71PMdw==' set pki certificate client1 revoke set pki certificate client2 certificate 'MIIDrDCCApSgAwIBAgIUXHMRePv7otpZJNn8BFu3nozF2kIwDQYJKoZIhvcNAQELBQAwWTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFDASBgNVBAcMC0xvcy1BbmdlbGVzMQ0wCwYDVQQKDARWeU9TMRAwDgYDVQQDDAd2eW9zLmlvMB4XDTI0MTIwMzExMTA0M1oXDTM0MTIwMTExMTA0M1owUDELMAkGA1UEBhMCVVMxDzANBgNVBAgMBkRuaXBybzEPMA0GA1UEBwwGRG5pcHJvMQ0wCwYDVQQKDARWeU9TMRAwDgYDVQQDDAdjbGllbnQyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA7VXZpMkr/Rnd+q0opUR4XNdHaaa2tH+ZVqt97gCIowjAYXJWY9RoPkmpl3DageLED7Rsk94oXjgXFkM05sUjfNytsD12Om1JpyKVD8FFtCOvB790SV4L6KWwSLMfUlzlqCeHnUzrySjLL60MQSBpzGl5o954l51wG23tkWm+QAk73K+gSkRDy/EpalUupqbikEdZRCZH+2ueqAKiBm56lr90f5pzJ3r9hU7+7W+ZYxPgtwL4mZbL/U9vNDGA2CXy+94Tibo46gNQam+UvTfD2vIocaMOVPCK2ifN2gTyCLxzSfeN8zMnQTixvYKjlNm2OZmXy+/U8FsLEA7S76jG6QIDAQABo3UwczAMBgNVHRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAjAdBgNVHQ4EFgQURMwJZKBFhwtK5wWUwKbtIaFsD3gwHwYDVR0jBBgwFoAU+ER+mf7W+Iuv41z4ZncPIg1eyWkwDQYJKoZIhvcNAQELBQADggEBAGzOEpY/Z33V3lbN9/9MxuO7ktQuKnr0h+DHLzjjisCYzVNrP4s8bMdQFk19Xu+OMef0uMaMwRZ/hMoPTmEaLXDTyENTflWWZn5K79jSsqVPt0HMThuoZAX9PFc3LzRFDv5zCII62kiBUMiPZH+J+fKMCKd+ObiYoLJvDUaJzrO4Nk/vSHWkEE3JVeqRyWt6oaNtCkvWw+HQZ9Qc8nSO+tTvt6daftHqKCE3ORl3V1ypXHjD0iKv1lUafdzwLwKdxZNXYv6gfPwwzAthBslT5u8ckFfWKLsqkEeQKNusiqjXieMvoJfoCD7EFY3WPqmk4DXSHUOpvglt5Xckux2wuTQ=' set pki certificate client2 private key 'MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDtVdmkySv9Gd36rSilRHhc10dppra0f5lWq33uAIijCMBhclZj1Gg+SamXcNqB4sQPtGyT3iheOBcWQzTmxSN83K2wPXY6bUmnIpUPwUW0I68Hv3RJXgvopbBIsx9SXOWoJ4edTOvJKMsvrQxBIGnMaXmj3niXnXAbbe2Rab5ACTvcr6BKREPL8SlqVS6mpuKQR1lEJkf7a56oAqIGbnqWv3R/mnMnev2FTv7tb5ljE+C3AviZlsv9T280MYDYJfL73hOJujjqA1Bqb5S9N8Pa8ihxow5U8IraJ83aBPIIvHNJ943zMydBOLG9gqOU2bY5mZfL79TwWwsQDtLvqMbpAgMBAAECggEAY+1NHWIsWL0u5tBIeEk7ak+j/Dpa2+WLoN/EvlRQM2DIa18SO6cfmvY15xL3lU9uoHQlcR7NHVp9cfyrBe0EE5rwsG84W8JPDAV2AHOuTvnlRJxaMFfeKL62We29JtcBRQsbwOG1tvUrk6/HJJaqpQvV0OanHKMHpCzlJWAB4ACTtGJ2GgwcMnzJ3mKjBZOH/k3HzK7AnUeEmJq/pTp1n6kXwD7p2+GzwZkTzSi70r7LDWOR+i9R0ly6rkqTUoyWZCxTptVy47bCpdQv9pyCA2sPPUVGlXxM+WxaF5kvgbTKqesvDOqFdubC43VQcKdwXL/WiVp4OsrGfFlO9/8GZwKBgQD5cmkYxylCk4LeCwtNJzfwFjVQYS+vWjRwnbi4clhhnMBJLe4cGloybPvejnGxWDGE3v9dmeZoFBh1nkILathoZhclgeh9d1GkgioDxnrjbdz7G6UGBtLX6esPra8vZn41Jq4NgvXCGmCZr1QIlGfPZpPpsKm6MlqpbdHpGhsauwKBgQDzkfyLsQvCbdiwz7H/vZjbm/VzGwW5omNPRW89AcwG6Xw/+0w2408Z1w3XuJWzf9OdLeLL8durg29YTMsgc+ea12/X1SA1e74tzloP8o3L7ZSpvXgj5haDjlB7D1OADyBVR1rg+/tyYKoR68BOP7bbXDK5fjIVLrlAoxH4JrkEqwKBgCeYjKw9OQRza+uZLzMRDaUTsWTP+ITKOdbCgobsx7C+9BrpqolVeYnVmOmMDOoMyNeBmmGeQ1+0COnqtCshy7ZOtk/i3ifEX/ZQHyE4SVt+nfxSOBDL1n4liIWVmWBZ0aDYQfqtFhu4mirrFNjDzfKzIrmOrHJ8+b05TH/HABRvAoGBANmbSKyo3V+0cc7tkBJymjlBqdVPhBroOJ9e4lX34Acg3G/xHJNBG69zUZuz/pLilfWsRB5/Ewm1oGmcGjIBOx88cGC8uUzvI+aaoB31Tretp47KhqZT7zNTlxWKiMg1O2bVHB07Itd6AxeFr0Z5Z+2s/mh4lVgVaU6VIf244r2HAoGBAJNwTg2srlQlBr0LiUy0ij8SsdbGSsIwVymMuuFUFt7Z2PE6e6AGG4jOBFJzW6iSbkG2+8GXRrBNMX69nrYfrYNMIjO1P9PGRfgbM8nHUnPW3PlB4KYEzxChkUYu5kbVm3EzBjlM66fNrFP86SzExLj5Pqp2CrfXF2nnAC1KPffV' set