Revoke/Unrevoke a client certificate in OpenVPN

To revoke a client's access, the first method is to use a Certificate Revocation List (CRL). For that, go to the easy_rsa directory and execute the following (where cname is the common name of the certificate you want to disable):

./revoke-full cname

Then copy the crl.pem file created in the keys folder to the /etc/openvpn/ folder. Finally, edit server.conf and add the following line:

crl-verify crl.pem

The above file is an append-only file and is re-read every time a client connects to the server, so there is no need to restart the server the next time you overwrite it.


Now coming to the un-revoking part: I tried asking the above question on serverfault and came to know that un-revoking a certificate should generally not be done.

But, even then, if you want to do that, I will quote the guy:

in your CA folder, there should be an index.txt, with certificate IDs in it. The ones starting with "V" are valid, and ones with "R" are revoked. You can edit that file, and fix the first char to "V", and delete the third column (the revocation date). If you have more than one certificate, you should see the pattern (sequential number comes in the third column now, etc). Then you just need to regenerate the CRL again, and it should work.

To regenerate the CRL file, execute the following two commands in the easy_rsa directory:

source ./vars
openssl ca -gencrl -out "crl.pem" -config "$KEY_CONFIG"

A better way of dealing with temporarily enabling or disabling a user's access to an OpenVPN server is to use a custom tls-verify script.

Download either the bash version or the python version of the script and move the file to the /etc/openvpn/bin/ folder. Then add the following two lines at the end of the server.conf file:

script-security 3 system
tls-verify "/etc/openvpn/bin/ /etc/openvpn/userlist.txt"

If you omit the first line (it was not documented at the above link), the script will fail to run. The userlist.txt file contains the CN names (or regexes) of the certificates that are allowed to connect. To revoke a client's access, simply add a "#" to the beginning of its name or delete the line.
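As an added example (not the bash or python script the post links to), here is a POSIX shell tls-verify hook that implements the userlist.txt convention just described: one CN or regex per line, and a leading "#" disables the entry. OpenVPN appends the certificate depth and X.509 subject to the arguments given in the tls-verify directive and accepts the certificate only when the hook exits 0; the two subject formats handled below are an assumption about what the server passes.

```shell
#!/bin/sh
# Added example: a tls-verify hook for the userlist.txt scheme described above.
# With the directive from the post, OpenVPN runs it as
#   <script> /etc/openvpn/userlist.txt <depth> <x509_subject>
# once per certificate in the chain and accepts the cert only on exit status 0.

# extract_cn SUBJECT: print the CN value. Copes with both subject styles
# OpenVPN may hand over (assumed): "/C=US/O=Ex/CN=alice" (legacy) and
# "C=US, O=Ex, CN=alice" (2.4+ default). A CN containing '/' or ',' is cut.
extract_cn() {
    printf '%s\n' "$1" | sed -n 's/.*CN=\([^/,]*\).*/\1/p'
}

# verify_client DEPTH SUBJECT LISTFILE: return status 0 = allow, 1 = deny.
# Only depth 0 (the client's own certificate) is checked against the list;
# CA certificates higher in the chain are passed through untouched.
verify_client() {
    depth="$1"; subject="$2"; listfile="$3"
    if [ "$depth" -ne 0 ]; then
        return 0
    fi
    cn=$(extract_cn "$subject")
    [ -n "$cn" ] || return 1          # no CN at all: deny
    [ -r "$listfile" ] || return 1    # unreadable list: fail closed
    # Blank lines and '#' lines are skipped, so commenting a user out revokes
    # access. Each entry is anchored as a whole-line ERE so that "alice"
    # cannot match "alice2".
    while IFS= read -r entry || [ -n "$entry" ]; do
        case "$entry" in ''|'#'*) continue ;; esac
        if printf '%s\n' "$cn" | grep -Eq "^(${entry})\$"; then
            return 0
        fi
    done < "$listfile"
    return 1
}

# Entry point when OpenVPN invokes the script: list path, depth, subject.
if [ "$#" -eq 3 ]; then
    verify_client "$2" "$3" "$1"
    exit $?
fi
```

Because the script is called for every certificate in the chain, the depth check matters: without it the CA certificate's CN would also have to appear in the list.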