Wondering how to revoke Client VPN endpoint access for a specific client? We can help you.
As part of our Server Management Services, we assist our customers with several OpenVPN queries.
Today, let us see how our Support techs assist with this process.
How to revoke Client VPN endpoint access for a specific client?
Basically, blocking clients revokes their access to a Client VPN endpoint.
We can use certificate revocation lists to block specific client certificates.
To revoke a client certificate, follow the steps below:
1. Firstly, generate a client certificate revocation list
2. Then, import a client certificate revocation list
3. (Optional) Export the client certificate revocation list
Today, let us see the steps our Support Techs follow in detail.
Generate a client certificate revocation list using OpenVPN easy-rsa
1. Firstly, clone the OpenVPN easy-rsa repository as a local repository on your local computer.
$ git clone https://github.com/OpenVPN/easy-rsa.git
2. Then, open the easy-rsa/easyrsa3 folder in your local repository.
$ cd easy-rsa/easyrsa3
3. Revoke the client certificate, and then generate the client revocation list.
$ ./easyrsa revoke client_certificate_name
Type yes when prompted.
$ ./easyrsa gen-crl
Using SSL: openssl OpenSSL 1.0.2g 1 Mar 2016
Using configuration from /home/easy-rsa/easyrsa3/pki/easy-rsa-31222.LsDpvT/tmp.t5FIi8
An updated CRL has been created.
CRL file: /home/easy-rsa/easyrsa3/pki/crl.pem
The certificate revocation list file is created at easy-rsa/easyrsa3/pki/crl.pem in your local repository.
Import the certificate revocation list file into the Client VPN endpoint
After you import the certificate revocation list file into the Client VPN endpoint, the revoked client's access to the endpoint is permanently revoked. Note that an imported CRL replaces any CRL previously imported for that endpoint, so the file you import must list every client certificate you still want blocked (easy-rsa's gen-crl includes all certificates revoked in its PKI, so regenerating it after each revoke keeps the list complete).
1. Firstly, open the Amazon Virtual Private Cloud (Amazon VPC) console.
2. In the navigation pane, choose Client VPN Endpoints.
3. Then, select the Client VPN endpoint where you plan to import the client certificate revocation list.
4. Choose Actions, and then choose Import Client Certificate CRL.
5. Copy the contents of the client certificate revocation list file crl.pem.
$ cat pki/crl.pem
-----BEGIN X509 CRL-----
Base64-encoded CRL
-----END X509 CRL-----
6. For Certificate Revocation List, enter the content of the client certificate revocation list file. Then, choose Import CRL.
Or, you can import the client certificate revocation list using the AWS Command Line Interface (AWS CLI):
aws ec2 import-client-vpn-client-certificate-revocation-list --certificate-revocation-list file://path_to_CRL_file --client-vpn-endpoint-id endpoint_id --region region
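The two easy-rsa commands above and the import step together form one procedure, and the part worth checking before you import is whether the CRL you are about to upload is actually valid and actually lists the client you revoked. The script below is an added example, not code from the original post, from easy-rsa or from AWS. It uses plain openssl in place of easy-rsa to build a throwaway CA (so it runs anywhere openssl is installed), issues two client certificates, revokes one, generates the CRL, and then runs three checks: the CRL verifies against the CA, the revoked certificate's serial is listed, and a still-valid certificate is not. The work directory, the "demo-ca", "client1" and "client2" names, and the CLIENT_VPN_ENDPOINT_ID environment variable are all constructed for this example; the aws command in import_crl is the post's own command with the file:// form the CLI expects for a local file.

```shell
#!/bin/sh
# Added example (not from the original post, easy-rsa or AWS): throwaway CA
# built with plain openssl, one client certificate revoked, CRL generated and
# checked before import. Directory, CA and client names are constructed.
set -eu
WORK=$(mktemp -d)

# Minimal "openssl ca" configuration for the throwaway PKI (constructed).
write_ca_config() {
  cat > "$1/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $1
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
serial = \$dir/serial
crlnumber = \$dir/crlnumber
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
}

# Create the CA and issue client certificates "client1" and "client2".
build_demo_pki() {
  mkdir -p "$1/newcerts"
  : > "$1/index.txt"
  echo 01 > "$1/serial"
  echo 01 > "$1/crlnumber"
  write_ca_config "$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj /CN=demo-ca \
    -config "$1/ca.cnf" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
  for name in client1 client2; do
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" -config "$1/ca.cnf" \
      -keyout "$1/$name.key" -out "$1/$name.csr" 2>/dev/null
    openssl ca -batch -config "$1/ca.cnf" -in "$1/$name.csr" \
      -out "$1/$name.crt" >/dev/null 2>&1
  done
}

# Revoke one certificate and (re)generate the CRL: the same two operations
# "easyrsa revoke" and "easyrsa gen-crl" perform on the easy-rsa PKI.
revoke_and_gen_crl() {
  openssl ca -config "$1/ca.cnf" -revoke "$2" >/dev/null 2>&1
  openssl ca -config "$1/ca.cnf" -gencrl -out "$1/crl.pem" >/dev/null 2>&1
}

# Check 1: the CRL is signed by the CA the endpoint trusts
# ("openssl crl -CAfile" exits non-zero when the signature fails).
crl_verifies() {
  openssl crl -in "$1" -CAfile "$2" -noout >/dev/null 2>&1
}

# Check 2: the given certificate's serial number is listed in the CRL.
# Returns 0 if listed (blocked after import), 1 if not.
crl_lists_cert() {
  serial=$(openssl x509 -in "$2" -noout -serial | cut -d= -f2)
  openssl crl -in "$1" -noout -text | grep -q "Serial Number: *$serial\$"
}

# Import with the AWS CLI (the post's own command, local file via file://).
import_crl() {
  aws ec2 import-client-vpn-client-certificate-revocation-list \
    --certificate-revocation-list "file://$1" \
    --client-vpn-endpoint-id "$2"
}

build_demo_pki "$WORK"
revoke_and_gen_crl "$WORK" "$WORK/client1.crt"
if crl_verifies "$WORK/crl.pem" "$WORK/ca.crt" \
   && crl_lists_cert "$WORK/crl.pem" "$WORK/client1.crt" \
   && ! crl_lists_cert "$WORK/crl.pem" "$WORK/client2.crt"; then
  # nextUpdate tells you when this CRL must be regenerated and re-imported.
  echo "CRL $WORK/crl.pem ready to import; $(openssl crl -in "$WORK/crl.pem" -noout -nextupdate)"
else
  echo "CRL checks failed, do not import" >&2
  exit 1
fi
# Only talk to AWS when an endpoint id is supplied (constructed variable).
if [ -n "${CLIENT_VPN_ENDPOINT_ID:-}" ]; then
  import_crl "$WORK/crl.pem" "$CLIENT_VPN_ENDPOINT_ID"
fi
```

Run it as-is to see the checks pass against the throwaway PKI (the temporary directory is left behind so you can inspect index.txt and crl.pem); to run the same checks against your real easy-rsa output, point crl_verifies and crl_lists_cert at pki/crl.pem, pki/ca.crt and pki/issued/client_certificate_name.crt instead.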
Export the client certificate revocation list
1. Firstly, open the Amazon VPC console.
2. In the navigation pane, choose Client VPN Endpoints.
3. Then, select the Client VPN endpoint from where you plan to export the client certificate revocation list.
4. Choose Actions, and then choose Export Client Certificate CRL.
5. Choose Yes, and then choose Export.
Or, you can export the client certificate revocation list using the AWS CLI:
aws ec2 export-client-vpn-client-certificate-revocation-list --client-vpn-endpoint-id endpoint_id
Conclusion
In short, today we saw the steps our Support Techs follow to revoke Client VPN endpoint access for a specific client.