OpenVPN revoke / unrevoke certificates
REVOKING
Sometimes you need to revoke a client's access to OpenVPN. The simplest way is to revoke the client's certificate, which takes a single command. Go to your easy-rsa directory and run:
source ./vars
./revoke-full [certificate name]
revoke-full marks the certificate as revoked (R) in index.txt and regenerates crl.pem. The server only enforces the CRL if its configuration contains a crl-verify directive pointing at that crl.pem, so check that before relying on revocation.
UNREVOKING
Sometimes you only need to revoke a client's access temporarily. Revoking is done as above, but later the access has to be restored, and easy-rsa 2 has no script for un-revoking a certificate. Here are the steps to do it by hand.
First go to your easy-rsa keys directory (or wherever you keep your keys). There you will find the file index.txt, the CA database. Open it in your favourite text editor. Each line describes one certificate and consists of six tab-separated fields: status, expiry date, revocation date, serial number, file name and subject. Lines beginning with V are valid certificates; lines beginning with R are revoked ones, and only those carry a date in the third field. To un-revoke a certificate, change the R at the beginning of its line to V and clear the third field, leaving the two tabs around it in place: a valid line has an empty third field, not a missing one, and openssl ca refuses to load the file if a line does not have exactly six tab-separated fields. After that regenerate the CRL:
source ./vars
openssl ca -gencrl -out "crl.pem" -config "$KEY_CONFIG"
If openssl complains that a configuration variable has no value, export empty KEY_CN, KEY_OU, KEY_NAME and KEY_ALTNAMES first, exactly as the revoke-full script does before it calls openssl. Make sure the new crl.pem is the file named by crl-verify in the server configuration (copy it there if that is a different path); OpenVPN re-reads the CRL file when it changes, so no restart is needed. After that the client should connect to OpenVPN with no problem.
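As an added example (my own script, not from this post and not part of easy-rsa), here is the un-revoke procedure above done tab-aware by a script instead of by hand: it rewrites the index.txt entry for one common name and then regenerates the CRL with the same empty KEY_* defaults that easy-rsa 2's revoke-full exports. It assumes the easy-rsa 2 layout (a vars file in the easy-rsa directory exporting KEY_DIR and KEY_CONFIG); the function names and the three sample index lines used for the dry run are constructed for this example.

```bash
#!/bin/bash
# Added example, not from the original post or from easy-rsa.
# Un-revoke one client certificate in an easy-rsa 2 PKI by editing index.txt,
# then regenerate crl.pem. Assumes easy-rsa 2's "vars" (KEY_DIR, KEY_CONFIG).
set -e

# openssl's index.txt is six TAB-separated fields:
#   status  expiry  revocation-date  serial  filename  subject
# A revoked entry has status R and a revocation date; a valid entry has status V
# and an EMPTY third field (two adjacent tabs). Spaces or a dropped field make
# "openssl ca" reject the database, which is why hand edits go wrong.
unrevoke_index_entry() {   # usage: unrevoke_index_entry <index.txt> <common name>  -> new db on stdout
  db=$1 cn=$2
  awk -F'\t' -v OFS='\t' -v cn="$cn" '
    {
      # Extract the exact CN from the subject, e.g. /C=US/.../CN=client2/emailAddress=...
      n = ""; p = index($6, "/CN=")
      if (p) { n = substr($6, p + 4); q = index(n, "/"); if (q) n = substr(n, 1, q - 1) }
      # Flip R -> V and blank the revocation date; assigning a field rebuilds $0 with OFS=tab
      if ($1 == "R" && n == cn) { $1 = "V"; $3 = ""; hit++ }
      print
    }
    END { if (!hit) exit 3 }   # nothing un-revoked: caller must not overwrite index.txt
  ' "$db"
}

regen_crl() {   # run inside $KEY_DIR after "vars" has been sourced
  # revoke-full exports these empty defaults before calling openssl; without them
  # easy-rsa's openssl.cnf fails with "variable has no value".
  export KEY_CN="" KEY_OU="" KEY_NAME="" KEY_ALTNAMES=""
  "${OPENSSL:-openssl}" ca -gencrl -out crl.pem -config "$KEY_CONFIG"
  # The server only sees the change once this crl.pem is the file named by its
  # crl-verify directive; copy it there if that is not $KEY_DIR/crl.pem.
}

# Constructed sample database (three clients, two revoked) for a dry run.
sample_index() {
  printf 'V\t250101000000Z\t\t01\tunknown\t/C=US/O=Fort-Funston/CN=client1/emailAddress=me@example.com\n'
  printf 'R\t250101000000Z\t240601120000Z\t02\tunknown\t/C=US/O=Fort-Funston/CN=client2/emailAddress=me@example.com\n'
  printf 'R\t250101000000Z\t240601120000Z\t03\tunknown\t/C=US/O=Fort-Funston/CN=client22/emailAddress=me@example.com\n'
}

# Dry run on the sample: un-revoke client2 only (client22 must stay revoked) and
# print the resulting database.
demo() {
  tmp=$(mktemp)
  sample_index > "$tmp"
  unrevoke_index_entry "$tmp" client2
  rm -f "$tmp"
}

# Real run: unrevoke.sh <easy-rsa dir> <common name>
main() {
  cd "$1"; source ./vars; cd "$KEY_DIR"   # vars derives EASY_RSA from the current directory
  cp index.txt "index.txt.bak.$(date +%Y%m%d%H%M%S)"   # keep a copy before touching the CA database
  unrevoke_index_entry index.txt "$2" > index.txt.new
  mv index.txt.new index.txt
  regen_crl
}

if [ "$#" -eq 2 ]; then main "$@"; fi
```

Run it with no arguments and call demo to see the transformation on the constructed sample; run it with the easy-rsa directory and a common name to edit the real index.txt. The CN comparison is exact, so client2 does not also un-revoke client22, and the function exits non-zero when nothing matched so that a typo in the name never overwrites the database with an unchanged copy.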
If you have any questions please leave a comment. I will answer asap.
Hi,
I have a problem after running the following command
openssl ca -gencrl -out "crl.pem" -config "$KEY_CONFIG"
error
Using configuration from /home/easy-rsa/openssl-1.0.0.cnf
error on line 144 of config file '/home/easy-rsa/openssl-1.0.0.cnf'
140069673105224:error:0E065068:configuration file routines:STR_COPY:variable has no value:conf_def.c:618:line 144
I have the same error. Were you able to resolve the issue?
same error here. Anyone able to resolve it ?
No sorry I haven’t seen this error. Maybe someone else can help?
Hello, ben. I was able to do this by following some steps as described in the 'revoke-full' script. Try running these commands before openssl ca -gencrl...:
# set defaults
export KEY_CN=""
export KEY_OU=""
export KEY_NAME=""
# required due to hack in openssl.cnf that supports Subject Alternative Names
export KEY_ALTNAMES=""
It was enough for me to get it working.
I need a script for revoking a user's certificate. The script below revokes all users' certificates. Please help.
#!/bin/bash
# Revoke one client certificate by common name and kick any live session
# through the OpenVPN management interface on localhost:7505.
keys_index_file=/usr/share/easy-rsa/keys/index.txt

if [[ -z "$1" ]]; then
    echo "usage: $0 <common name>" >&2
    exit 1
fi

# -F matches the CN literally; the trailing slash keeps "client1" from matching "client10".
fileline="$(grep -F -- "/CN=$1/" "$keys_index_file")"
if [[ "$(printf '%s\n' "$fileline" | grep -c .)" -ne 1 ]]; then
    echo "Error: expected exactly one index.txt entry for CN=$1." >&2
    exit 1
fi

# Whitespace splitting collapses the empty revocation-date field, so a valid (V)
# line has 5 columns and a revoked (R) line, which carries that date, has 6.
columns_number="$(echo "$fileline" | awk '{print NF}')"

if [[ $columns_number -eq 5 ]] && [[ $fileline == V* ]]; then
    cd /usr/share/easy-rsa   # vars derives EASY_RSA and KEY_DIR from the current directory
    source ./vars
    ./revoke-full "$1"
    # Disconnect the client now; the new CRL only blocks its next handshake.
    {
        sleep 3
        echo "kill $1"
        sleep 3
        echo exit
    } | telnet localhost 7505
    echo "Client certificate revoked successfully."
    exit 0
elif [[ $columns_number -eq 6 ]] && [[ $fileline == R* ]]; then
    echo "Client certificate is already revoked."
    exit 0
else
    echo "Error: key index file may be corrupted." >&2
    exit 1
fi
Hey, stumbled here when using this command for OpenVPN. When you delete the third row, make SURE to use tabs and not spaces.
In VIM, enter ":set list" to check the unprintable characters and make sure "expandtab" is not active.