Revoking a client certificate in an IPsec (IKEv2) VPN setup built with hwdsl2/setup-ipsec-vpn (libreswan + NSS database)
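#!/bin/bash
#
# Revoke one IKEv2 VPN client certificate on a libreswan server set up with
# https://github.com/hwdsl2/setup-ipsec-vpn
# (docs/ikev2-howto.md#revoke-a-client-certificate describes the manual steps).
#
# Usage:  revoke-vpn-cert.sh <nickname of the client certificate>
#         With no argument the script lists the certificates in the NSS
#         database and exits with status 2.
#
# What it does, in order:
#   1. reads the serial number of the named certificate from the NSS DB;
#   2. creates an (empty) CRL for the CA if none exists yet;
#   3. adds the serial to the CRL with the current UTC time as revocation time;
#   4. tells libreswan to reload CRLs (`ipsec crls`);
#   5. deletes the certificate and its private key from the NSS DB.
#
# Environment (optional overrides of the hwdsl2 defaults):
#   IPSEC_NSS_DB   NSS database, default "sql:/etc/ipsec.d"
#   IPSEC_CA_NICK  nickname of the CA certificate, default "IKEv2 VPN CA"
#
# Security notes:
#   * Revocation is recorded only in this server's CRL; the client still holds
#     the certificate. NOTE(review): a tunnel that is already established may
#     stay up until it re-authenticates — if it has to go now, also tear it
#     down (`ipsec whack` / `ipsec down`); confirm on your libreswan version.
#   * Step 5 is irreversible (the private key is destroyed). The CRL entry is
#     what keeps the client out, so the script aborts before step 5 if step 3
#     fails.
#   * Writing to /etc/ipsec.d normally requires root.
set -uo pipefail

readonly NSS_DB="${IPSEC_NSS_DB:-sql:/etc/ipsec.d}"
readonly CA_NICK="${IPSEC_CA_NICK:-IKEv2 VPN CA}"

# Print a message to stderr and exit with status 1.
die() {
  printf 'error: %s\n' "$*" >&2
  exit 1
}

# Extract the certificate serial number, as a bare hex string, from the
# `certutil -L -n <nick>` text read on stdin.
# certutil prints short serials inline ("Serial Number: 2 (0x2)") and long
# ones on the following line as colon-separated bytes ("00:9d:7a:..");
# both forms are handled and the first "Serial Number:" line wins (the one
# under "Data:", i.e. the certificate's own serial).
# Prints nothing when no serial is found.
serial_hex_from_certutil() {
  awk '
    /Serial Number:/ {
      if (match($0, /\(0x[0-9a-fA-F]+\)/)) {
        print substr($0, RSTART + 3, RLENGTH - 4)
      } else if ((getline line) > 0) {
        gsub(/[: \t\r]/, "", line)
        print line
      }
      exit
    }'
}

# Convert a hex string to decimal (crlutil's addcert takes decimal serials).
# Bash arithmetic is 64-bit signed, so anything longer than 15 hex digits is
# handed to bc when available; otherwise the function fails rather than
# silently overflowing (a wrong serial would revoke the wrong, or no, cert).
# Returns 1 on a non-hex argument or when the number cannot be converted.
hex_to_decimal() {
  local hex="$1"
  [[ "$hex" =~ ^[0-9a-fA-F]+$ ]] || return 1
  if (( ${#hex} <= 15 )); then
    printf '%s\n' "$(( 16#$hex ))"
  elif command -v bc >/dev/null 2>&1; then
    # bc wants uppercase hex digits when ibase=16; BC_LINE_LENGTH=0 stops it
    # wrapping long results across lines.
    BC_LINE_LENGTH=0 bc <<<"ibase=16; ${hex^^}"
  else
    return 1
  fi
}

# Current time in the YYYYMMDDhhmmssZ form crlutil expects. The trailing Z
# means UTC, so the time is taken with `date -u`; local time with a Z suffix
# would record a revocation time off by the zone offset.
crl_timestamp() {
  date -u +%Y%m%d%H%M%SZ
}

# List every certificate in the NSS database (CA and server cert included).
list_certs() {
  certutil -L -d "$NSS_DB"
}

usage() {
  printf '\n\nUse the script as follows: %s <name of the user certificate>\n\n\n\n' "$0"
  printf 'Certificates currently in the NSS database (clients, server and CA):\n'
  list_certs
}

# Make sure the CA has a CRL object in the NSS DB; create an empty one if not.
ensure_crl_exists() {
  if ! crlutil -L -d "$NSS_DB" -n "$CA_NICK" >/dev/null 2>&1; then
    crlutil -G -d "$NSS_DB" -n "$CA_NICK" -c /dev/null \
      || die "could not create a CRL for '$CA_NICK'"
  fi
}

# Revoke the certificate with nickname $1: add it to the CA's CRL, reload
# libreswan's CRLs, then delete the key pair and certificate from the DB.
revoke() {
  local nick="$1" serial_hex serial_dec stamp
  printf 'Revoking VPN certificate for user: %s\n' "$nick"
  serial_hex=$(certutil -L -d "$NSS_DB" -n "$nick" 2>/dev/null | serial_hex_from_certutil)
  if [[ -z "$serial_hex" ]]; then
    printf 'Certificate for %s not found.\n\n\nCertificates in DB:\n' "$nick" >&2
    list_certs >&2
    exit 1
  fi
  serial_dec=$(hex_to_decimal "$serial_hex") \
    || die "cannot convert serial '$serial_hex' to decimal (install bc for serials longer than 15 hex digits)"
  printf 'Serial Number %s in decimal format is %s\n' "$serial_hex" "$serial_dec"
  printf 'Press enter to revoke the cert or ctrl-c to abort\n'
  # EOF on stdin (non-interactive run) is treated as "no", not "yes".
  read -r _ || die "aborted: no confirmation read from stdin"

  ensure_crl_exists
  stamp=$(crl_timestamp)
  crlutil -M -d "$NSS_DB" -n "$CA_NICK" <<EOF || die "adding serial $serial_dec to the CRL failed; certificate NOT deleted"
addcert $serial_dec $stamp
EOF
  # Force libreswan to read the updated list.
  ipsec crls
  # -F deletes the private key and the certificate; the following -D is a
  # best-effort sweep in case only a certificate without a key was present.
  certutil -F -d "$NSS_DB" -n "$nick"
  certutil -D -d "$NSS_DB" -n "$nick" 2>/dev/null || true
  ipsec crls
  printf 'Current list of VPN clients\n'
  list_certs
}

main() {
  if [[ -z "${1-}" ]]; then
    usage
    return 2
  fi
  command -v certutil >/dev/null 2>&1 || die "certutil not found (install nss-tools / libnss3-tools)"
  command -v crlutil >/dev/null 2>&1 || die "crlutil not found (install nss-tools / libnss3-tools)"
  revoke "$1"
}

main "$@"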