Section: User Commands (1)
- check blacklist of compromised keys
checks a key against a blacklist of compromised keys.
A substantial number of keys are known to have been generated using a broken version of OpenSSL distributed by Debian which failed to seed its random number generator correctly.
Keys generated using these OpenSSL versions should be assumed to be
This tool may be useful in checking for such OpenVPN shared static keys. See
for details on checking SSL/TLS certificates.
Keys that are compromised cannot be repaired; replacements must be generated
Shared keys can be regenerated with:
$ openvpn --genkey --secret file
The options are as follows:
outputs the fingerprint of each key scanned, with a description of its
This option suppresses that output.
BLACKLIST MD5SUM FORMAT
The blacklist file may start with comments, on lines starting with
After these initial comments, it must follow a strict format:
Each line must consist of the lower-case hexadecimal MD5 key fingerprint, and with the first 12 characters removed (that is, the least significant 80 bits of the fingerprint).
The key fingerprint may be generated using
$ cat file.pem | sed '/^[^0-9a-f]/d' | md5sum | cut -d ' ' -f 1
This strict format is necessary to allow the blacklist file to be checked
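The fingerprint pipeline and blacklist lookup described above, as an added shell example for this page (it is not the tool's own source): it computes the 20-character fingerprint exactly as the manpage specifies and matches it against a blacklist file in the format above. The function names, the script name in the usage comment, and any key or blacklist contents used with it are assumptions.

```shell
#!/bin/sh
# Added example (not the tool's source): fingerprint an OpenVPN shared static
# key the way this manpage describes and look it up in a blacklist file.

# Fingerprint of a key file: drop every line whose first character is not
# lower-case hex (the "-----BEGIN/END OpenVPN Static key V1-----" markers and
# any '#' comment lines), MD5 what remains, and discard the first 12 hex
# digits so only the least significant 80 bits (20 hex characters) are kept.
vulnkey_fingerprint() {
    sed '/^[^0-9a-f]/d' "$1" | md5sum | cut -d ' ' -f 1 | cut -c 13-
}

# Look a key up in a blacklist. Comment lines start with '#'; every other
# line must be exactly one 20-character fingerprint, so the match is on the
# whole line (grep -x): stray whitespace or CRLF line endings would be a miss.
# Exit status: 0 if the key is blacklisted (compromised), 1 if it is not.
vulnkey_check() {
    key=$1
    blacklist=$2
    fp=$(vulnkey_fingerprint "$key")
    if grep -v '^#' "$blacklist" | grep -qx "$fp"; then
        echo "COMPROMISED: $key ($fp) is listed in $blacklist"
        return 0
    fi
    echo "Not blacklisted: $key ($fp)"
    return 1
}

# Usage (script name assumed): sh vulnkey-check.sh <static.key> <blacklist>
if [ "$#" -eq 2 ]; then
    vulnkey_check "$1" "$2"
fi
```

A key that is not listed is only "not in this blacklist"; it says nothing about how the key was generated, so the blacklist itself must be current.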
Jamie Strandboge <firstname.lastname@example.org>
Much of this manpage is based on Colin Watson's