Openvpn easy-rsa certificate revoke howto
From thelinuxwiki
Steps to revoke
First open up a shell or command prompt window and cd to the easy-rsa directory. Then run:
source ./vars
revoke-full <Cert Common Name>
cp ./keys/crl.pem /path/to/openvpn/directory
chmod 777 /path/to/openvpn/directory/crl.pem
You should see output similar to this:
Using configuration from /root/openvpn/20/openvpn/tmp/easy-rsa/openssl.cnf
DEBUG[load_index]: unique_subject = "yes"
Revoking Certificate 04.
Data Base Updated
Using configuration from /root/openvpn/20/openvpn/tmp/easy-rsa/openssl.cnf
DEBUG[load_index]: unique_subject = "yes"
client2.crt: /C=KG/ST=NA/O=OpenVPN-TEST/CN=client2/emailAddress=me@myhost.mydomain
error 23 at 0 depth lookup:certificate revoked
Note the "error 23" in the last line. That is what you want to see, as it indicates that a certificate verification of the revoked certificate failed.
The revoke-full script will generate a CRL (certificate revocation list) file called crl.pem in the keys subdirectory. The file should be copied to a directory where the OpenVPN server can access it, then CRL verification should be enabled in the server configuration:
Add this line to the OpenVPN server configuration file:
crl-verify crl.pem
Now all connecting clients will have their client certificates verified against the CRL, and any positive match will result in the connection being dropped.
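The revoke-full script is a thin wrapper around openssl ca. The script below is an added illustration, not code from the wiki page or from easy-rsa: it replays the same sequence with plain openssl commands in a throwaway directory, building a tiny CA, issuing a client certificate, revoking it, regenerating crl.pem and then running the CRL-aware verification that produces the "error 23 ... certificate revoked" line shown above. The directory, the CA and client names (Demo-CA, client2) and the minimal openssl.cnf are all constructed for the demo; it assumes only a POSIX shell and the openssl command-line tool.

```shell
#!/bin/sh
# Added demo of what revoke-full does underneath, using only the openssl CLI.
# Every path, name and config value here is constructed for the demo; none of
# it comes from the wiki page or from easy-rsa.
set -e

WORK="${WORK:-$(mktemp -d)}"   # throwaway PKI directory (assumes a writable tmp)

# Minimal stand-in for easy-rsa's openssl.cnf: just enough for "openssl ca".
write_ca_config() {
    cat > "$WORK/openssl.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $WORK
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
serial = \$dir/serial
crlnumber = \$dir/crlnumber
default_md = sha256
default_days = 365
default_crl_days = 30
policy = demo_policy
x509_extensions = v3_client
[ demo_policy ]
commonName = supplied
[ v3_client ]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
}

# Throwaway CA plus one client cert (the equivalent of build-ca and build-key).
build_demo_pki() {
    mkdir -p "$WORK/newcerts"
    : > "$WORK/index.txt"          # the CA database that revoke-full updates
    echo 01 > "$WORK/serial"
    echo 01 > "$WORK/crlnumber"
    write_ca_config
    openssl req -x509 -new -nodes -newkey rsa:2048 -keyout "$WORK/ca.key" \
        -out "$WORK/ca.crt" -subj "/CN=Demo-CA" -days 365 \
        -config "$WORK/openssl.cnf" 2>>"$WORK/openssl.log"
    openssl req -new -nodes -newkey rsa:2048 -keyout "$WORK/client.key" \
        -out "$WORK/client.csr" -subj "/CN=client2" \
        -config "$WORK/openssl.cnf" 2>>"$WORK/openssl.log"
    # Sign through "openssl ca" so the cert lands in index.txt; only certs
    # recorded in that database can be revoked later.
    openssl ca -batch -config "$WORK/openssl.cnf" -in "$WORK/client.csr" \
        -out "$WORK/client.crt" >>"$WORK/openssl.log" 2>&1
    # Start with an empty CRL so the "before" check has a CRL to consult.
    openssl ca -config "$WORK/openssl.cnf" -gencrl -out "$WORK/crl.pem" 2>>"$WORK/openssl.log"
}

# What "revoke-full client2" does: mark the cert revoked in index.txt, then
# regenerate crl.pem from the updated database.
revoke_client() {
    openssl ca -config "$WORK/openssl.cnf" -revoke "$WORK/client.crt" 2>>"$WORK/openssl.log"
    openssl ca -config "$WORK/openssl.cnf" -gencrl -out "$WORK/crl.pem" 2>>"$WORK/openssl.log"
}

# The check crl-verify performs on a connecting client: chain validation plus a
# CRL lookup. Returns 0 for a good cert and 1 when verification fails (for a
# revoked cert openssl logs "error 23 ... certificate revoked").
cert_is_valid() {
    if openssl verify -crl_check -CAfile "$WORK/ca.crt" -CRLfile "$WORK/crl.pem" \
        "$WORK/client.crt" >>"$WORK/openssl.log" 2>&1; then
        return 0
    fi
    return 1
}

demo() {
    build_demo_pki
    if cert_is_valid; then echo "before revoke: client2 accepted"
    else echo "unexpected: fresh cert rejected"; exit 1; fi
    revoke_client
    if cert_is_valid; then echo "unexpected: revoked cert accepted"; exit 1
    else echo "after revoke: client2 rejected"; fi
    grep 'certificate revoked' "$WORK/openssl.log" | head -n 1   # the error 23 line
}

demo
```

Run it with sh; it prints the verdict before and after revocation followed by the error-23 line from openssl's own output. The order is the same one the howto gives for production: revoke first, regenerate crl.pem, then copy the new file to where the server reads it, because OpenVPN checks connecting clients against whatever crl.pem it currently has and a stale copy leaves the revoked client connectable. The demo leaves file modes alone; the server only needs read access to crl.pem.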
Logging for CRL failures
Syslog message logged when a client tries to connect with a revoked certificate:
CRL CHECK FAILED: /C=US/ST=MI/L=somewhereville/O=example.com/OU=finance/CN=john_doe/emailAddress=john_doe@example.com is REVOKED
Resources
The information here was taken from:
http://openvpn.net/index.php/open-source/documentation/howto.html