Client certificate revocation lists
You can use client certificate revocation lists to revoke access to a Client VPN endpoint for specific client certificates.
Note
For more information about generating the server and client certificates and keys, see Mutual authentication.
For more information about the number of entries you can add to a client certificate revocation list, see Client VPN quotas.
Contents
Generate a client certificate revocation list
Import a client certificate revocation list
You must have a client certificate revocation list file to import. For more information about generating a client certificate revocation list, see Generate a client certificate revocation list.
You can import a client certificate revocation list using the console and the AWS CLI.
To import a client certificate revocation list (console)
1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
2. In the navigation pane, choose Client VPN Endpoints.
3. Select the Client VPN endpoint for which to import the client certificate revocation list.
4. Choose Actions, and choose Import Client Certificate CRL.
5. For Certificate Revocation List, enter the contents of the client certificate revocation list file, and choose Import client certificate CRL.
To import a client certificate revocation list (AWS CLI)
Use the import-client-vpn-client-certificate-revocation-list
$ aws ec2 import-client-vpn-client-certificate-revocation-list \
    --certificate-revocation-list file://path_to_CRL_file \
    --client-vpn-endpoint-id endpoint_id \
    --region region
Export a client certificate revocation list
You can export client certificate revocation lists using the console and the AWS CLI.
To export a client certificate revocation list (console)
1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
2. In the navigation pane, choose Client VPN Endpoints.
3. Select the Client VPN endpoint for which to export the client certificate revocation list.
4. Choose Actions, choose Export Client Certificate CRL, and choose Export Client Certificate CRL.
To export a client certificate revocation list (AWS CLI)
Use the export-client-vpn-client-certificate-revocation-list
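The import and export CLI commands above are shown on the page as bare invocations. The following shell script is an added example, not part of the AWS documentation, that wraps both of them with the checks an operator would want around a revocation change: it confirms the file is a PEM X.509 CRL and the endpoint ID has the expected shape before the import call, prints the CRL's validity window and revoked serial numbers so the right client certificates can be confirmed, and after the import exports the list the endpoint now holds and compares its revoked serials with the local file. It assumes the AWS CLI and openssl are on PATH, that credentials for the account owning the endpoint are configured, and that Client VPN endpoint IDs take the form cvpn-endpoint-<hex> (an assumption; adjust the pattern if your IDs differ). The endpoint ID and file path in the usage line are placeholders.

```shell
#!/bin/sh
# Added example, not from the AWS Client VPN documentation. Wraps the page's
# import and export CLI calls with pre-flight checks and a post-import
# comparison so a malformed CRL, an unexpected endpoint ID, or an import that
# did not take effect is caught.
# Assumes: aws and openssl on PATH, credentials for the account that owns the
# endpoint, and the assumed endpoint-ID form cvpn-endpoint-<hex>.
set -eu

# Return 0 if the file exists and carries a PEM X.509 CRL header. This is a
# cheap first check; openssl does the real parse in crl_summary.
crl_looks_pem() {
  [ -f "$1" ] && grep -q -- '^-----BEGIN X509 CRL-----' "$1"
}

# Return 0 if the ID matches the assumed Client VPN endpoint ID form.
valid_endpoint_id() {
  case "$1" in
    cvpn-endpoint-[0-9a-f]*) return 0 ;;
    *) return 1 ;;
  esac
}

# Run both checks; write the reason to stderr and return 1 on the first failure.
preflight() {
  crl_file=$1; endpoint_id=$2
  crl_looks_pem "$crl_file" || { echo "not a PEM CRL: $crl_file" >&2; return 1; }
  valid_endpoint_id "$endpoint_id" || { echo "unexpected endpoint ID: $endpoint_id" >&2; return 1; }
}

# Print the validity window and the revoked serial numbers so the operator can
# confirm the intended client certificates are listed before pushing the CRL.
crl_summary() {
  openssl crl -in "$1" -noout -lastupdate -nextupdate
  openssl crl -in "$1" -noout -text | grep -E 'Serial Number|Revocation Date' || true
}

# Import the CRL with the page's CLI command, then export what the endpoint now
# holds and compare the revoked-serial lists (not raw bytes, since PEM line
# wrapping or trailing newlines may differ after a round trip).
import_and_verify() {
  crl_file=$1; endpoint_id=$2; region=$3
  preflight "$crl_file" "$endpoint_id"
  crl_summary "$crl_file"
  aws ec2 import-client-vpn-client-certificate-revocation-list \
    --certificate-revocation-list "file://$crl_file" \
    --client-vpn-endpoint-id "$endpoint_id" --region "$region"
  exported=$(mktemp)
  aws ec2 export-client-vpn-client-certificate-revocation-list \
    --client-vpn-endpoint-id "$endpoint_id" --region "$region" \
    --query CertificateRevocationList --output text > "$exported"
  local_serials=$(openssl crl -in "$crl_file" -noout -text | grep 'Serial Number' | sort)
  remote_serials=$(openssl crl -in "$exported" -noout -text | grep 'Serial Number' | sort)
  rm -f "$exported"
  if [ "$local_serials" = "$remote_serials" ]; then
    echo "endpoint $endpoint_id now holds the imported CRL"
  else
    echo "revoked-serial mismatch between local CRL and endpoint export" >&2
    return 1
  fi
}

# Usage (placeholders, replace with your own values):
#   import_and_verify ./client-crl.pem cvpn-endpoint-0123456789abcdef0 us-west-2
```

The serial comparison at the end is the part worth keeping even if you drop the rest: a CRL import that silently did not replace the previous list leaves the revoked client able to connect, and reading the list back from the endpoint is the only confirmation the CLI gives you.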