How to Properly Revoke OpenVPN Certificates and Regenerate Them Without Connection Issues

Recently, I encountered a puzzling situation where OpenVPN clients could still connect even after I removed their certificate files from the server. This happened because I manually deleted entries from /etc/openvpn/easy-rsa/keys/index.txt instead of properly revoking the certificates.

Initially, I thought changing the status flag from 'V' to 'R' in index.txt would be sufficient. However, this approach has several flaws:

  • Missing revocation timestamp
  • No proper CRL (Certificate Revocation List) generation
  • Incomplete certificate status tracking

Here's the proper way to revoke certificates and prevent connections:

# Navigate to your easy-rsa directory
cd /etc/openvpn/easy-rsa/

# Source the vars file (same as when generating certificates)
source ./vars

# Revoke the certificate properly (in easy-rsa 2 this also regenerates keys/crl.pem)
./revoke-full client_name

After revocation, you can safely recreate certificates with the same CN:

# Generate new certificate with same name
./build-key client_name

# Verify the new certificate appears in index.txt
grep "/CN=client_name/" keys/index.txt

The key to making revocation work is ensuring your OpenVPN server checks the CRL. Add this to your server config:

crl-verify /etc/openvpn/easy-rsa/keys/crl.pem

If clients can still connect after revocation:

  1. Verify CRL file exists and is updated
  2. Check server config includes crl-verify
  3. Restart OpenVPN server after changes
  4. Confirm timestamp in index.txt shows revocation date

For frequent certificate management, consider this bash script:

#!/bin/bash
# Revoke and regenerate certificate script (easy-rsa 2.x layout)

CLIENT_NAME="$1"
EASY_RSA="/etc/openvpn/easy-rsa"

[ -n "$CLIENT_NAME" ] || { echo "usage: $0 <client_name>" >&2; exit 1; }

cd "$EASY_RSA" || exit 1
source ./vars

# revoke-full regenerates keys/crl.pem; its final 'openssl verify' step is
# expected to report "certificate revoked", so its exit status is not checked
./revoke-full "$CLIENT_NAME"

# Refuse to reuse the CN unless index.txt now carries an 'R' entry for it
grep -Eq "^R[[:space:]].*/CN=${CLIENT_NAME}(/|$)" keys/index.txt \
    || { echo "revocation of $CLIENT_NAME not recorded in index.txt" >&2; exit 1; }

./build-key "$CLIENT_NAME"
systemctl restart openvpn@server

Remember to always use the proper easy-rsa tools rather than manual file edits to maintain certificate integrity.


Many OpenVPN administrators mistakenly believe that simply removing or modifying entries in index.txt will immediately revoke certificates. Here's why this approach fails:

# Example of problematic manual modification (index.txt fields are tab-separated:
# status, expiry, revocation date, serial, filename, subject)
V   220101010101Z    01    unknown /CN=client1

Changing the 'V' to 'R' without proper procedure leaves the certificate still valid because:

  • The Certificate Revocation List (CRL) isn't automatically updated
  • Missing revocation timestamps create validation gaps
  • OpenVPN server needs explicit CRL file loading

Here's the proper way to revoke certificates using easy-rsa:

# Navigate to your easy-rsa directory
cd /etc/openvpn/easy-rsa/

# Source the vars file (adjust for your environment)
source ./vars

# Revoke the specific certificate
./revoke-full client1

# Verify the updated index.txt
cat keys/index.txt

This creates proper revocation entries with timestamps:

R   220101010101Z   220202020202Z    01    unknown /CN=client1

After revocation, these actions are mandatory:

# Regenerate the CRL (revoke-full already does this in easy-rsa 2; run it again
# if the CA database was changed any other way). KEY_CONFIG is set by ./vars
openssl ca -gencrl -config "$KEY_CONFIG" -out keys/crl.pem

# Copy CRL to OpenVPN config directory
cp keys/crl.pem /etc/openvpn/

# Add to server.conf only if not already present
grep -q '^crl-verify' /etc/openvpn/server.conf || echo "crl-verify /etc/openvpn/crl.pem" >> /etc/openvpn/server.conf

# Restart OpenVPN service
systemctl restart openvpn@server

If clients still connect after revocation:

  • Verify crl-verify directive exists in server config
  • Check CRL file permissions (should be readable by OpenVPN user)
  • Confirm CRL file is being reloaded (add crl-verify /etc/openvpn/crl.pem to client config for testing)
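To find both problems described above, an 'R' row that was hand-edited into index.txt without a revocation timestamp and a revoked serial that never made it into the CRL the server loads, here is an added audit script. It is not part of the article; it assumes the easy-rsa 2 keys/index.txt layout and the openssl binary for reading the CRL, and the sample database at the bottom is constructed.

```bash
#!/bin/bash
# Added audit helper, not part of the article: cross-check an easy-rsa 2
# keys/index.txt against the CRL that OpenVPN loads via crl-verify.
# index.txt is tab-separated:
#   status  expiry  revocation-date  serial  filename  subject

# "serial<TAB>subject" for every 'R' row with no revocation timestamp,
# i.e. a row someone flipped from V to R by hand.
malformed_revocations() {
    awk -F'\t' '$1 == "R" && $3 == "" { print $4 "\t" $6 }' "$1"
}

# Serials of all rows marked revoked in index.txt.
index_revoked_serials() {
    awk -F'\t' '$1 == "R" { print $4 }' "$1" | sort -u
}

# Serials actually listed in a CRL file (needs the openssl binary).
# 'openssl crl -text' prints one "    Serial Number: XX" line per entry.
crl_revoked_serials() {
    openssl crl -in "$1" -noout -text | awk '/Serial Number:/ { print $3 }' | sort -u
}

# Serials marked R in index.txt but absent from the CRL: those clients
# keep connecting until the CRL is regenerated and reloaded.
missing_from_crl() {
    crl_list="$(crl_revoked_serials "$2")"
    index_revoked_serials "$1" | while read -r serial; do
        printf '%s\n' "$crl_list" | grep -qx "$serial" || echo "$serial"
    done
}

# Constructed sample database for a stand-alone run (not real data).
SAMPLE_INDEX="$(mktemp)"
{
    printf 'V\t220101010101Z\t\t01\tunknown\t/CN=server\n'
    printf 'R\t220101010101Z\t210615120000Z\t02\tunknown\t/CN=client1\n'
    printf 'R\t220101010101Z\t\t03\tunknown\t/CN=client2\n'
} > "$SAMPLE_INDEX"

malformed_revocations "$SAMPLE_INDEX"   # prints "03<TAB>/CN=client2"
# For a live check: missing_from_crl keys/index.txt keys/crl.pem
```

Any serial printed by missing_from_crl against the copy of crl.pem named in your crl-verify directive is a client the server will still accept.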

When needing to recreate certificates with identical CNs:

# First revoke old certificate
./revoke-full client1

# Then generate new certificate
./build-key client1

# Verify new certificate appears in index.txt
grep "client1" keys/index.txt

Remember to always regenerate the CRL after certificate operations.