From: dave <de...@zi...> - 2009-05-02 02:03:18
> From: Dan Barber [mailto:db...@os...]
> ...
> I've deleted the jdoe.cert, jdoe.csr and jdoe.key files and now need to
> recreate. When I go through the build-key script, it errors out at the
> end with a:
>
> failed to update database
> TXT_DB error number 2
>
> Too late, but now I know I need to revoke the certificate instead of
> deleting it. When I try to revoke using ". ./vars; ./revoke-full jdoe"
> it gives me the following:
>
> Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
> unable to load certificate
> 12699:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:647:Expecting: TRUSTED CERTIFICATE
> Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
> unable to load certificate
> 12702:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:647:Expecting: TRUSTED CERTIFICATE
>
> Can anyone tell me how to fix this mess I've created?

...

I'm assuming what you really want to do is revoke the certificate you
have deleted (erroneously thinking that is revocation), and then
potentially reissuing whatever that cert was (or maybe not).

Here's a kooky idea:

* look in index.txt to find the serial number of the certificate you deleted.
* you probably still have the various *.pem versions of the certs, and
  didn't delete his certificate after all if you just deleted .crt .key .csr.
* copy the relevant hh.pem file (where hh is hex serial number) to jdoe.crt
* try to do your revoke again

Provided the revocation stuff doesn't need any more than the cert you
should be OK. The CRL is essentially a signed list of serial numbers.

If that doesn't work then I have a more hideous idea...

-Dave
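The recovery Dave outlines (find the serial in index.txt, copy the CA's `<serial>.pem` copy back to `<name>.crt`, then revoke) can be scripted. The following is an added example written for this page, not code from the thread or from easy-rsa. It assumes the easy-rsa 2 layout where `index.txt` and the per-serial `NN.pem` files live in the same keys directory (`$KEY_DIR`), and it parses the OpenSSL `ca` index format (tab-separated: status, expiry, revocation date, hex serial, filename, subject). It only restores the still-valid (`V`) entry for the CN, so an already-revoked (`R`) cert with the same name is not picked up by mistake. The keys directory it builds for the demo is constructed, with a placeholder PEM body; on a real CA you would point it at the actual keys directory and then run `./revoke-full jdoe` as in the reply.

```shell
#!/bin/sh
# Added example (hypothetical helper, not part of easy-rsa).
set -eu

# Print the hex serial of the currently valid (status V) certificate whose
# subject contains /CN=<cn>. Fails (exit 1) when no such entry exists, e.g.
# when the cert was already revoked or never issued.
find_serial_for_cn() {
    idx="$1"; cn="$2"
    awk -F'\t' -v cn="$cn" '
        # Append "/" so a CN that is the last RDN still matches "/CN=x/".
        $1 == "V" && index($6 "/", "/CN=" cn "/") > 0 { print $4; found = 1 }
        END { if (!found) exit 1 }
    ' "$idx"
}

# Restore <keys>/<cn>.crt from the CA copy <keys>/<serial>.pem that
# "openssl ca" wrote when the cert was issued (easy-rsa sets
# new_certs_dir to the keys dir), so revoke-full can load the cert again.
# Prints the restored path.
restore_cert_from_serial() {
    keys="$1"; cn="$2"
    serial=$(find_serial_for_cn "$keys/index.txt" "$cn") || {
        echo "no valid index.txt entry for CN=$cn" >&2; return 1; }
    [ -f "$keys/$serial.pem" ] || {
        echo "missing $keys/$serial.pem (CA copy of the cert)" >&2; return 1; }
    cp "$keys/$serial.pem" "$keys/$cn.crt"
    echo "$keys/$cn.crt"
}

# Build a constructed keys directory (sample data, not from a real CA):
# one valid server cert, one already-revoked user, and the valid jdoe cert
# whose .crt/.key/.csr were deleted but whose 03.pem copy survives.
make_demo_keys_dir() {
    d=$(mktemp -d)
    printf 'V\t200430020318Z\t\t01\tunknown\t/C=US/O=Example/CN=server\n'           >  "$d/index.txt"
    printf 'R\t200430020318Z\t090501000000Z\t02\tunknown\t/C=US/O=Example/CN=olduser\n' >> "$d/index.txt"
    printf 'V\t200430020318Z\t\t03\tunknown\t/C=US/O=Example/CN=jdoe\n'             >> "$d/index.txt"
    printf -- '-----BEGIN CERTIFICATE-----\nPLACEHOLDER-NOT-A-REAL-CERT\n-----END CERTIFICATE-----\n' > "$d/03.pem"
    echo "$d"
}

# Usage: sh restore_cert.sh demo     (runs against the constructed dir)
#        restore_cert_from_serial /etc/openvpn/easy-rsa/keys jdoe
#        followed by: ./revoke-full jdoe   (index.txt entry then shows R)
if [ "${1:-}" = "demo" ]; then
    keys=$(make_demo_keys_dir)
    echo "serial for jdoe: $(find_serial_for_cn "$keys/index.txt" jdoe)"
    echo "restored: $(restore_cert_from_serial "$keys" jdoe)"
fi
```

After the restore, `revoke-full` can read `jdoe.crt` again; once it succeeds, the jdoe line in `index.txt` changes from `V` to `R` with a revocation timestamp, and the serial appears in the regenerated `crl.pem`, which is the signed list of serials the reply refers to.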