OpenVPN Server CRL


#1

I have an OpenVPN server installed and running. I was looking into having it check a CRL so that I can revoke certificates if needed. I can create the CRL, but I can't seem to get OpenVPN to check it. I feel like I'm not configuring it correctly. I tried adding the line below to the config, but it doesn't seem to make a difference. Is the option different? Is there a different place I need to set it?

option crl-verify '/etc/openvpn/crl.pem'


#2

Location shouldn't matter, as long as it is defined in the configuration and readable by all, as openvpn drops root privileges.
How did you try to test? There was a user that was working, you revoked his certificate, and now he is still working while he shouldn't be?


#3

If it is working properly you should see messages like the following in the logs:

Thu Jan  4 16:30:41 2018 daemon.notice openvpn(custom_config)[20897]: 192.168.0.1:61077 CRL CHECK OK: C=??, ST=UnknownProvince, L=UnknownCity, O=UnknownOrg, OU=UnknownOrgUnit, CN=client1, name=client1, emailAddress=client1@wcsvrlvajsjprxz.com
Thu Jan  4 16:30:41 2018 daemon.notice openvpn(custom_config)[20897]: 192.168.0.1:61077 VERIFY OK: depth=0, C=??, ST=UnknownProvince, L=UnknownCity, O=UnknownOrg, OU=UnknownOrgUnit, CN=client1, name=client1, emailAddress=client1@wcsvrlvajsjprxz.com

Or

Thu Jan  4 16:36:02 2018 daemon.notice openvpn(custom_config)[20897]: 192.168.0.1:65391 CRL CHECK FAILED: C=??, ST=UnknownProvince, L=UnknownCity, O=UnknownOrg, OU=UnknownOrgUnit, CN=client1, name=client1, emailAddress=client1@wcsvrlvajsjprxz.com (serial 01) is REVOKED
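A small added example (not from this thread or from the OpenVPN project) that turns the two points above into something you can run: it checks whether the CRL file mode would be readable by the de-privileged openvpn process (#2), and it parses the CRL CHECK OK / CRL CHECK FAILED log lines quoted in #3 so that rejected connection attempts by revoked certificates can be counted per CN. The log format assumed is exactly the syslog-style lines shown above, with IPv4 peer addresses; the sample log embedded below is the thread's three lines plus one constructed extra line, and the file/function names are mine.

```python
import os
import re
import stat
from collections import Counter

# Sample log: the three lines quoted in post #3, plus one constructed line for a
# second revoked client so the per-CN count has more than one entry to work with.
SAMPLE_LOG = [
    "Thu Jan  4 16:30:41 2018 daemon.notice openvpn(custom_config)[20897]: 192.168.0.1:61077 "
    "CRL CHECK OK: C=??, ST=UnknownProvince, L=UnknownCity, O=UnknownOrg, OU=UnknownOrgUnit, "
    "CN=client1, name=client1, emailAddress=client1@wcsvrlvajsjprxz.com",
    "Thu Jan  4 16:30:41 2018 daemon.notice openvpn(custom_config)[20897]: 192.168.0.1:61077 "
    "VERIFY OK: depth=0, C=??, ST=UnknownProvince, L=UnknownCity, O=UnknownOrg, OU=UnknownOrgUnit, "
    "CN=client1, name=client1, emailAddress=client1@wcsvrlvajsjprxz.com",
    "Thu Jan  4 16:36:02 2018 daemon.notice openvpn(custom_config)[20897]: 192.168.0.1:65391 "
    "CRL CHECK FAILED: C=??, ST=UnknownProvince, L=UnknownCity, O=UnknownOrg, OU=UnknownOrgUnit, "
    "CN=client1, name=client1, emailAddress=client1@wcsvrlvajsjprxz.com (serial 01) is REVOKED",
    # constructed: a second revoked client, not from the thread
    "Thu Jan  4 16:40:10 2018 daemon.notice openvpn(custom_config)[20897]: 192.168.0.7:50012 "
    "CRL CHECK FAILED: C=??, O=UnknownOrg, CN=client2 (serial 02) is REVOKED",
]

# Matches the verify lines as logged in post #3: "<prefix> openvpn(<instance>)[<pid>]: <peer> "
# followed by "CRL CHECK OK: <subject>" or "CRL CHECK FAILED: <subject> (serial NN) is REVOKED".
# Assumption: IPv4 peers in host:port form, as in the quoted lines.
CRL_LINE = re.compile(
    r"openvpn\((?P<instance>[^)]+)\)\[(?P<pid>\d+)\]: "
    r"(?P<peer>\d{1,3}(?:\.\d{1,3}){3}:\d+) "
    r"CRL CHECK (?P<result>OK|FAILED): (?P<subject>.*?)"
    r"(?: \(serial (?P<serial>[0-9A-Fa-f]+)\) is REVOKED)?$"
)
CN_FIELD = re.compile(r"(?:^|, )CN=(?P<cn>[^,]+)")


def parse_crl_check(line):
    """Return a dict for a CRL CHECK log line, or None for any other line (e.g. VERIFY OK)."""
    m = CRL_LINE.search(line)
    if not m:
        return None
    cn = CN_FIELD.search(m.group("subject"))
    return {
        "peer": m.group("peer"),
        "cn": cn.group("cn") if cn else None,
        "result": m.group("result"),
        "serial": m.group("serial"),  # only present on FAILED ... is REVOKED lines
    }


def revoked_attempts(lines):
    """Count connection attempts per CN that the CRL check rejected."""
    counts = Counter()
    for line in lines:
        ev = parse_crl_check(line)
        if ev and ev["result"] == "FAILED":
            counts[ev["cn"]] += 1
    return counts


def crl_mode_is_world_readable(mode):
    """True if the 'other' read bit is set: what post #2 means by 'readable by all'."""
    return bool(mode & stat.S_IROTH)


def crl_readable_by_unprivileged(path):
    """Stat the CRL on disk and apply the same check to its actual mode."""
    return crl_mode_is_world_readable(os.stat(path).st_mode)


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(parse_crl_check(line))
    print("rejected attempts per CN:", dict(revoked_attempts(SAMPLE_LOG)))
    print("0o600 readable by openvpn user?", crl_mode_is_world_readable(0o600))
    print("0o644 readable by openvpn user?", crl_mode_is_world_readable(0o644))
```

The VERIFY OK line deliberately parses to None: it says the chain verified, not that the CRL was consulted, so only CRL CHECK lines count as evidence that crl-verify is active. If your log never shows either CRL CHECK message for any client, the option is not being applied at all, which is the situation described in the question.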