I have an OpenVPN server installed and running. I was looking into having it check a CRL so that I can revoke certificates if needed. I can create the CRL, but I can seem to get OpenVPN to check it. I feel like i'm not configuring it correctly. I tried adding the line below to the config, but it doesn't seem to make a difference. Is the option different? Is there a different place I need to set it?
option crl-verify '/etc/openvpn/crl.pem'
Location shouldn't matter, as long as it is defined in the configuration and readable by all, as openvpn drops root privileges.
How did you try to test? There was a user that was working, you revoked his certificate and now is still working, while he shouldn't?
If it is working properly you should see messages like the following in the logs
Thu Jan 4 16:30:41 2018 daemon.notice openvpn(custom_config)[20897]: 192.168.0.1:61077 CRL CHECK OK: C=??, ST=UnknownProvince, L=UnknownCity, O=UnknownOrg, OU=UnknownOrgUnit, CN=client1, name=client1, emailAddress=client1@wcsvrlvajsjprxz.com
Thu Jan 4 16:30:41 2018 daemon.notice openvpn(custom_config)[20897]: 192.168.0.1:61077 VERIFY OK: depth=0, C=??, ST=UnknownProvince, L=UnknownCity, O=UnknownOrg, OU=UnknownOrgUnit, CN=client1, name=client1, emailAddress=client1@wcsvrlvajsjprxz.com
Or
Thu Jan 4 16:36:02 2018 daemon.notice openvpn(custom_config)[20897]: 192.168.0.1:65391 CRL CHECK FAILED: C=??, ST=UnknownProvince, L=UnknownCity, O=UnknownOrg, OU=UnknownOrgUnit, CN=client1, name=client1, emailAddress=client1@wcsvrlvajsjprxz.com (serial 01) is REVOKED