From: Spook ZA <sp...@gm...> - 2010-08-10 08:31:21
Hi. Just my paranoid 2c worth ;)

Would it not be safer to write a quick script to revoke the unused
certificates before deleting them (just for safety's sake)?

Regards,
Andy.

On 10 August 2010 10:20, Jan Just Keijser <ja...@ni...> wrote:
>
> Tim Nelson wrote:
> > ----- "Jan Just Keijser" <ja...@ni...> wrote:
> >
> >> Tim Nelson wrote:
> >>
> >>> ----- "Jan Just Keijser" <ja...@ni...> wrote:
> >>>
> >>>> Hi Tim,
> >>>>
> >>>> Tim Nelson wrote:
> >>>>
> >>>>> Greetings fellow OpenVPN'ers-
> >>>>>
> >>>>> I have a few OpenVPN installations that use the easy-rsa scripts for
> >>>>> key creation/management. On one installation, the keys folder is just
> >>>>> *FULL* of xxxxxx.pem files (01101D.pem for example). A quick
> >>>>> 'ls -1 | wc -l' shows the keys folder contains 409930 files. The
> >>>>> number of keys on this particular installation is around 400 or so,
> >>>>> which accounts for roughly 1200 of the files (crt, csr, key). Why are
> >>>>> there so many .pem files present? I have to believe that this number
> >>>>> is a bit high...
> >>>>
> >>>> I would be very, very wary of this directory and of its keys until you
> >>>> find a good explanation ...
> >>>> Each pem file is a signed certificate, signed by the CA.
> >>>> What is the subject and what is the issuer of one of these pem files?
> >>>> You can query the files using
> >>>>
> >>>>     openssl x509 -subject -issuer -noout -in 011010D.pem
> >>>>
> >>>> For each crt there will be a copy named <serial>.pem; if a
> >>>> certificate with a subject has been issued multiple times (e.g. after
> >>>> renewal, revocation) then you will still have a single .crt file yet
> >>>> multiple .pem files. That still would not explain the 400,000 files
> >>>> for 400 certs.
> >>>>
> >>>> HTH,
> >>>
> >>> This is *VERY* helpful! It appears some poor coding in the key
> >>> management system (run from cron) was creating keys/PEMs for system
> >>> files that were inadvertently passed as arguments... Ugh.
> >>>
> >>> If a PEM file has a CN that does not belong to a valid cert, is it
> >>> safe to remove that PEM since it's tied to an invalid cert/key pair
> >>> that doesn't exist?
> >>
> >> Yes, in that case you can remove the file, but make absolutely sure
> >> that it has not been handed out as a certificate - once removed you can
> >> no longer revoke a certificate (without re-instating the file).
> >
> > Just a followup to this... if I remove the unneeded PEMs, do I also need
> > to update the 'index.txt' file? It appears to have a complete listing of
> > the certificates, time/dates, etc.
>
> I wouldn't touch the index.txt file unless you wish to re-use serial
> numbers. The files index.txt and serial are linked to each other: if you
> would update the index.txt file you probably will also have to update
> the serial file - make backups before attempting anything and verify
> that you can
> - issue a new cert
> - revoke a cert
> before switching to the cleansed index.txt file.
>
> HTH,
>
> JJK
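An audit script in the spirit of Andy's "revoke before deleting" and JJK's warning that index.txt and serial are linked, as an added example that is not part of the thread and not easy-rsa's own code. It assumes the easy-rsa 2 layout in which `openssl ca` drops one `<serial>.pem` copy of every certificate it signs into the keys directory, that index.txt is the standard OpenSSL CA database (six tab-separated columns: status, expiry, revocation date, serial, filename, subject), and, as an easy-rsa convention, that a client issued as `<name>.crt` carries `CN=<name>`. The keys directory it builds is constructed for the demonstration; it contains no real keys, and the script only prints the `openssl ca -revoke` commands rather than running them, so you can review them against `openssl x509 -subject -issuer -noout` output first.

```python
"""Audit an easy-rsa keys directory before deleting stray <serial>.pem files.

Added example (not from the thread or from easy-rsa). Assumes: easy-rsa 2
layout, standard six-column OpenSSL index.txt, and CN=<name> for <name>.crt.
"""
from __future__ import annotations

import os
import re
import tempfile
from dataclasses import dataclass

SERIAL_PEM = re.compile(r"^([0-9A-Fa-f]+)\.pem$")


@dataclass
class IndexEntry:
    status: str   # V = valid, R = revoked, E = expired
    expiry: str
    revoked: str  # revocation date; empty unless status == "R"
    serial: str   # upper-case hex, as openssl ca writes it
    subject: str


def parse_index(text: str) -> list[IndexEntry]:
    """Parse index.txt strictly; a malformed line means do not trust the database."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        cols = line.split("\t")
        if len(cols) != 6 or cols[0] not in ("V", "R", "E"):
            raise ValueError(f"index.txt line {lineno}: not an OpenSSL CA record: {line!r}")
        status, expiry, revoked, serial, _fname, subject = cols
        entries.append(IndexEntry(status, expiry, revoked, serial.upper(), subject))
    return entries


def cn_of(subject: str) -> str | None:
    m = re.search(r"/CN=([^/]+)", subject)
    return m.group(1) if m else None


def audit(keys_dir: str) -> dict[str, list[str]]:
    """Classify every <serial>.pem by what index.txt and the <name>.crt files say."""
    with open(os.path.join(keys_dir, "index.txt"), encoding="utf-8") as f:
        index = parse_index(f.read())
    by_serial = {e.serial: e for e in index}
    names = os.listdir(keys_dir)
    pem_serials = {m.group(1).upper() for n in names if (m := SERIAL_PEM.match(n))}
    crt_names = {n[:-4] for n in names if n.endswith(".crt")}
    report: dict[str, list[str]] = {
        "keep": [],                    # valid and a matching <CN>.crt exists
        "revoke_then_delete": [],      # still valid per the CA, but no client owns it
        "already_revoked_delete": [],  # on the CRL already; file no longer needed
        "orphan_pem": [],              # serial the CA database never recorded: investigate
        "missing_pem": [],             # recorded by the CA but file gone: cannot revoke
    }
    for serial in sorted(pem_serials):
        entry = by_serial.get(serial)
        if entry is None:
            report["orphan_pem"].append(serial)
        elif entry.status == "R":
            report["already_revoked_delete"].append(serial)
        elif cn_of(entry.subject) in crt_names:
            report["keep"].append(serial)
        else:
            report["revoke_then_delete"].append(serial)
    report["missing_pem"] = sorted(e.serial for e in index if e.serial not in pem_serials)
    return report


def revoke_commands(report: dict[str, list[str]], keys_dir: str, config: str = "openssl.cnf") -> list[str]:
    """Commands to review and run before deleting: revoke by file, then regenerate the CRL."""
    cmds = [f"openssl ca -config {config} -revoke {os.path.join(keys_dir, s + '.pem')}"
            for s in report["revoke_then_delete"]]
    if cmds:
        cmds.append(f"openssl ca -config {config} -gencrl -out {os.path.join(keys_dir, 'crl.pem')}")
    return cmds


def serial_file_consistent(keys_dir: str) -> bool:
    """index.txt and serial are linked: the next serial must exceed every issued one."""
    with open(os.path.join(keys_dir, "index.txt"), encoding="utf-8") as f:
        index = parse_index(f.read())
    with open(os.path.join(keys_dir, "serial"), encoding="utf-8") as f:
        next_serial = int(f.read().strip(), 16)
    return all(next_serial > int(e.serial, 16) for e in index)


def build_sample_dir() -> str:
    """Constructed demo directory: empty placeholder files, no real certificates."""
    d = tempfile.mkdtemp(prefix="keys-")
    index = "\n".join([
        "V\t200810080000Z\t\t01\tunknown\t/C=ZA/O=Example/CN=server",
        "V\t200810080000Z\t\t02\tunknown\t/C=ZA/O=Example/CN=alice",
        "R\t200810080000Z\t100801120000Z\t03\tunknown\t/C=ZA/O=Example/CN=bob",
        "V\t200810080000Z\t\t04\tunknown\t/C=ZA/O=Example/CN=etc-passwd",  # cron accident
        "V\t200810080000Z\t\t05\tunknown\t/C=ZA/O=Example/CN=carol",        # 05.pem is gone
    ]) + "\n"
    files = {"index.txt": index, "serial": "06\n", "01.pem": "", "02.pem": "", "03.pem": "",
             "04.pem": "", "0A.pem": "", "server.crt": "", "alice.crt": "", "bob.crt": "",
             "carol.crt": ""}
    for name, body in files.items():
        with open(os.path.join(d, name), "w", encoding="utf-8") as f:
            f.write(body)
    return d


if __name__ == "__main__":
    d = build_sample_dir()
    for category, serials in audit(d).items():
        print(f"{category:24s} {serials}")
    print("\n".join(revoke_commands(audit(d), d)))
    print("serial file consistent:", serial_file_consistent(d))
```

The "orphan_pem" and "missing_pem" buckets are the ones to stop on: a serial that index.txt never recorded means something other than the CA wrote into the directory, and a recorded serial with no file is exactly the "once removed you can no longer revoke" case JJK describes. Everything in "revoke_then_delete" should be confirmed with `openssl x509 -subject -issuer -noout -in <serial>.pem` before the printed commands are run.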