diff --git a/docs/ikev2-howto-zh.md b/docs/ikev2-howto-zh.md
index c8095a8..7fd4481 100644
--- a/docs/ikev2-howto-zh.md
+++ b/docs/ikev2-howto-zh.md
@@ -9,6 +9,8 @@
* [使用辅助脚本](#使用辅助脚本)
* [手动在 VPN 服务器上配置 IKEv2](#手动在-vpn-服务器上配置-ikev2)
* [配置 IKEv2 VPN 客户端](#配置-ikev2-vpn-客户端)
+* [添加一个客户端证书](#添加一个客户端证书)
+* [吊销一个客户端证书](#吊销一个客户端证书)
* [已知问题](#已知问题)
* [参考链接](#参考链接)
@@ -25,7 +27,7 @@ Libreswan 支持通过使用 RSA 签名算法的 X.509 Machine Certificates 来
## 使用辅助脚本
-**重要:** 作为使用本指南的先决条件,在继续之前,你必须确保你已经成功地 搭建自己的 VPN 服务器,并且(可选但推荐)将 Libreswan 升级 到最新版本。Docker 用户请看 这里。
+**重要:** 作为使用本指南的先决条件,在继续之前,你必须确保你已经成功地 搭建自己的 VPN 服务器,并且(可选但推荐)将 Libreswan 升级 到最新版本。**Docker 用户请看 这里**。
你可以使用这个辅助脚本来自动地在 VPN 服务器上配置 IKEv2:
@@ -225,7 +227,7 @@ wget https://git.io/ikev2setup -O ikev2.sh && sudo bash ikev2.sh
vpnclient u,u,u
```
- **注:** 如需显示证书内容,可使用 `certutil -L -d sql:/etc/ipsec.d -n "Nickname"`。要删除一个证书,将 `-L` 换成 `-D`。更多的 `certutil` 使用说明请看 这里。
+ **注:** 如需显示证书内容,可使用 `certutil -L -d sql:/etc/ipsec.d -n "Nickname"`。要吊销一个客户端证书,请转到[这一节](#吊销一个客户端证书)。关于 `certutil` 的其它用法参见 这里。
1. **(重要)重启 IPsec 服务**:
@@ -337,6 +339,96 @@ wget https://git.io/ikev2setup -O ikev2.sh && sudo bash ikev2.sh
连接成功后,你可以到 这里 检测你的 IP 地址,应该显示为`你的 VPN 服务器 IP`。
+## 添加一个客户端证书
+
+如果要为更多的客户端生成证书,只需重新运行 [辅助脚本](#使用辅助脚本)。或者你可以看 [这一小节](#手动在-vpn-服务器上配置-ikev2) 的第 4 步。
+
+## 吊销一个客户端证书
+
+在某些情况下,你可能需要吊销一个之前生成的 VPN 客户端证书。这可以通过 `crlutil` 实现。下面举例说明,这些命令必须用 `root` 账户运行。
+
+1. 检查证书数据库,并且找到想要吊销的客户端证书的昵称。
+
+ ```bash
+ certutil -L -d sql:/etc/ipsec.d
+ ```
+
+ ```
+ Certificate Nickname Trust Attributes
+ SSL,S/MIME,JAR/XPI
+
+ IKEv2 VPN CA CTu,u,u
+ ($PUBLIC_IP) u,u,u
+ vpnclient-to-revoke u,u,u
+ ```
+
+ 在这个例子中,我们将要吊销昵称为 `vpnclient-to-revoke` 的客户端证书。它是由 `IKEv2 VPN CA` 签发的。
+
+1. 找到该客户端证书的序列号。
+
+ ```bash
+ certutil -L -d sql:/etc/ipsec.d -n "vpnclient-to-revoke"
+ ```
+
+ ```
+ Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number:
+ 00:cd:69:ff:74
+ ... ...
+ ```
+
+ 根据上面的输出,我们知道该序列号为十六进制的 `CD69FF74`,也就是十进制的 `3446275956`。它将在以下步骤中使用。
+
+1. 创建一个新的证书吊销列表 (CRL)。该步骤对于每个 CA 只需运行一次。
+
+ ```bash
+ if ! crlutil -L -d sql:/etc/ipsec.d -n "IKEv2 VPN CA" 2>/dev/null; then
+ crlutil -G -d sql:/etc/ipsec.d -n "IKEv2 VPN CA" -c /dev/null
+ fi
+ ```
+
+ ```
+ CRL Info:
+ :
+ Version: 2 (0x1)
+ Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
+ Issuer: "O=IKEv2 VPN,CN=IKEv2 VPN CA"
+ This Update: Sat Jun 06 22:00:00 2020
+ CRL Extensions:
+ ```
+
+1. 将你想要吊销的客户端证书添加到 CRL。在这里我们指定该证书的(十进制)序列号,以及吊销时间(UTC时间,格式:GeneralizedTime (YYYYMMDDhhmmssZ))。
+
+ ```bash
+ crlutil -M -d sql:/etc/ipsec.d -n "IKEv2 VPN CA" <这里。
+
+1. 最后,让 Libreswan 重新读取已更新的 CRL。
+
+ ```bash
+ ipsec crls
+ ```
+
## 已知问题
1. Windows 自带的 VPN 客户端可能不支持 IKEv2 fragmentation。在有些网络上,这可能会导致连接错误或其它连接问题。你可以尝试换用 IPsec/L2TP 或 IPsec/XAuth 模式。
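Review bot: Step 4 of the new revocation section is incomplete as rendered: the `crlutil -M -d sql:/etc/ipsec.d -n "IKEv2 VPN CA" <这里。` line ends where the heredoc body (the decimal serial `3446275956` and the GeneralizedTime timestamp the prose promises) should begin, and the closing fence and the sentence that followed it are gone too, so a reader cannot run this step. Please confirm the committed file carries the full heredoc and closing fence, and consider ending the section with a check such as `crlutil -L -d sql:/etc/ipsec.d -n "IKEv2 VPN CA"` so the reader can confirm the serial now appears in the CRL before relying on `ipsec crls`.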
@@ -351,3 +443,5 @@ wget https://git.io/ikev2setup -O ikev2.sh && sudo bash ikev2.sh
* https://libreswan.org/man/ipsec.conf.5.html
* https://wiki.strongswan.org/projects/strongswan/wiki/WindowsClients
* https://wiki.strongswan.org/projects/strongswan/wiki/AndroidVpnClient
+* https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/tools/NSS_Tools_certutil
+* https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/tools/NSS_Tools_crlutil
diff --git a/docs/ikev2-howto.md b/docs/ikev2-howto.md
index ac6e8f1..cadf509 100644
--- a/docs/ikev2-howto.md
+++ b/docs/ikev2-howto.md
@@ -9,6 +9,8 @@
* [Using helper scripts](#using-helper-scripts)
* [Manually set up IKEv2 on the VPN server](#manually-set-up-ikev2-on-the-vpn-server)
* [Configure IKEv2 VPN clients](#configure-ikev2-vpn-clients)
+* [Add a client certificate](#add-a-client-certificate)
+* [Revoke a client certificate](#revoke-a-client-certificate)
* [Known issues](#known-issues)
* [References](#references)
@@ -25,7 +27,7 @@ Libreswan can authenticate IKEv2 clients on the basis of X.509 Machine Certifica
## Using helper scripts
-**Important:** As a prerequisite to using this guide, and before continuing, you must make sure that you have successfully set up your own VPN server, and (optional but recommended) upgraded Libreswan to the latest version. Docker users, see here.
+**Important:** As a prerequisite to using this guide, and before continuing, you must make sure that you have successfully set up your own VPN server, and (optional but recommended) upgraded Libreswan to the latest version. **Docker users, see here**.
You may use this helper script to automatically set up IKEv2 on the VPN server:
@@ -33,7 +35,7 @@ You may use this helper script to automatically set up IKEv2 on the VPN server:
wget https://git.io/ikev2setup -O ikev2.sh && sudo bash ikev2.sh
```
-The script must be run using `bash`, not `sh`. Follow the prompts to set up IKEv2. When finished, continue to [configure IKEv2 VPN clients](#configure-ikev2-vpn-clients) and check [known issues](#known-issues). If you wish to generate certificates for additional VPN clients, just run the script again.
+The script must be run using `bash`, not `sh`. Follow the prompts to set up IKEv2. When finished, continue to [configure IKEv2 VPN clients](#configure-ikev2-vpn-clients) and check [known issues](#known-issues). If you want to generate certificates for additional VPN clients, just run the script again.
## Manually set up IKEv2 on the VPN server
@@ -225,7 +227,7 @@ The following example shows how to manually configure IKEv2 with Libreswan. Comm
vpnclient u,u,u
```
- **Note:** To display a certificate, use `certutil -L -d sql:/etc/ipsec.d -n "Nickname"`. To delete a certificate, replace `-L` with `-D`. For other `certutil` usage, read this page.
+ **Note:** To display a certificate, use `certutil -L -d sql:/etc/ipsec.d -n "Nickname"`. To revoke a client certificate, follow [these steps](#revoke-a-client-certificate). For other `certutil` usage, read here.
1. **(Important) Restart the IPsec service**:
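Review bot: Replacing the "replace `-L` with `-D`" deletion hint with a pointer to the revocation section is the right fix, and it is worth saying why in the note: removing a certificate from the server's NSS database does not invalidate the copy already exported to the client, only the CRL does, so a reader who follows the old advice would believe access was cut off when it was not. Suggest one short clause, e.g. "To revoke a client certificate (deleting it from the database is not sufficient), follow [these steps](#revoke-a-client-certificate)."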
@@ -239,7 +241,7 @@ Before continuing, you **must** restart the IPsec service. The IKEv2 setup on th
*Read this in other languages: [English](ikev2-howto.md#configure-ikev2-vpn-clients), [简体中文](ikev2-howto-zh.md#配置-ikev2-vpn-客户端).*
-**Note:** If you specified the server's DNS name (instead of its IP address) in step 1 above, you must enter the DNS name in the **Server** and **Remote ID** fields. If you wish to generate certificates for additional VPN clients, just run the [helper script](#using-helper-scripts) again. Or you may refer to step 4 in the previous section.
+**Note:** If you specified the server's DNS name (instead of its IP address) in step 1 above, you must enter the DNS name in the **Server** and **Remote ID** fields. If you want to generate certificates for additional VPN clients, just run the [helper script](#using-helper-scripts) again. Or you may refer to step 4 in the previous section.
* [Windows 7, 8.x and 10](#windows-7-8x-and-10)
* [OS X (macOS)](#os-x-macos)
@@ -337,6 +339,96 @@ When finished, check to make sure both `vpnclient` and `IKEv2 VPN CA` are listed
Once successfully connected, you can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is `Your VPN Server IP`".
+## Add a client certificate
+
+If you want to generate certificates for additional VPN clients, just run the [helper script](#using-helper-scripts) again. Or you may refer to step 4 in [this section](#manually-set-up-ikev2-on-the-vpn-server).
+
+## Revoke a client certificate
+
+In certain circumstances, you may need to revoke a previously generated VPN client certificate. This can be done using `crlutil`. See example steps below, commands must be run as `root`.
+
+1. Check the database, and identify the nickname of the client certificate you want to revoke.
+
+ ```bash
+ certutil -L -d sql:/etc/ipsec.d
+ ```
+
+ ```
+ Certificate Nickname Trust Attributes
+ SSL,S/MIME,JAR/XPI
+
+ IKEv2 VPN CA CTu,u,u
+ ($PUBLIC_IP) u,u,u
+ vpnclient-to-revoke u,u,u
+ ```
+
+ In this example, we will revoke the certificate with nickname `vpnclient-to-revoke`, issued by `IKEv2 VPN CA`.
+
+1. Find the serial number of this client certificate.
+
+ ```bash
+ certutil -L -d sql:/etc/ipsec.d -n "vpnclient-to-revoke"
+ ```
+
+ ```
+ Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number:
+ 00:cd:69:ff:74
+ ... ...
+ ```
+
+ From the output, we see that the serial number is `CD69FF74` in hexadecimal, which is `3446275956` in decimal. It will be used in the next steps.
+
+1. Create a new Certificate Revocation List (CRL). You only need to do this once for each CA.
+
+ ```bash
+ if ! crlutil -L -d sql:/etc/ipsec.d -n "IKEv2 VPN CA" 2>/dev/null; then
+ crlutil -G -d sql:/etc/ipsec.d -n "IKEv2 VPN CA" -c /dev/null
+ fi
+ ```
+
+ ```
+ CRL Info:
+ :
+ Version: 2 (0x1)
+ Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
+ Issuer: "O=IKEv2 VPN,CN=IKEv2 VPN CA"
+ This Update: Sat Jun 06 22:00:00 2020
+ CRL Extensions:
+ ```
+
+1. Add the client certificate you want to revoke to the CRL. Here we specify the certificate's serial number in decimal, and the revocation time in GeneralizedTime format (YYYYMMDDhhmmssZ) in UTC.
+
+ ```bash
+ crlutil -M -d sql:/etc/ipsec.d -n "IKEv2 VPN CA" <here.
+
+1. Finally, let Libreswan re-read the updated CRL.
+
+ ```bash
+ ipsec crls
+ ```
+
## Known issues
1. The built-in VPN client in Windows may not support IKEv2 fragmentation. On some networks, this can cause the connection to fail or have other issues. You may instead try the IPsec/L2TP or IPsec/XAuth mode.
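Review bot: In step 4 the `crlutil -M -d sql:/etc/ipsec.d -n "IKEv2 VPN CA" <here.` line is cut off: the heredoc body with the decimal serial `3446275956` and the `YYYYMMDDhhmmssZ` revocation time that the preceding sentence describes is missing, along with the closing fence, so the step cannot be executed as shown; please verify the committed file is intact. The section also ends without a way to confirm the revocation took effect; after `ipsec crls`, suggest re-running `crlutil -L -d sql:/etc/ipsec.d -n "IKEv2 VPN CA"` and checking that the serial from step 2 is listed, since a typo in the serial would silently leave the client's certificate valid. Minor: in the intro, "See example steps below, commands must be run as `root`." is a comma splice; use a period or semicolon.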
@@ -351,3 +443,5 @@ Once successfully connected, you can verify that your traffic is being routed pr
* https://libreswan.org/man/ipsec.conf.5.html
* https://wiki.strongswan.org/projects/strongswan/wiki/WindowsClients
* https://wiki.strongswan.org/projects/strongswan/wiki/AndroidVpnClient
+* https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/tools/NSS_Tools_certutil
+* https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/tools/NSS_Tools_crlutil