How to delete (revoked) OVPN configuration files?

How can I delete revoked OVPN configuration files?

After some application tests I’m stuck with a ton of revoked configuration files in Foris, obfuscating the active ones.

I found some index files and corresponding .crt .csr .key .pem files in: /etc/ssl/ca/openvpn but I am not sure whether manually deleting stuff from there would break ovpn functionality in some way.

Could anyone please advise me on this one (or help me investigate)?

If this is best done from the CLI then that’s no problem (if anything, preferred)!

Any insights are welcome!

At first you can try to just move the files to a different location and see if it results in any problems with OVPN and/or removes the entries from Foris.
If you encounter problems you should be able to just move them back to their previous locations.

Or you can create a snapshot with schnapps, remove the files, test, and on error do a restore with schnapps.

Thanks for your reply (appreciated)!

And yes; I figured as much. If I will try something I’ll make sure to have backups available.

But rather as a fall-back, not part of the methodology. I.e. I was hoping to prevent an experimental ‘trial and error’ methodology though and start with a more informed instruction about which files to edit / delete. Say at least start-out with a plan that in theory should work.

Am I the only one whose VPN config list keeps growing / who wonders how to groom the list to keep it manageable?

From what I can tell, you’re able to remove certificates from Foris by doing the following:

  • Browse to /etc/ssl/ca/openvpn/
  • Open index.txt and get the associated number (e.g: 02) for the common name you’d like to delete
  • Delete XX.crt/csr/key/pem
  • Remove the associated entry from index.txt and notes.txt
  • Decrement the value in serial by 1

I haven’t done extensive testing, but it seems to do the trick. Make a backup of the folder first in case I’ve made a mistake :)

2 Likes
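The two suggestions above (move the files aside rather than delete them, and look up the revoked serials in index.txt) can be combined into one script. This is an added example, not code from the forum thread or from Turris/Foris. It assumes the directory layout named in the thread (index.txt plus XX.crt/csr/key/pem per serial) and the standard OpenSSL index.txt column order; notes.txt has no documented format here, so it is left for manual editing, and the `serial` file is deliberately never touched (it holds the next serial to be issued, so decrementing it while later certificates exist would hand out a duplicate serial). The sample CA directory is constructed inside the script so it can be run without touching a real router.

```shell
#!/bin/sh
# Added example (not from the forum thread): list the files that belong to
# revoked certificates in an OpenSSL CA directory, and optionally move them
# to a backup sub-directory instead of deleting them.
# Assumed layout: $CA/index.txt, $CA/serial and $CA/XX.{crt,csr,key,pem}.

# index.txt is tab separated:
#   status (V/R/E)  expiry  revocation-date  serial  filename  subject
# Print the serial of every revoked (status R) entry in $1/index.txt.
revoked_serials() {
    awk -F'\t' '$1 == "R" { print $4 }' "$1/index.txt"
}

# Print the files under CA dir $1 that belong to serial $2.
cert_files() {
    for ext in crt csr key pem; do
        if [ -e "$1/$2.$ext" ]; then echo "$1/$2.$ext"; fi
    done
}

# Print every file under CA dir $1 that belongs to a revoked certificate.
revoked_files() {
    for s in $(revoked_serials "$1"); do cert_files "$1" "$s"; done
}

# Dry run by default: only print how many files would be moved.
# With "apply" as $2: keep a copy of index.txt, move the revoked serials'
# files to $1/revoked-backup/ and drop their lines from index.txt.
# notes.txt and serial are left untouched (see lead-in).
prune_revoked() {
    ca="$1"; mode="${2:-dry-run}"; backup="$ca/revoked-backup"; n=0
    if [ "$mode" = apply ]; then
        mkdir -p "$backup"
        cp "$ca/index.txt" "$backup/index.txt.orig"
    fi
    for s in $(revoked_serials "$ca"); do
        for f in $(cert_files "$ca" "$s"); do
            if [ "$mode" = apply ]; then mv "$f" "$backup/"; fi
            n=$((n + 1))
        done
        if [ "$mode" = apply ]; then
            awk -F'\t' -v s="$s" '$4 != s' "$ca/index.txt" > "$ca/index.txt.tmp" \
                && mv "$ca/index.txt.tmp" "$ca/index.txt"
        fi
    done
    echo "$n"
}

# Constructed sample CA directory: serials 01 and 03 valid, 02 revoked.
make_sample_ca() {
    d=$(mktemp -d)
    printf 'V\t300101000000Z\t\t01\tunknown\t/CN=client-one\n' > "$d/index.txt"
    printf 'R\t300101000000Z\t240101000000Z\t02\tunknown\t/CN=client-two\n' >> "$d/index.txt"
    printf 'V\t300101000000Z\t\t03\tunknown\t/CN=client-three\n' >> "$d/index.txt"
    printf '04\n' > "$d/serial"
    for s in 01 02 03; do
        for ext in crt csr key pem; do : > "$d/$s.$ext"; done
    done
    echo "$d"
}

# Usage: sh prune_revoked.sh /etc/ssl/ca/openvpn [apply]
if [ "$#" -gt 0 ]; then
    revoked_files "$1"
    echo "files affected: $(prune_revoked "$1" "${2:-dry-run}")"
fi
```

Run it without `apply` first and compare the listed files with what Foris shows as revoked; take a schnapps snapshot before running it with `apply`, since the moved files and `revoked-backup/index.txt.orig` are the only way back if the CA stops working.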

Thanks! That seems more elaborate indeed! I’ll try your method once deleting the revoked keys becomes imperative (i.e. the list gets in my face too much).

Hopefully cz.nic introduces a more official, or even Foris/GUI, method before that in the meantime (less risky).

I wonder how others deal with this, or am I the only one with a lot of experimental revoked configuration references?

OpenVPN configuration files are generated, so they do not exist on the filesystem.
OpenSSL user cert/key/pem/crl files can be removed only once you correctly revoke them and re-verify the remaining ones (including the changes in index.txt, notes.txt, index.txt.attr, serial).

In general a CA is keeping track of all certificates issued by that CA. So I would not recommend any manual operations in the /etc/ssl/ca/openvpn folder unless you really know what you are doing. From my point of view it is easier and faster to reset the whole CA.

As for Foris, I don’t think there will be any “delete” button in the future; maybe they will change the list a bit, so it is not confusing users with expired/revoked certs (provide the “Generate” button only for “valid” ones…).

EDIT: some reading


1 Like

Ouchy, that sounds error-prone indeed!

Regarding a possible change in the GUI (as deletion seems difficult): simply changing the presentation order would suffice (presenting the revoked ones grouped at the bottom, for instance).

But yes… redoing all the configs by resetting the whole CA would require some work (e.g. bringing the new configs to the clients) but it is an option indeed (I have like 12 active configs and about 8 revoked ones, so it is still doable to reset/restart).

1 Like