pki dh dh parameters 'MIIBCAKCAQEA+1eL8L4DAmniAvmBG1AAgHqCzYjF7zt+ES+L2reSo4RFRcqvZ1zWpHB6wmB5KFZ6na4qhyHbqfNckK2PQnqI4fSvahSzsxY9PaknzPiXM+Oyc8Kqw7VSa6ywraTDOwNMfoF1UxsT8ISo5mmeSmzGXtxHwjlkBOhJU7sdjImbiMJ6nhxTx1+GoAU3V9LxgwFLeEZNRZRfflJU6SWmLSMf6mDaTYVPym5DaMoam+/cGVLquEnXFroc7CeSJQ8QLGcKSUTiw1j7QRFg5a47wVYH43+8uKHHIlWmGfmY76Kj+DYiO3LE52wOeeiWafWRPR5PtqbgBEJIiBmTgfOEAyPIFwIBAg=='
Check certificates, expected client1 is revoked
vyos@r14# run show pki Certificate Authorities: Name Subject Issuer CN Issued Expiry Private Key Parent ------ -------------------------------------------------- ----------- ------------------- ------------------- ------------- -------- ca CN=vyos.io,O=VyOS,L=Los-Angeles,ST=California,C=US CN=vyos.io 2024-12-03 09:50:37 2029-12-02 09:50:37 Yes N/A Certificates: Name Type Subject CN Issuer CN Issued Expiry Revoked Private Key CA Present ------- ------ ------------ ----------- ------------------- ------------------- --------- ------------- ------------ cert Server CN=vyos.io CN=vyos.io 2024-12-03 09:54:49 2034-12-01 09:54:49 No Yes Yes (ca) client1 Client CN=client1 CN=vyos.io 2024-12-03 10:47:27 2034-12-01 10:47:27 Yes Yes Yes (ca) client2 Client CN=client2 CN=vyos.io 2024-12-03 11:10:43 2034-12-01 11:10:43 No Yes Yes (ca) Certificate Revocation Lists: CA Name Updated Revokes --------- ------------------- --------- ca 2024-12-03 10:38:38 ca 2024-12-03 13:08:41 client1 ca 2024-12-03 13:47:09 client1 ca 2024-12-03 13:53:12 client1 [edit] vyos@r14#
Revoke again:
vyos@r14# set pki certificate client1 revoke Configuration path: [pki certificate client1 revoke] already exists [edit] vyos@r14# vyos@r14# run generate pki crl ca install 1 value(s) installed. Use "compare" to see the pending changes, and "commit" to apply. [edit] vyos@r14# commit [ pki ] [edit] vyos@r14#
Try to connect from the client1 (revoked certificate), and debug from the server site (unexpected successful connection):
Dec 03 14:24:46 r14 openvpn-vtun10[10130]: 192.168.122.199:44916 VERIFY OK: depth=1, C=US, ST=California, L=Los-Angeles, O=VyOS, CN=vyos.io Dec 03 14:24:46 r14 openvpn-vtun10[10130]: 192.168.122.199:44916 VERIFY OK: depth=0, C=US, ST=California, L=Dnipro, O=VyOS, CN=client1 Dec 03 14:24:46 r14 openvpn-vtun10[10130]: 192.168.122.199:44916 peer info: IV_VER=2.6.12 Dec 03 14:24:46 r14 openvpn-vtun10[10130]: 192.168.122.199:44916 peer info: IV_PLAT=linux Dec 03 14:24:46 r14 openvpn-vtun10[10130]: 192.168.122.199:44916 peer info: IV_TCPNL=1 Dec 03 14:24:46 r14 openvpn-vtun10[10130]: 192.168.122.199:44916 peer info: IV_MTU=1600 Dec 03 14:24:46 r14 openvpn-vtun10[10130]: 192.168.122.199:44916 peer info: IV_CIPHERS=AES-256-CBC Dec 03 14:24:46 r14 openvpn-vtun10[10130]: 192.168.122.199:44916 