0

I need to know how to view existing certificates in OpenVPN. The internal documentation passed to me (written by a past employer) covers creating, removing, retrieving and revoking users; see below:

/etc/openvpn/getclient.sh

/etc/openvpn/revokeclient.sh

rm /etc/openvpn/easy-rsa/3.0.6/pki/private/.key

rm /etc/openvpn/easy-rsa/3.0.6/pki/reqs/.req

rm /etc/openvpn/easy-rsa/3.0.6/pki/issued/.crt

A record of existing certificates has never been maintained, so I suspect there is a large number that can now be deleted.

If anyone can point me in the right direction I would be extremely grateful.

Emma
  • 1

2 Answers

1

You can't know.

A certificate is signed by the Certificate Authority (CA), but it should not be stored by anyone but the owner of the certificate. Furthermore, the CA need not even be yours; you can trust external CAs if you want.

Certificate issuance is totally offline and there is no central repository of certificates - the security stems from the fact that it's impossible to forge the signature, so there's no need for a central repository - which also gives flexibility.

Furthermore, you cannot delete certificates. You can revoke them, marking them as invalid. But as they can be stored on other systems, there's no way you can delete them.

As you effectively have no idea of what's been issued and not, I would start over at this point, reissuing certificates. I would suggest that you use some sort of directory, such as FreeIPA or Active Directory to keep track of and automatically issue and rotate certificates.

vidarlo
  • 11,723
0
ls -ltr /etc/openvpn/clients/

For client certificates

You can also cat them all if you want to view the contents

cat /etc/openvpn/clients/*.crt

For the server certificates

cat /etc/openvpn/server.crt

Or using openssl

For client certificates

for f in /etc/openvpn/clients/*.crt; do openssl x509 -in "$f" -noout -text; done

For the server certificates

openssl x509 -in /etc/openvpn/server.crt -text

Turdie
  • 2,945
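Neither answer mentions the one record easy-rsa does keep: the CA database at pki/index.txt (under the layout in the question, /etc/openvpn/easy-rsa/3.0.6/pki/index.txt). Every certificate the CA has signed gets one tab-separated line there with its status (V valid, R revoked, E expired), expiry date, revocation date, serial and subject, so it answers "what has this CA issued, and what is already revoked" without reading every .crt file. The script below is an added example, not code from either answer or from the easy-rsa project; it parses that format with awk and runs against a constructed sample index rather than a real PKI. The status field is only rewritten when easy-rsa's own expire/update commands run, so the optional NOW argument lets the script flag valid-marked entries whose expiry has already passed.

```sh
#!/bin/sh
# Added example: summarise an easy-rsa 3 CA database (pki/index.txt).
# index.txt is the OpenSSL "ca" database, one tab-separated line per certificate:
#   status (V/R/E) | expiry (YYMMDDHHMMSSZ) | revocation date (empty unless R) |
#   serial (hex) | "unknown" | subject DN such as /C=GB/O=Example/CN=alice
# Unlike ls on the issued/ directory, this also shows what has already been revoked.

# list_certs INDEX [NOW]
# Prints "status serial expiry CN", tab-separated, per entry. If NOW is given in
# YYMMDDHHMMSSZ form, entries still marked V whose expiry is before NOW are
# reported as E (easy-rsa only updates the status when you run its own commands).
list_certs() {
  awk -F'\t' -v now="$2" '
  NF >= 6 {
    status = $1; expiry = $2; serial = $4; subject = $6
    # pull the CN out of the slash-separated DN, e.g. /O=Example/CN=alice -> alice
    cn = subject
    if (index(cn, "/CN=")) { sub(/.*\/CN=/, "", cn); sub(/\/.*/, "", cn) }
    # both dates share the same fixed-width format, so string order is date order
    if (status == "V" && now != "" && expiry < now) status = "E"
    printf "%s\t%s\t%s\t%s\n", status, serial, expiry, cn
  }' "$1"
}

# count_status INDEX STATUS [NOW]: number of entries currently in the given status
count_status() {
  list_certs "$1" "$3" | awk -F'\t' -v s="$2" '$1 == s { n++ } END { print n + 0 }'
}

# write_sample_index FILE: constructed sample data, not taken from any real PKI
write_sample_index() {
  {
    printf 'V\t350101000000Z\t\t01\tunknown\t/CN=server\n'
    printf 'V\t200101000000Z\t\t02\tunknown\t/CN=alice\n'
    printf 'R\t350101000000Z\t230615120000Z\t03\tunknown\t/CN=bob\n'
    printf 'V\t350101000000Z\t\t04\tunknown\t/C=GB/O=Example/CN=carol\n'
  } > "$1"
}

# Demo on the constructed sample. Against a real PKI you would instead run
#   list_certs /etc/openvpn/easy-rsa/3.0.6/pki/index.txt "$(date -u +%y%m%d%H%M%SZ)"
sample=$(mktemp)
write_sample_index "$sample"
list_certs "$sample" 300101000000Z
rm -f "$sample"
```

Pair this with the revoke script from the question: revoking an entry changes its first field to R and easy-rsa regenerates the CRL, and the listing above then shows the revocation immediately, whereas the .crt file in issued/ looks unchanged until someone deletes it.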