Generate an AWS Client VPN client certificate revocation list - AWS Client VPN

Generate an AWS Client VPN client certificate revocation list

You can generate a Client VPN certificate revocation list on either a Linux/macOS or Windows operating system. The revocation list is used to revoke access to a Client VPN endpoint for specific certificates. For more information about client certificate revocation lists, see Client certificate revocation lists.

Linux/macOS

In the following procedure, you generate a client certificate revocation list using the OpenVPN easy-rsa command line utility.

To generate a client certificate revocation list using OpenVPN easy-rsa
  1. Log on to the server hosting the easyrsa installation used to generate the certificate.

  2. Navigate into the easy-rsa/easyrsa3 folder in your local repo.

    $ cd easy-rsa/easyrsa3
  3. Revoke the client certificate and generate the client revocation list.

    $ ./easyrsa revoke client1.domain.tld
    $ ./easyrsa gen-crl

    Enter yes when prompted.
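The revoke-and-regenerate step above, followed by a check that the revoked certificate's serial number really appears in the new pki/crl.pem before you upload it to the endpoint, as an added shell example (not from this page; it assumes easy-rsa 3 and openssl on PATH and is run from easy-rsa/easyrsa3):

```shell
#!/bin/sh
# Added example, not part of the AWS page. Assumes easy-rsa 3 (./easyrsa)
# and openssl are on PATH and the working directory is easy-rsa/easyrsa3.

# Print the serial numbers listed in the text dump of a CRL
# (`openssl crl -text` output read from stdin), one per line, upper-case hex.
# Only revoked entries carry a "Serial Number:" line in that dump.
crl_serials_from_text() {
    sed -n 's/^[[:space:]]*Serial Number:[[:space:]]*//p' | tr 'a-f' 'A-F'
}

# Serial number of a PEM certificate file, upper-case hex.
cert_serial() {
    openssl x509 -in "$1" -noout -serial | sed 's/^serial=//' | tr 'a-f' 'A-F'
}

# Revoke the certificate issued for common name $1 and regenerate pki/crl.pem.
# --batch answers the "yes" confirmation prompt non-interactively.
revoke_and_regenerate() {
    ./easyrsa --batch revoke "$1"
    ./easyrsa gen-crl
}

# Exit 0 if certificate file $1 is listed in CRL file $2, non-zero otherwise.
cert_is_revoked_in_crl() {
    serial=$(cert_serial "$1")
    openssl crl -in "$2" -noout -text | crl_serials_from_text | grep -qx "$serial"
}

# Typical use (client name and paths are placeholders):
#   revoke_and_regenerate client1.domain.tld
#   cert_is_revoked_in_crl pki/issued/client1.domain.tld.crt pki/crl.pem \
#       && echo "CRL lists the revoked certificate; safe to upload"
```

If the check fails, the CRL you are about to upload will not block the client, so re-run gen-crl and re-check rather than uploading.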

Windows

The following procedure uses the OpenVPN software to generate a client revocation list. It assumes that you followed the steps for using the OpenVPN software to generate the client and server certificates and keys.

To generate a client certificate revocation list using EasyRSA version 3.x.x
  1. Open a command prompt and navigate to the EasyRSA-3.x.x directory, which will depend on where it is installed on your system.

    C:\> cd c:\Users\windows\EasyRSA-3.x.x
  2. Run the EasyRSA-Start.bat file to start the EasyRSA shell.

    C:\> .\EasyRSA-Start.bat
  3. In the EasyRSA shell, revoke the client certificate.

    # ./easyrsa revoke client_certificate_name
  4. Enter yes when prompted.

  5. Generate the client revocation list.

    # ./easyrsa gen-crl
  6. The client revocation list will be created in the following location:

    c:\Users\windows\EasyRSA-3.x.x\pki\crl.pem

To generate a client certificate revocation list using previous EasyRSA versions
  1. Open a command prompt and navigate to the OpenVPN directory.

    C:\> cd \Program Files\OpenVPN\easy-rsa
  2. Run the vars.bat file.

    C:\> vars
  3. Revoke the client certificate and generate the client revocation list.

    C:\> revoke-full client_certificate_name
    C:\> more crl.pem