From: Tim N. <tn...@ro...> - 2010-08-09 17:59:45

----- "Jan Just Keijser" <ja...@ni...> wrote:
> Tim Nelson wrote:
> > ----- "Jan Just Keijser" <ja...@ni...> wrote:
> > > Hi Tim,
> > >
> > > Tim Nelson wrote:
> > > > Greetings fellow OpenVPN'ers-
> > > >
> > > > I have a few OpenVPN installations that use the easy-rsa scripts for
> > > > key creation/management. On one installation, the keys folder is just
> > > > *FULL* of xxxxxx.pem files (01101D.pem for example). A quick 'ls -1
> > > > |wc -l' shows the keys folder contains 409930 files. The number of
> > > > keys on this particular installation is around 400 or so, which
> > > > accounts for roughly 1200 of the files (crt, csr, key). Why are there
> > > > so many .pem files present? I have to believe that this number is a
> > > > bit high...
> > >
> > > I would be very very wary of this directory and of its keys until you
> > > find a good explanation ...
> > > Each pem file is a signed certificate, signed by the CA.
> > > What is the subject and what is the issuer of one of these pem files?
> > > You can query the files using
> > >
> > >   openssl x509 -subject -issuer -noout -in 011010D.pem
> > >
> > > For each crt there will be a copy named <serial>.pem; if a
> > > certificate with a subject has been issued multiple times (e.g. after
> > > renewal, revocation) then you will still have a single .crt file yet
> > > multiple .pem files. That still would not explain the 400,000 files for
> > > 400 certs.
> > >
> > > HTH,
> >
> > This is *VERY* helpful! It appears some poor coding in the key
> > management system (run from cron) was creating keys/PEMs for system
> > files that were inadvertently passed as arguments... Ugh.
> >
> > If a PEM file has a CN that does not belong to a valid cert, is it
> > safe to remove that PEM since it's tied to an invalid cert/key pair
> > that doesn't exist?
>
> Yes, in that case you can remove the file, but make absolutely sure that
> it has not been handed out as a certificate - once removed you can no
> longer revoke a certificate (without re-instating the file).

Just a followup to this... if I remove the unneeded PEMs, do I also need to update the 'index.txt' file? It appears to have a complete listing of the certificates, time/dates, etc.

Thanks!

--Tim
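The script below is an added example, not code from this thread, from easy-rsa or from OpenSSL. It cross-checks the <serial>.pem files in an easy-rsa keys directory against the CA database that Tim's follow-up asks about: index.txt is the `database` file that `openssl ca` appends one tab-separated line to for every certificate it signs (status, expiry, revocation date, serial, filename, subject DN), and the <serial>.pem copy is what the same signing step writes to `new_certs_dir`, which easy-rsa's openssl.cnf points at the keys directory. A PEM on disk with no index.txt line was therefore not signed through this database and has no entry to clean up, while an index.txt entry whose PEM is gone is exactly the case Jan warns about, because `openssl ca -revoke` needs the certificate file. The demo directory, serials and subject names are constructed for the example; real installations are audited by pointing `audit_keys_dir` at the keys directory and its index.txt.

```shell
#!/bin/sh
# Added example (not from the thread, easy-rsa or OpenSSL): audit an
# easy-rsa keys directory against the OpenSSL CA database (index.txt).
#
# index.txt columns (tab-separated), one line per certificate signed:
#   status (V valid / R revoked / E expired), expiry (YYMMDDHHMMSSZ),
#   revocation date (empty unless R), serial (hex), filename, subject DN

# Constructed demo layout: two issued certs (one revoked), one PEM that
# exists with no database entry, one database entry with no PEM on disk,
# plus non-certificate files that must be skipped. Prints the directory.
make_demo_dir() {
    d=$(mktemp -d)
    printf 'V\t200809175945Z\t\t01101D\tunknown\t/C=US/O=demo/CN=client1\n' >  "$d/index.txt"
    printf 'R\t200809175945Z\t100801120000Z\t01101E\tunknown\t/C=US/O=demo/CN=client2\n' >> "$d/index.txt"
    printf 'V\t200809175945Z\t\t01101F\tunknown\t/C=US/O=demo/CN=client3\n' >> "$d/index.txt"
    : > "$d/01101D.pem"; : > "$d/01101E.pem"   # issued and present
    : > "$d/0BAD01.pem"                        # present, never issued
    : > "$d/ca.crt"; : > "$d/dh1024.pem"       # not serial-named, skipped
    echo "$d"
}

# Status letter recorded in index.txt ($1) for serial $2, or empty if none.
index_status() {
    awk -F'\t' -v s="$2" 'toupper($4) == toupper(s) { print $1; exit }' "$1"
}

# Serials of <serial>.pem files in dir $1 that have no line in index $2.
orphan_pems() {
    for f in "$1"/*.pem; do
        [ -e "$f" ] || continue
        s=$(basename "$f" .pem)
        case "$s" in *[!0-9A-Fa-f]*) continue ;; esac   # dh*.pem etc.
        [ -n "$(index_status "$2" "$s")" ] || echo "$s"
    done
}

# Serials recorded in index $2 whose <serial>.pem is missing from dir $1.
missing_pems() {
    awk -F'\t' '$4 != "" { print $4 }' "$2" | while read -r s; do
        [ -e "$1/$s.pem" ] || echo "$s"
    done
}

# Human-readable report. A suspect file is still inspected by hand with
#   openssl x509 -subject -issuer -noout -in "$dir/<serial>.pem"
audit_keys_dir() {
    for s in $(orphan_pems "$1" "$2"); do
        echo "ORPHAN  $s.pem on disk, no index.txt entry (not signed via this database)"
    done
    for s in $(missing_pems "$1" "$2"); do
        echo "MISSING $s.pem absent, index.txt status $(index_status "$2" "$s"); cannot be revoked until restored"
    done
}

# Run "sh audit.sh --demo" to see the report on the constructed directory.
if [ "${1:-}" = "--demo" ]; then
    d=$(make_demo_dir)
    audit_keys_dir "$d" "$d/index.txt"
    rm -rf "$d"
fi
```

Serial comparison is case-insensitive because `openssl ca` writes upper-case hex while some tooling names files in lower case; the filename filter only skips names that contain a non-hex character, so a real installation should be checked with the report in hand rather than deleted from blindly.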