peer info: IV_PROTO=990 Dec 03 14:24:46 r14 openvpn-vtun10[10130]: 192.168.122.199:44916 peer info: IV_LZO_STUB=1 Dec 03 14:24:46 r14 openvpn-vtun10[10130]: 192.168.122.199:44916 peer info: IV_COMP_STUB=1 Dec 03 14:24:46 r14 openvpn-vtun10[10130]: 192.168.122.199:44916 peer info: IV_COMP_STUBv2=1 Dec 03 14:24:46 r14 openvpn-vtun10[10130]: 192.168.122.199:44916 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1 Dec 03 14:24:46 r14 openvpn-vtun10[10130]: 192.168.122.199:44916 TLS: tls_multi_process: initial untrusted session promoted to trusted Dec 03 14:24:46 r14 openvpn-vtun10[10130]: 192.168.122.199:44916 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256 Dec 03 14:24:46 r14 openvpn-vtun10[10130]: 192.168.122.199:44916 [client1] Peer Connection Initiated with [AF_INET]192.168.122.199:44916 Dec 03 14:24:46 r14 openvpn-vtun10[10130]: client1/192.168.122.199:44916 MULTI_sva: pool returned IPv4=10.10.0.2, IPv6=(Not enabled) Dec 03 14:24:46 r14 openvpn-vtun10[10130]: client1/192.168.122.199:44916 OPTIONS IMPORT: reading client specific options from: /run/openvpn/ccd/vtun10/client1 Dec 03 14:24:46 r14 openvpn-vtun10[10130]: client1/192.168.122.199:44916 MULTI: Learn: 10.10.0.10 -> client1/192.168.122.199:44916 Dec 03 14:24:46 r14 openvpn-vtun10[10130]: client1/192.168.122.199:44916 MULTI: primary virtual IP for client1/192.168.122.199:44916: 10.10.0.10 Dec 03 14:24:46 r14 openvpn-vtun10[10130]: client1/192.168.122.199:44916 SENT CONTROL [client1]: 'PUSH_REPLY,dhcp-option DNS 203.0.113.1,dhcp-option DOMAIN vyos.net,route-gateway 10.10.0.1,topology subnet,ping 10,ping-restart 600,ifconfig 10.10.0.10 255.255.255.0,peer-id 1,cipher AES-256-CBC,protocol-flags cc-exit tls-ekm dyn-tls-crypt,tun-mtu 1500' (status=1) Dec 03 14:24:47 r14 openvpn-vtun10[10130]: client1/192.168.122.199:44916 Data Channel: cipher 'AES-256-CBC', auth 'SHA512', peer-id: 0 Dec 03 14:24:47 r14 openvpn-vtun10[10130]: client1/192.168.122.199:44916 Timers: ping 10, ping-restart 1200 Dec 03 14:24:47 r14 openvpn-vtun10[10130]: client1/192.168.122.199:44916 Protocol options: protocol-flags cc-exit tls-ekm dyn-tls-crypt
The client it alive and we can ping him:
vyos@r14# run show openvpn server OpenVPN status on vtun10 Client CN Remote Host Tunnel IP Local Host TX bytes RX bytes Connected Since ----------- --------------------- ----------- ---------------- ---------- ---------- ------------------- client1 192.168.122.199:44916 10.10.0.10 203.0.113.1:1194 3.8 KB 4.0 KB 2024-12-03 14:24:46 [edit] vyos@r14# [edit] vyos@r14# run ping 10.10.0.10 PING 10.10.0.10 (10.10.0.10) 56(84) bytes of data. 64 bytes from 10.10.0.10: icmp_seq=1 ttl=64 time=0.463 ms 64 bytes from 10.10.0.10: icmp_seq=2 ttl=64 time=0.484 ms ^C --- 10.10.0.10 ping statistics --- 2 packets transmitted, 2 received, 0% packet loss, time 1037ms rtt min/avg/max/mdev = 0.463/0.473/0.484/0.010 ms [edit] vyos@r14#