Openvpn revoke / unrevoke certificates

REVOKING
Sometimes you need to revoke a client's access to OpenVPN. The simplest way to do this is to revoke the client's certificate, which takes about as much effort as pressing Enter. To revoke a certificate, go to your easy-rsa directory and enter the following:

# load the easy-rsa settings (KEY_DIR, KEY_CONFIG, ...)
source ./vars
# revoke-full marks the certificate as revoked in index.txt and regenerates crl.pem
./revoke-full [certificate name]

UNREVOKING
Sometimes you need to revoke a client's access only temporarily. Revoking it is done exactly as above, but afterwards the access has to be restored, i.e. the certificate has to be unrevoked. Here are the steps.
First go to your easy-rsa directory (or wherever you keep your keys). There you will find the file index.txt; open it in your favourite text editor. It is the index of all certificates the CA has issued: some lines begin with V (valid) and some with R (revoked). To unrevoke a certificate, change the R at the beginning of its line to V and remove the third column (the revocation timestamp). After that just run:

source ./vars
# regenerate the CRL so it no longer lists the certificate
openssl ca -gencrl -out "crl.pem" -config "$KEY_CONFIG"

After that the client should be able to connect to OpenVPN again with no problem.
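As an added example (not code from the original post), here is a small POSIX shell helper that does the same edit programmatically instead of by hand: it flips the entry's status from R to V, clears the revocation timestamp column, keeps index.txt tab-separated (openssl ca expects tabs, so spaces would corrupt the file), checks the file for malformed entries before and after, and wraps the CRL regeneration step. The two-entry index.txt it builds is constructed for the demo; regen_crl assumes easy-rsa's vars have been sourced (KEY_DIR, KEY_CONFIG) and that crl.pem lives under KEY_DIR, and it is not run by the demo because it needs a real CA directory.

```shell
#!/bin/sh
# Added example, not code from the original post: a tab-safe "unrevoke" for an
# easy-rsa 2.x index.txt, plus a sanity check on the file before and after.
#
# index.txt is OpenSSL's CA database: one entry per line, six TAB-separated
# fields:  status  expiry  revocation_date  serial  filename  subject
# A valid (V) entry has an empty revocation_date, i.e. two adjacent tabs.

# check_index INDEX_FILE
#   Fails (returns 1) if any line does not have exactly six tab-separated
#   fields or has a status other than V, R or E; prints the offending line.
check_index() {
    awk -F'\t' '
        NF != 6 || $1 !~ /^[VRE]$/ { print "bad entry at line " NR ": " $0; bad++ }
        END { exit (bad > 0 ? 1 : 0) }
    ' "$1"
}

# cert_status INDEX_FILE CN
#   Prints the status field (V, R or E) of the entry whose subject has /CN=CN/.
cert_status() {
    awk -F'\t' -v cn="$2" '
        index($6 "/", "/CN=" cn "/") > 0 { print $1 }
    ' "$1"
}

# unrevoke_cn INDEX_FILE CN
#   Rewrites INDEX_FILE in place: the R entry for CN becomes V and its
#   revocation_date field is emptied. Field separators stay tabs, which is what
#   openssl ca expects. Returns 1 and leaves the file untouched unless exactly
#   one entry changed.
unrevoke_cn() {
    file="$1"; cn="$2"; tmp="$1.unrevoke.$$"
    if awk -F'\t' -v OFS='\t' -v cn="$cn" '
        $1 == "R" && index($6 "/", "/CN=" cn "/") > 0 {
            $1 = "V"; $3 = ""; changed++   # back to valid, timestamp cleared
        }
        { print }
        END { exit (changed == 1 ? 0 : 1) }
    ' "$file" > "$tmp"; then
        mv "$tmp" "$file"
    else
        rm -f "$tmp"
        return 1
    fi
}

# regen_crl
#   The step that follows the edit: rebuild crl.pem so the server stops
#   rejecting the certificate. Assumes easy-rsa's ./vars was sourced first
#   (KEY_DIR, KEY_CONFIG); the empty exports work around the Subject Alternative
#   Name hack in easy-rsa's openssl.cnf. Not exercised by the demo below.
regen_crl() {
    export KEY_CN="" KEY_OU="" KEY_NAME="" KEY_ALTNAMES=""
    openssl ca -gencrl -out "$KEY_DIR/crl.pem" -config "$KEY_CONFIG"
}

# make_sample_index FILE
#   Writes a constructed two-entry index.txt (not from any real CA) for the demo.
make_sample_index() {
    printf 'V\t250101000000Z\t\t01\tunknown\t/C=PL/CN=alice/emailAddress=alice@example.com\n' > "$1"
    printf 'R\t250101000000Z\t230601120000Z\t02\tunknown\t/C=PL/CN=bob/emailAddress=bob@example.com\n' >> "$1"
}

# Demo: bob is revoked; flip him back to valid and show the tab-separated result
# (tabs rendered as | so the empty third column is visible).
demo_index="${TMPDIR:-/tmp}/index.txt.demo.$$"
make_sample_index "$demo_index"
check_index "$demo_index" && unrevoke_cn "$demo_index" bob
echo "bob is now: $(cert_status "$demo_index" bob)"
tr '\t' '|' < "$demo_index"
rm -f "$demo_index"
```

After unrevoke_cn succeeds on the real index.txt, run regen_crl (or the openssl ca -gencrl command above) so that crl.pem matches the index again; the check_index pass afterwards is the quick way to confirm the editor did not turn the tabs into spaces.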

If You have any questions please leave a comment. I will answer asap.

8 Comments on “Openvpn revoke / unrevoke certificates”

  1. Hi,

    I have a problem after running the following command

    openssl ca -gencrl -out "crl.pem" -config "$KEY_CONFIG"

    error

    Using configuration from /home/easy-rsa/openssl-1.0.0.cnf
    error on line 144 of config file ‘/home/easy-rsa/openssl-1.0.0.cnf’
    140069673105224:error:0E065068:configuration file routines:STR_COPY:variable has no value:conf_def.c:618:line 144

    • Hello, ben. I was able to do this by following some steps as they are described in the ‘revoke-full’ script. Try to run these commands before openssl ca -gencrl…:

      # set defaults
      export KEY_CN=""
      export KEY_OU=""
      export KEY_NAME=""

      # required due to hack in openssl.cnf that supports Subject Alternative Names
      export KEY_ALTNAMES=""

      It was enough for me to get it working.

  2. I need a script for revoking a user certificate. The script below will revoke all users’ certificates. Pls help

    #!/bin/bash
    # Revoke the certificate of the client named in $1 and kick its session
    # through the OpenVPN management interface on localhost:7505.

    keys_index_file=/usr/share/easy-rsa/keys/index.txt

    # without a CN the grep below matches every entry in index.txt
    if [ -z "$1" ]; then
        echo "Usage: $0 <client CN>"
        exit 1
    fi

    fileline="$(grep "/CN=$1/" $keys_index_file)"
    columns_number="$(echo $fileline | awk -F' ' '{print NF;}')"

    if [[ $columns_number -eq 5 ]] && [[ $fileline == V* ]]; then
        # valid entry: status V and an empty revocation date (5 fields)

        source /usr/share/easy-rsa/vars
        /usr/share/easy-rsa/revoke-full $1

        {
            sleep 3
            echo kill $1
            sleep 3
            echo exit
        } | telnet localhost 7505

        echo "Client certificate revoked successfully."
        exit 0;

    elif [[ $columns_number -eq 6 ]] && [[ $fileline == R* ]]; then
        # revoked entry: status R plus a revocation date (6 fields)

        echo "Client certificate is already revoked."
        exit 0;

    else

        echo "Error; key index file may be corrupted."
        exit 1;
    fi

  3. The script below will revoke all users’ certificates. Please help me with a script for a specific user, or one that prompts the user while revoking.

    #!/bin/bash
    # Revoke the certificate of the client named in $1 and kick its session
    # through the OpenVPN management interface on localhost:7505.

    keys_index_file=/usr/share/easy-rsa/keys/index.txt

    # without a CN the grep below matches every entry in index.txt
    if [ -z "$1" ]; then
        echo "Usage: $0 <client CN>"
        exit 1
    fi

    fileline="$(grep "/CN=$1/" $keys_index_file)"
    columns_number="$(echo $fileline | awk -F' ' '{print NF;}')"

    if [[ $columns_number -eq 5 ]] && [[ $fileline == V* ]]; then
        # valid entry: status V and an empty revocation date (5 fields)

        source /usr/share/easy-rsa/vars
        /usr/share/easy-rsa/revoke-full $1

        {
            sleep 3
            echo kill $1
            sleep 3
            echo exit
        } | telnet localhost 7505

        echo "Client certificate revoked successfully."
        exit 0;

    elif [[ $columns_number -eq 6 ]] && [[ $fileline == R* ]]; then
        # revoked entry: status R plus a revocation date (6 fields)

        echo "Client certificate is already revoked."
        exit 0;

    else

        echo "Error; key index file may be corrupted."
        exit 1;
    fi

  4. Hey, stumbled here when using this command for OpenVPN. When you delete the third row, make SURE to use tabs and not spaces.
    In VIM, enter ":set list" to check the unprintable characters and make sure "expandtab" is not active.
