KILLING BAD ACTORS
What happens when someone’s not behaving properly, and you want to remove their access to your server? The easy-rsa program enables you to revoke their access. Here’s how you do it.
The “/etc/easy-rsa/pki/index.txt” file is the “master database” of all your issued certificates. Each line describes one certificate, with tab-separated fields for status, expiry date, revocation date (empty unless the certificate has been revoked), serial number, file name (always “unknown” with easy-rsa) and subject name. It will look something like this:
R 271031194324Z 180920101828Z 97913BB18DF2BACC70047EE8E8AF8E29 unknown /CN=bob
V 271031195653Z 082F05CAE53FEC2AB52DA56C044C5884 unknown /CN=sally
V 280206223922Z C6DB4B3B0CC7D9EF94DF02E18444FC2B unknown /CN=joe
A V in the first field indicates a valid certificate, while an R means that the certificate has been revoked (the date of revocation then appears as the third field). You can find the common name of each certificate right at the end of its line.
Let’s say that we want to remove Joe’s access. To revoke his certificate, you would run the following commands (easyrsa revoke asks you to confirm before it touches the database):
cd /etc/easy-rsa
easyrsa revoke joe
easyrsa gen-crl
If you look in “index.txt,” you’ll find there’s now an R on Joe’s line. The easyrsa gen-crl command regenerates the certificate revocation list in “/etc/easy-rsa/pki/crl.pem,” but the server knows nothing about it until you install it. Copy “/etc/easy-rsa/pki/crl.pem” to “/etc/openvpn,” add crl-verify /etc/openvpn/crl.pem to “/etc/openvpn/server.conf,” and restart your OpenVPN server. Remember, OpenVPN is now running as user nobody, so make sure “crl.pem” is world-readable (mode 644). If you’ve previously put “crl-verify” into “server.conf,” all you need to do is copy over the updated “crl.pem” file; OpenVPN picks up the new file without a restart. Two caveats are worth knowing. First, the CRL is consulted only when a client negotiates a TLS session, so a client that is already connected stays connected until its next renegotiation, or until you kill its session through the management interface. Second, the CRL itself carries an expiry date (easy-rsa sets it from EASYRSA_CRL_DAYS, 180 days by default), and once it has passed OpenVPN rejects every client, not just the revoked ones, so re-run gen-crl and copy the file over periodically even if you have revoked nobody.
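As an added example (this is not code from the article), the revocation procedure above wrapped in a POSIX shell script with the checks an operator would want: it confirms that the name exists in index.txt and is still valid before revoking, installs the CRL world-readable for the unprivileged OpenVPN user, and restarts the server only when crl-verify still has to be added. The EASYRSA_DIR, OPENVPN_DIR and SERVER_CONF variables, the function names, and the openvpn@server systemd unit name are assumptions, not anything the article specifies.

```shell
#!/bin/sh
# Revoke an OpenVPN client certificate with easy-rsa and install the new CRL.
# Added example; paths default to the ones used in the article and can be
# overridden in the environment (EASYRSA_DIR, OPENVPN_DIR, SERVER_CONF are
# assumed names, not easy-rsa or OpenVPN settings).
set -eu

EASYRSA_DIR="${EASYRSA_DIR:-/etc/easy-rsa}"
OPENVPN_DIR="${OPENVPN_DIR:-/etc/openvpn}"
SERVER_CONF="${SERVER_CONF:-$OPENVPN_DIR/server.conf}"

# index_status INDEX_FILE CN
# Prints the status letter (V valid, R revoked, E expired) of the most recent
# certificate issued for CN, or nothing if no such certificate exists.
# index.txt is tab-separated: status, expiry, revocation date (empty unless
# revoked), serial, filename, DN. easy-rsa's default DN is just /CN=<name>.
index_status() {
    awk -v cn="$2" 'BEGIN { FS = "\t" } $6 == "/CN=" cn { print $1 }' "$1" \
        | tail -n 1
}

# crl_next_update CRL_FILE
# Prints the nextUpdate date of a PEM CRL. OpenVPN rejects every client once
# this date has passed, so it is worth checking after each gen-crl.
crl_next_update() {
    openssl crl -in "$1" -noout -nextupdate
}

# revoke_client CN
revoke_client() {
    cn="$1"
    index="$EASYRSA_DIR/pki/index.txt"

    case "$(index_status "$index" "$cn")" in
        V) ;;
        R) echo "$cn is already revoked" >&2; return 1 ;;
        E) echo "$cn has expired; nothing to revoke" >&2; return 1 ;;
        *) echo "no certificate for $cn in $index" >&2; return 1 ;;
    esac

    # easyrsa revoke prompts for confirmation before writing to index.txt.
    (cd "$EASYRSA_DIR" && easyrsa revoke "$cn" && easyrsa gen-crl)

    # OpenVPN drops privileges to 'nobody' after start-up, so the CRL must
    # be world-readable; pki/ itself is not accessible to that user.
    install -m 0644 "$EASYRSA_DIR/pki/crl.pem" "$OPENVPN_DIR/crl.pem"
    crl_next_update "$OPENVPN_DIR/crl.pem"

    if grep -q '^crl-verify' "$SERVER_CONF"; then
        echo "crl-verify already configured; new CRL is in place" \
             "(connected clients drop at their next TLS renegotiation)"
    else
        echo "crl-verify $OPENVPN_DIR/crl.pem" >> "$SERVER_CONF"
        systemctl restart openvpn@server   # assumed unit name
    fi
}

if [ $# -gt 0 ]; then
    revoke_client "$1"
fi
```

Run it as `sh revoke-client.sh joe` on the CA host. The status check is deliberately strict: a second revoke of the same name is an error rather than a silent no-op, so a typo in the common name cannot pass unnoticed.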