In this blog article we discuss how to revoke certificates issued by OpenVPN. We test this on a Windows machine, but the same procedure can also be used on a Linux box. In our case we use the easy-rsa 3 scripts to revoke the SSL/TLS certificate of the OpenVPN service.

Revoking a certificate means invalidating a previously signed certificate so that it can no longer be used for OpenVPN client authentication.

Typical reasons for wanting to revoke a certificate include:

  • The private key associated with the certificate is compromised or stolen.
  • The user of an encrypted private key forgets the password on the key.
  • You want to terminate a VPN user’s access.

First, log in to the OpenVPN server, which is typically where the OpenVPN client certificates were generated and signed with the CA certificate.

Now open the Windows command prompt and go to the directory “C:\Program Files\OpenVPN\easy-rsa”. After that, launch the EasyRSA shell. To do so, issue the commands below.

Attached a screenshot for reference.

To show the details of the client certificate that we currently use, issue the command below.

In this command, replace the client field with your own client certificate name.

Attached a screenshot for reference. From the screen we can see the details of the client certificate we issued.

Now try to connect to your own OpenVPN server using this client certificate and make sure the connection is successful. This means that our OpenVPN client certificate is currently valid and can be used for OpenVPN authentication from the client side.

Now let's see how this OpenVPN client certificate, which is already in use, can be revoked.

To do so, issue the command below from the easy-rsa shell itself. Replace the client name with your own client certificate name.

Type “yes” and hit Enter to confirm the revocation. Wait until the command completes. Once it has, we will see the message “Revocation was successful”. The revoke command script will generate a CRL (certificate revocation list) file called crl.pem under the directory C:/Program Files/OpenVPN/easy-rsa/pki/.

Attached a screenshot for reference.

Now, to create an updated CRL that contains all certificates revoked up to that point, issue the command below.

You will see the message “An updated CRL has been created”, with the CRL file location given as C:/Program Files/OpenVPN/easy-rsa/pki/crl.pem.

Attached a screenshot for reference.

After generating the updated “crl.pem” file, the next step is to enable CRL verification in the OpenVPN server configuration file. Only then will all connecting clients have their client certificates verified against the CRL, and any positive match will result in the connection being dropped from the OpenVPN server side.

So open the file named “server.ovpn” under the directory “C:\Program Files\OpenVPN\config” using any text editor. Here I used Notepad, and from the screen you can see I already opened the file.

In it I added the line crl-verify "C:\\Program Files\\OpenVPN\\easy-rsa\\pki\\crl.pem" after the tls-auth line. Save the content and exit the text editor.

Attached a screenshot for reference.

When the crl-verify option is used in OpenVPN, the CRL file will be re-read any time a new client connects or an existing client renegotiates the SSL/TLS connection (by default once per hour). This means that you can update the CRL file while the OpenVPN server daemon is running, and have the new CRL take effect immediately for newly connecting clients.

For immediate testing, we can stop the OpenVPN server service and start it again.

This completes the OpenVPN SSL/TLS client certificate revocation procedure. Now let's test it out. Go to the OpenVPN client PC where the revoked client certificate is in use and try to connect to the OpenVPN server again. The client will try to connect for a while and then fail.

In the meantime, if we look at the OpenVPN server log, we will see a message like "VERIFY ERROR: depth=0, error=certificate revoked: CN=CLIENT".

Attached a screenshot for reference.
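
The server log can also be used to confirm that the revocation is being enforced, not just that one connection failed. The script below is an added example, not part of the original article: it counts "certificate revoked" rejections for one CN and flags any later acceptance of that CN. The log lines are constructed, and the timestamp/peer prefix, the VERIFY OK line format and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the article): check an OpenVPN server log to confirm
# that a revoked client certificate is really being rejected by crl-verify.

# Constructed sample log. Timestamps, peer addresses and CN values are made up;
# the VERIFY ERROR text follows the message quoted in the article.
sample_log() {
cat <<'EOF'
2024-01-10 09:00:01 198.51.100.7:50112 VERIFY OK: depth=1, CN=Example-CA
2024-01-10 09:00:01 198.51.100.7:50112 VERIFY OK: depth=0, CN=CLIENT
2024-01-10 11:15:42 198.51.100.7:50377 VERIFY OK: depth=1, CN=Example-CA
2024-01-10 11:15:42 198.51.100.7:50377 VERIFY ERROR: depth=0, error=certificate revoked: CN=CLIENT
2024-01-10 11:15:47 198.51.100.7:50391 VERIFY ERROR: depth=0, error=certificate revoked: CN=CLIENT
2024-01-10 11:20:03 203.0.113.9:41822 VERIFY OK: depth=0, CN=laptop2
EOF
}

# audit_revoked CN < logfile
# Prints one line: STATUS rejected=N accepted_after=M
#   ENFORCED       the CN was rejected as revoked and never accepted afterwards
#   NOT_ENFORCED   the CN passed verification after a revoked rejection
#   NO_REJECTIONS  no "certificate revoked" line for this CN (nothing proven yet)
audit_revoked() {
    awk -v cn="$1" '
        # Return the CN value of a VERIFY line, without any trailing fields.
        function leaf_cn(line,    s, i) {
            i = index(line, "CN=")
            if (!i) return ""
            s = substr(line, i + 3)
            sub(/,.*/, "", s)       # drop fields that may follow the CN
            sub(/[ \r]+$/, "", s)   # drop trailing blanks and a Windows CR
            return s
        }
        # Only leaf-certificate (depth=0) lines for exactly this CN count.
        /VERIFY (OK|ERROR): depth=0,/ && leaf_cn($0) == cn {
            if ($0 ~ /error=certificate revoked/) rejected++
            else if ($0 ~ /VERIFY OK/ && rejected) accepted_after++
        }
        END {
            status = accepted_after ? "NOT_ENFORCED" : (rejected ? "ENFORCED" : "NO_REJECTIONS")
            printf "%s rejected=%d accepted_after=%d\n", status, rejected, accepted_after
        }'
}

sample_log | audit_revoked CLIENT
```

A NOT_ENFORCED result means the revoked CN passed verification after it had been rejected, which points at a server instance running without the crl-verify line or reading an older crl.pem.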


In this blog article we discussed how to revoke OpenVPN certificates using the easy-rsa scripts. I hope this article is informative. Leave your thoughts in the comment box.
