Revoke/Unrevoke a client certificate in OpenVPN


To revoke the access of a client, the first method will be to use the Client Revocation List. For that, goto easy_rsa directory & execute (where cname is the one which you want to disable)

./revoke-all cname

Then copy the file crl.pem created in keys folder to the /etc/openvpn/ folder. Finally, edit the server.conf & add the following line.

crl-verify crl.pem

The above file is append-only file & re-read every time a client connects to the server so there is no need to restart the server next time you overwrite the file.


Now coming on the un-revoking part, I tried asking the above question on serverfault & came to know that un-revoking of certificate should generally not be done.

But, even then if you want to do that I will quote the guy:

in your CA folder, there should be an index.txt, with certificate IDs in it. The ones starting with «V» are valid, and ones with «R» are revoked. You can edit that file, and fix the first char to «V», and delete the third column (the revocation date). If you have more then one certificate, you should see the pattern (sequential number comes in the third column now, etc).
Then you just need to regenerate the CRL again, and it should work.

To regenerate the CRL file again, execute the following two commands in the easy_rsa directory:

source ./vars
openssl ca -gencrl -out "crl.pem" -config "$KEY_CONFIG"'

A better way of dealing with a situation of temporarily enabling/disabling access of a user to a openvpn server is using a customtsl-verify script.

Download either the bash version or the python version of the script & move the file to /etc/openvpn/bin/ folder. Then add the following two lines at the end of server.conf file.

script-security 3 system
tls-verify "/etc/openvpn/bin/ /etc/openvpn/userlist.txt"

If you miss the first line (it was not documented in the above link), the script will fail to run. The userlist.txt file will contain the CN names (or the regex) of the certificates. To revoke access of a client, simply add a «#» to the beginning of the name or delete the line.

# ovpnCNcheck — an OpenVPN tls-verify script
# «»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
# This script checks if the peer is in the allowed
# user list by checking the CN (common name) of the
# X509 certificate against a provided text file.
# For example in OpenVPN, you could use the directive
# (as one line):
# tls-verify «/usr/local/sbin/
# /etc/openvpn/userlist.txt»
# This would cause the connection to be dropped unless
# the client common name is within the userlist.txt.
# Special care has been taken to ensure that this script
# also works on openwrt systems where only busybox is
# available
# Written by Robert Penz <> under the GPL 2
# Parts are copied from the verify-cn sample OpenVPN
# tls-verify script.
[ $# -eq 3 ] || { echo usage: userfile certificate_depth X509_NAME_oneline ; exit 255 ; }

# $2 -> certificate_depth
if [ $2 -eq 0 ] ; then
# $3 -> X509_NAME_oneline
# $1 -> cn we are looking for
grep -q «^`expr match «$3» «.*/CN=\([^/][^/]*\)»`$» «$1» && exit 0
exit 1

exit 0

Добавить комментарий

Этот сайт использует Akismet для борьбы со спамом. Узнайте, как обрабатываются ваши данные комментариев.