@hron84
Last active July 9, 2020 21:10
easy-rsa CRL regen

Easy-RSA CRL Regenerator

This script regenerates the CRL whenever it expires. Copy it into the Easy-RSA root, e.g. /etc/openvpn/easy-rsa, and use it like all the other Easy-RSA scripts:

# source vars
# ./regen-crl

To run it automatically every day, put this into /etc/cron.daily as an executable script:

#!/bin/bash

cd /etc/openvpn/easy-rsa || exit 1
source vars
./regen-crl

And that's all!
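
A variant of the daily job, as an added example that is not part of the original gist: it reads the CRL's nextUpdate field and calls ./regen-crl only when fewer than three days of validity remain or the date cannot be read. The function names and the three-day threshold are assumptions; KEY_DIR and OPENSSL come from the sourced vars file.

```shell
#!/bin/sh
# Added example, not part of the gist. Function names and the 3-day
# threshold are assumptions; run it from the Easy-RSA root after `source vars`.

# Convert "nextUpdate=Jul  9 21:10:00 2030 GMT" (the output format of
# `openssl crl -noout -nextupdate`) to epoch seconds using only sh arithmetic.
nextupdate_epoch() {
    set -- ${1#nextUpdate=}          # split into: Mon DD HH:MM:SS YYYY GMT
    [ $# -ge 4 ] || return 1
    mon=$1 d=${2#0} t=$3 y=$4
    case $mon in
        Jan) m=1 ;; Feb) m=2 ;; Mar) m=3 ;; Apr) m=4 ;;
        May) m=5 ;; Jun) m=6 ;; Jul) m=7 ;; Aug) m=8 ;;
        Sep) m=9 ;; Oct) m=10 ;; Nov) m=11 ;; Dec) m=12 ;;
        *) return 1 ;;
    esac
    hh=${t%%:*}; rest=${t#*:}; mm=${rest%%:*}; ss=${rest#*:}
    hh=${hh#0}; mm=${mm#0}; ss=${ss#0}   # "08" would be read as bad octal
    # Days since 1970-01-01 (civil-date algorithm; the year starts in March)
    y=$(( y - (m <= 2) ))
    era=$(( y / 400 )); yoe=$(( y - era * 400 ))
    doy=$(( (153 * ((m + 9) % 12) + 2) / 5 + d - 1 ))
    doe=$(( yoe * 365 + yoe / 4 - yoe / 100 + doy ))
    echo $(( (era * 146097 + doe - 719468) * 86400 + hh * 3600 + mm * 60 + ss ))
}

# Succeeds only if the CRL stays valid for at least $3 more days after $2
# (epoch seconds). An expired CRL or an unparsable date both count as not fresh.
crl_is_fresh() {
    expiry=$(nextupdate_epoch "$1") || return 2
    [ $(( expiry - $2 )) -ge $(( $3 * 86400 )) ]
}

# Regenerate unless crl.pem is demonstrably fresh (fails safe towards regenerating).
check_and_regen() {
    line=$("$OPENSSL" crl -in "$KEY_DIR/crl.pem" -noout -nextupdate 2>/dev/null) || line=
    crl_is_fresh "$line" "$(date +%s)" "${1:-3}" || ./regen-crl
}

# Same guard as the gist's script: do nothing unless vars has been sourced.
if [ "${KEY_DIR:-}" ] && [ "${OPENSSL:-}" ]; then
    check_and_regen 3
fi
```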

Licensing

This script and its documentation are licensed under the terms of the Creative Commons BY-SA 4.0 license.

Copyright © Gabor Garami 2020

#!/bin/sh
## Copyright (c) Gabor Garami 2020

CRL="crl.pem"
RT="revoke-test.pem"

if [ "$KEY_DIR" ]; then
    cd "$KEY_DIR" || exit 1
    # -f: do not fail on the first run, when revoke-test.pem does not exist yet
    rm -f "$RT"

    export KEY_CN=""
    export KEY_OU=""
    export KEY_NAME=""
    # required due to hack in openssl.cnf that supports Subject Alternative Names
    export KEY_ALTNAMES=""

    # generate a new CRL -- try to be compatible with
    # intermediate PKIs
    "$OPENSSL" ca -gencrl -out "$CRL" -config "$KEY_CONFIG" || exit 1

    # CA certificate followed by the CRL, in one file
    if [ -e export-ca.crt ]; then
        cat export-ca.crt "$CRL" >"$RT"
    else
        cat ca.crt "$CRL" >"$RT"
    fi
else
    echo 'Please source the vars script first (i.e. "source ./vars")'
    echo 'Make sure you have edited it to reflect your configuration.'
    # signal the failure to cron or any calling script
    exit 1
fi