Due to a variety of circumstances out of my control, I found it necessary to control access to an OpenVPN server without depending on a certificate revocation list. After some effort, I discovered a way to execute a script that can check the common name of the client certificate and use the return code to authorize the connection.
First, create a whitelist file, one CN per line. For example, let’s say you have three OpenVPN clients:
Second, create a verify-cn script. Here’s mine:
Then add the following to openvpn.conf:
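An added example of what such a verify script can look like (this is not the author's script): it assumes the hook is wired in with OpenVPN's `tls-verify` directive together with `script-security 2`, and the whitelist path and script name are placeholders. OpenVPN calls the script with the certificate depth and the X.509 subject string and accepts the connection only if the script exits 0; the example checks only the client's own certificate (depth 0), matches the CN exactly, and fails closed if the whitelist is missing.

```shell
#!/bin/sh
# Added example, not the author's script: an OpenVPN --tls-verify hook that
# accepts a connection only when the client certificate's CN appears in a
# whitelist file (one CN per line). OpenVPN runs it as
#     verify-cn <certificate_depth> <x509_subject_name>
# and treats exit status 0 as "accept", anything else as "reject".
# Assumed (placeholder) openvpn.conf lines: script-security 2
#                                           tls-verify /etc/openvpn/verify-cn
WHITELIST="${WHITELIST:-/etc/openvpn/allowed-cns}"   # placeholder path
log() { logger -t verify-cn "$*" 2>/dev/null || printf 'verify-cn: %s\n' "$*" >&2; }

# Print the CN from the subject string OpenVPN passes. Both the newer
# "C=US, O=Example, CN=alice" and the older "/C=US/O=Example/CN=alice"
# layouts are handled; a subject without a CN prints nothing. The leading
# comma is prepended so a subject that is just "CN=alice" still matches.
extract_cn() {
    printf ',%s\n' "$1" | sed -n 's|.*[,/ ]CN=\([^,/]*\).*|\1|p'
}

# 0 if the CN is listed, 1 otherwise. -F -x: literal, whole-line match, so
# "alice" does not also admit "alice-old" or "malice". A missing or unreadable
# whitelist makes grep fail, which rejects: the check fails closed.
cn_allowed() {
    [ -n "$1" ] || return 1
    grep -Fxq -- "$1" "$2" 2>/dev/null
}

# The decision OpenVPN acts on. Depth 0 is the client's own certificate and is
# the only level compared against the whitelist; the CA chain (depth >= 1) is
# left to OpenVPN's own --ca validation. A non-numeric depth is rejected.
verify_cn() {
    depth="$1"; subject="$2"; list="${3:-$WHITELIST}"
    case "$depth" in
        0) ;;
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
    cn="$(extract_cn "$subject")"
    if cn_allowed "$cn" "$list"; then
        log "accepted CN=$cn"
        return 0
    fi
    log "rejected subject '$subject' (CN not whitelisted)"
    return 1
}

# Only act when invoked by OpenVPN with its two arguments; otherwise just
# define the functions (for example when sourced for testing).
if [ "$#" -eq 2 ]; then
    verify_cn "$1" "$2"
    exit $?
fi
```

Whether the subject arrives in the comma-separated or the slash-separated form depends on the OpenVPN version (older releases use the slash form), which is why the script accepts both.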
I’m not sure this should be a primary means of security. However, it could be useful in cases like mine, where the CRL was not sufficient.
It is useful in addition to a CRL because a CRL is a blacklist, while this is a whitelist. If it’s possible that some keys have been created that you are not aware of, this might prevent them from slipping through.