How To Successfully Revoke An OpenVPN Certificate

The other day I was asked to revoke a OpenVPN certificate, though to my surprise, there is more needed to be done than just a simple
./revoke-all CertificateName

So here is how to do it properly:

1) Navigate to /etc/openvpn/easy-rsa

cd /etc/openvpn/easy-rsa

2) run . ./vars

. ./vars

3) revoke the certificate

./revoke-full CertificateName

4) Move crl.pem located in keys directory to the OpenVpn’s directory

mv /etc/openvpn/easy-rsa/keys/crl.pem /etc/openvpn/

5) make sure the certificate is revoked – check index.txt in keys, there should be a “R” in the first column right next to revoked certificate

nano /etc/openvpn/easy-rsa/keys/index.txt

6) restart or stop & start the OpenVPN server for immediate effect

/etc/init.d/openvpn stop

/etc/init.d/openvpn start

7) As always… Profit! 🙂