Thursday, June 21, 2012

Revoke/Unrevoke a client certificate in OpenVPN


To revoke the access of a client, the first method is to use the Certificate Revocation List (CRL). For that, go to the easy_rsa directory & execute the following (where cname is the common name of the certificate you want to disable):
./revoke-full cname
Then copy the crl.pem file created in the keys folder to the /etc/openvpn/ folder. Finally, edit server.conf & add the following line:
crl-verify crl.pem
This file is append-only & is re-read every time a client connects to the server, so there is no need to restart the server the next time you overwrite the file.

Now for the un-revoking part: I asked about this on serverfault & was told that un-revoking a certificate should generally not be done.

But if you still want to do it, I will quote the answer:
In your CA folder, there should be an index.txt, with certificate IDs in it. The ones starting with "V" are valid, and ones with "R" are revoked. You can edit that file, and fix the first char to "V", and delete the third column (the revocation date). If you have more than one certificate, you should see the pattern (sequential number comes in the third column now, etc).
Then you just need to regenerate the CRL again, and it should work.
To regenerate the CRL file, execute the following two commands in the easy_rsa directory:
source ./vars
openssl ca -gencrl -out "crl.pem" -config "$KEY_CONFIG"
A better way of temporarily enabling/disabling a user's access to an OpenVPN server is to use a custom tls-verify script.

Download either the bash version or the python version of the script & move the file to the /etc/openvpn/bin/ folder. Then add the following two lines at the end of the server.conf file:
script-security 3 system
tls-verify "/etc/openvpn/bin/ /etc/openvpn/userlist.txt"
If you omit the first line (it was not documented at the link above), the script will fail to run. The userlist.txt file contains the CN names (or regexes) of the allowed certificates, one per line. To revoke a client's access, simply add a "#" to the beginning of its line or delete the line.
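To show what such a tls-verify script has to get right, here is an added example in Python (my own code, not the bash/python scripts linked above): it pulls the CN out of the X509 subject OpenVPN passes, matches it against an allow-list with the "#" convention described above, and skips blank lines so the stray-newline problem the commenters below describe cannot open the server to everyone. The userlist content is constructed for the example, and a `naive_accepts` function is included only to show that failure mode.

```python
import re
import sys

# Constructed sample userlist.txt (not from the page): one CN or regex per line,
# "#" disables an entry. The trailing empty line is the pitfall the comments warn about.
SAMPLE_USERLIST = "# allowed client CNs\nalice\n#bob\nlaptop-[0-9]+\n\n"

def common_name(subject):
    """Extract the CN from an X509 subject in either the slash-separated
    ('/C=US/.../CN=alice/...') or comma-separated ('C=US, ..., CN=alice, ...') form."""
    m = re.search(r"(?:^|[/,]\s*)CN=([^/,]+)", subject)
    return m.group(1).strip() if m else None

def naive_accepts(cn, userlist_text):
    """Fragile variant: every line, blank ones included, becomes a search pattern.
    An empty pattern matches any CN, so a stray newline admits everyone."""
    return any(re.search(line, cn) for line in userlist_text.splitlines())

def load_patterns(userlist_text):
    """Compile the allow-list, dropping comments and blank lines so neither
    can become a catch-all pattern."""
    patterns = []
    for raw in userlist_text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            patterns.append(re.compile(line))
    return patterns

def verify(depth, subject, userlist_text):
    """Decision for one tls-verify call: only the leaf certificate (depth 0) is checked,
    CA certificates pass, and a CN must match a whole pattern ('alice2' != 'alice')."""
    if depth != 0:
        return True
    cn = common_name(subject)
    if cn is None:
        return False
    return any(p.fullmatch(cn) for p in load_patterns(userlist_text))

def main(argv):
    # OpenVPN appends depth and subject after the arguments given in server.conf,
    # so argv is [script, userlist_path, depth, subject]; exit 0 accepts, 1 rejects.
    if len(argv) != 4:
        return 1
    with open(argv[1], encoding="utf-8") as fh:
        return 0 if verify(int(argv[2]), argv[3], fh.read()) else 1

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```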



  2. if the revoke command in Ubuntu fails read this...
    Also thanks for this info!

  3. Sebastian Antonsen, January 4, 2014 at 5:01 PM

    This line should be changed to this:
    openssl ca -gencrl -out "crl.pem" -config "$KEY_CONFIG"'
    openssl ca -gencrl -out "crl.pem" -config "$KEY_CONFIG"

  4. The tls-verify script worked 100%, thanks for the tip.

  5. Important note! A newline in the userlist.txt file will cause ALL clients to be accepted. If you use the above scripts (both .sh & .py), be sure not to leave any newlines at the end of the file.

  6. ^ this is in reference to the tls-verify scripts linked to at the end of the article.