Why didn't Client VPN revoke the users that I specified my CRL?

2 minute read

I revoked a certificate, generated a certificate revocation list (CRL), and then imported the CRL to AWS Client VPN. I completed these steps to revoke access for specific users. However, Client VPN didn't revoke the specified users.

Short description

To revoke access, you must use the same certificate authority (CA) that you used to generate the user certificate. Also, you must run the following commands to revoke your certificate and generate the CRL:

$ ./easyrsa revoke revoked.learnaws.local

$ ./easyrsa gen-crl

After you meet these criteria, complete the following steps to troubleshoot.


Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you're using the most recent AWS CLI version.

1. Use the AWS CLI to export the CRL. Then, save the CRL as a crl.pem file. Remove the STATUS at the end of the command output.

$ aws ec2 export-client-vpn-client-certificate-revocation-list --client-vpn-endpoint-id cvpn-endpoint-07ff8ba3d5d3b5188 --output text --region eu-central-1

2. Create a .pem file for the CA with the .crt and .key files:

$ openssl pkcs12 -export -in ca.crt -inkey ca.key -out ca.p12
$ openssl pkcs12 -in ca.p12 -nodes -out ca.pem

3. Create a .pem file for the user certificate that you want to revoke: 

$ openssl pkcs12 -export -in revoked.learnaws.local.crt -inkey revoked.learnaws.local.key -out revoked.learnaws.local.p12
$ openssl pkcs12 -in revoked.learnaws.local.p12 -nodes -out revoked.learnaws.local.pem

4. Link the ca and crl .pem files with the cat command:

$ cat ca.pem crl.pem > crl_ca.pem

5. Verify the revocation.

The expected output is error 23 at 0 depth lookup:certificate revoked. If the output is OK, then Client VPN didn't revoke the user certificate. 

Example output:

$ openssl verify -crl_check -CAfile crl_ca.pem revoked.learnaws.local.pem
revoked.learnaws.local.pem: CN = revoked.learnaws.local
error 23 at 0 depth lookup:certificate revoked


Check the output for the user certificate's serial number. If the serial number is in the CRL, then Client VPN revoked the certificate.

To find the user certificate serial number, run this command:

$ openssl x509 -in revoked.learnaws.local.crt -noout -serial

To check if the serial number is in the CRL, run this command:

client cert: CN=abc.corp.xyz.com, "CertificateArn": "arn:aws:acm:us-east-1:xxxx:certificate/xxxxx-f692-4026-b26f-cfb361cf1b66", "Serial": "b5:99:e8:b9:5d:39:85:5f:8e:a9:b9:2c:10:9f:8b:c3"

$ cd /home/ec2-user/easy-rsa/easyrsa3/pki$ openssl crl -in crl.pem -text -noout | grep B599E8B95D39855F8EA9B92C109F8BC3
AWS OFFICIALUpdated 9 months ago