AWS Client VPN
Administrator Guide

Client Certificate Revocation Lists

You can use client certificate revocation lists to blacklist specific client certificates. Blacklisting a client certificate revokes that client's access to the Client VPN endpoint.

Note

For more information about generating the server and client certificates and keys, see Mutual Authentication.

Generate a Client Certificate Revocation List

You must generate a client certificate revocation list using the OpenVPN easy-rsa command line utility.

To generate a client certificate revocation list using OpenVPN easy-rsa

  1. Clone the OpenVPN easy-rsa repo to your local computer.

    $ git clone https://github.com/OpenVPN/easy-rsa.git
  2. Navigate into the easy-rsa/easyrsa3 folder in your local repo.

    $ cd easy-rsa/easyrsa3
  3. Generate the client revocation list.

    $ ./easyrsa revoke client_certificate_name
    $ ./easyrsa gen-crl

    Type yes when prompted.

Import a Client Certificate Revocation List

You must have a client certificate revocation list file to import. For more information about generating a client certificate revocation list, see Generate a Client Certificate Revocation List.

You can import a client certificate revocation list using the console and the AWS CLI.

To import a client certificate revocation list (console)

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Client VPN Endpoints.

  3. Select the Client VPN endpoint for which to import the client certificate revocation list.

  4. Choose Actions, and choose Import Client Certificate CRL.

  5. For Certificate Revocation List, enter the contents of the client certificate revocation list file, and choose Import CRL.

To import a client certificate revocation list (AWS CLI)

Use the import-client-vpn-client-certificate-revocation-list command.

$ aws ec2 import-client-vpn-client-certificate-revocation-list --certificate-revocation-list file://path_to_CRL_file --client-vpn-endpoint-id endpoint_id --region region
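The generate and import steps above, with pre-import checks placed in front of the import command. This is an added example, not code from the AWS guide or from easy-rsa; it assumes the openssl and aws CLIs are on PATH, and the CRL path, client certificate path, endpoint ID and Region are placeholders supplied by the caller.

```shell
#!/bin/sh
# Added example (not from the AWS guide): sanity-check an easy-rsa CRL before
# importing it into a Client VPN endpoint. Assumes openssl and aws are on PATH.

# crl_is_pem FILE -> 0 if FILE is a PEM-encoded X.509 CRL, the form the import
# expects (easy-rsa's gen-crl writes pki/crl.pem in this form).
crl_is_pem() {
  head -n 1 "$1" 2>/dev/null | grep -q '^-----BEGIN X509 CRL-----'
}

# crl_revoked_serials FILE -> prints the hex serial of every revoked certificate,
# one per line (no output when the CRL revokes nothing).
crl_revoked_serials() {
  openssl crl -in "$1" -noout -text |
    sed -n 's/^ *Serial Number: *\([0-9A-Fa-f]*\).*/\1/p'
}

# crl_revokes CRL_FILE CERT_FILE -> 0 if the certificate's serial is listed in
# the CRL. Confirms that "easyrsa revoke" actually landed in the file you upload.
crl_revokes() {
  serial=$(openssl x509 -in "$2" -noout -serial | cut -d= -f2)
  [ -n "$serial" ] || return 1
  crl_revoked_serials "$1" | grep -qix "$serial"
}

# crl_validity FILE -> prints the lastUpdate/nextUpdate window. easy-rsa CRLs
# carry an expiry, so check that nextUpdate is still ahead before relying on it.
crl_validity() {
  openssl crl -in "$1" -noout -lastupdate -nextupdate
}

# import_crl CRL_FILE CERT_FILE ENDPOINT_ID REGION -> runs the guide's import
# command only after the checks pass. Note the file:// prefix the AWS CLI needs.
import_crl() {
  crl_is_pem "$1" || { echo "refusing import: $1 is not a PEM CRL" >&2; return 1; }
  crl_revokes "$1" "$2" || { echo "refusing import: $2 not revoked in $1" >&2; return 1; }
  crl_validity "$1"
  aws ec2 import-client-vpn-client-certificate-revocation-list \
    --certificate-revocation-list "file://$1" \
    --client-vpn-endpoint-id "$3" \
    --region "$4"
}
```

Run as `import_crl pki/crl.pem pki/issued/client1.crt cvpn-endpoint-id region` from the easyrsa3 directory after `./easyrsa gen-crl`; the import is skipped with a message if either check fails.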

Export a Client Certificate Revocation List

You can export client certificate revocation lists using the console and the AWS CLI.

To export a client certificate revocation list (console)

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Client VPN Endpoints.

  3. Select the Client VPN endpoint for which to export the client certificate revocation list.

  4. Choose Actions, choose Export Client Certificate CRL, and choose Yes, Export.

To export a client certificate revocation list (AWS CLI)

Use the export-client-vpn-client-certificate-revocation-list command.