Client certificate revocation lists - AWS Client VPN

Client certificate revocation lists

You can use client certificate revocation lists to revoke access to a Client VPN endpoint for specific client certificates.

Note

For more information about generating the server and client certificates and keys, see Mutual authentication.

Generate a client certificate revocation list

Linux/macOS

In the following procedure, you generate a client certificate revocation list using the OpenVPN easy-rsa command line utility.

To generate a client certificate revocation list using OpenVPN easy-rsa

  1. Clone the OpenVPN easy-rsa repo to your local computer.

    $ git clone https://github.com/OpenVPN/easy-rsa.git
  2. Navigate into the easy-rsa/easyrsa3 folder in your local repo.

    $ cd easy-rsa/easyrsa3
  3. Revoke the client certificate and generate the client revocation list.

    $ ./easyrsa revoke client_certificate_name
    $ ./easyrsa gen-crl

    Type yes when prompted.

Windows

The following procedure uses the OpenVPN software to generate a client revocation list. It assumes that you followed the steps for using the OpenVPN software to generate the client and server certificates and keys.

To generate a client certificate revocation list

  1. Open a command prompt and navigate to the OpenVPN directory.

    C:\> cd \Program Files\OpenVPN\easy-rsa
  2. Run the vars.bat file.

    C:\> vars
  3. Revoke the client certificate and generate the client revocation list.

    C:\> revoke-full client_certificate_name
    C:\> more crl.pem

Import a client certificate revocation list

You must have a client certificate revocation list file to import. For more information about generating a client certificate revocation list, see Generate a client certificate revocation list.

You can import a client certificate revocation list using the console and the AWS CLI.

To import a client certificate revocation list (console)

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Client VPN Endpoints.

  3. Select the Client VPN endpoint for which to import the client certificate revocation list.

  4. Choose Actions, and choose Import Client Certificate CRL.

  5. For Certificate Revocation List, enter the contents of the client certificate revocation list file, and choose Import CRL.

To import a client certificate revocation list (AWS CLI)

Use the import-client-vpn-client-certificate-revocation-list command.

$ aws ec2 import-client-vpn-client-certificate-revocation-list --certificate-revocation-list file://path_to_CRL_file --client-vpn-endpoint-id endpoint_id --region region
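As an added example (not AWS's or easy-rsa's own code), the following Python check, using the cryptography package, is worth running on crl.pem before the import above: it confirms that the CRL is signed by the client CA, that its nextUpdate leaves a safety margin, and that the serial of the certificate you revoked is actually listed (running revoke without gen-crl leaves the CRL unchanged). The CA, client certificate and CRL it builds are constructed fixtures standing in for your ca.crt, the client's certificate and crl.pem.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.serialization import Encoding
from cryptography.x509.oid import NameOID

def check_crl(crl_pem, ca_pem, revoked_pem, min_days_left=30):
    """Return the problems found; an empty list means the CRL is ready to import."""
    crl = x509.load_pem_x509_crl(crl_pem)
    ca = x509.load_pem_x509_certificate(ca_pem)
    client = x509.load_pem_x509_certificate(revoked_pem)
    problems = []
    # 1. The CRL must come from the CA that issued the client certificates.
    if crl.issuer != ca.subject or not crl.is_signature_valid(ca.public_key()):
        problems.append("CRL is not signed by the client CA")
    # 2. A CRL expires (gen-crl sets nextUpdate); keep a safety margin before that date.
    next_update = getattr(crl, "next_update_utc", None)  # cryptography >= 42
    if next_update is None and crl.next_update is not None:
        next_update = crl.next_update.replace(tzinfo=timezone.utc)
    if next_update is None or next_update < datetime.now(timezone.utc) + timedelta(days=min_days_left):
        problems.append("CRL expires within %d days (nextUpdate=%s)" % (min_days_left, next_update))
    # 3. "revoke" alone does not update the CRL; the serial must actually be listed.
    if crl.get_revoked_certificate_by_serial_number(client.serial_number) is None:
        problems.append("serial %d is not in the CRL, run gen-crl again" % client.serial_number)
    return problems

def make_sample(revoke=True, crl_days=180):
    """Constructed fixtures (not a real deployment): throwaway CA, client cert and CRL."""
    now = datetime.now(timezone.utc)
    ca_key = ec.generate_private_key(ec.SECP256R1())
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Client VPN CA")])
    def cert(subject, key):
        return (x509.CertificateBuilder().subject_name(subject).issuer_name(ca_name)
                .public_key(key.public_key()).serial_number(x509.random_serial_number())
                .not_valid_before(now).not_valid_after(now + timedelta(days=365))
                .add_extension(x509.BasicConstraints(ca=(subject == ca_name), path_length=None), critical=True)
                .sign(ca_key, hashes.SHA256()))
    ca = cert(ca_name, ca_key)
    client = cert(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "client1")]), ec.generate_private_key(ec.SECP256R1()))
    crl = x509.CertificateRevocationListBuilder().issuer_name(ca_name).last_update(now).next_update(now + timedelta(days=crl_days))
    if revoke:  # mirrors "easyrsa revoke" followed by "easyrsa gen-crl"
        crl = crl.add_revoked_certificate(x509.RevokedCertificateBuilder()
                                          .serial_number(client.serial_number).revocation_date(now).build())
    crl = crl.sign(ca_key, hashes.SHA256())
    return crl.public_bytes(Encoding.PEM), ca.public_bytes(Encoding.PEM), client.public_bytes(Encoding.PEM)
```

In practice, pass the bytes of crl.pem, ca.crt and the revoked client's certificate to check_crl and import only when it returns an empty list.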

Export a client certificate revocation list

You can export client certificate revocation lists using the console and the AWS CLI.

To export a client certificate revocation list (console)

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Client VPN Endpoints.

  3. Select the Client VPN endpoint for which to export the client certificate revocation list.

  4. Choose Actions, choose Export Client Certificate CRL, and choose Yes, Export.

To export a client certificate revocation list (AWS CLI)

Use the export-client-vpn-client-certificate-revocation-list command.