Why aren't the users specified in my CRL revoked by Client VPN?

Last updated: 2021-01-27

I revoked a certificate, generated a certificate revocation list (CRL), and then imported the CRL to AWS Client VPN. I completed these steps to revoke access for specific users. However, the specified users aren't being revoked by Client VPN. How can I fix this?

Short description

Confirm that you used the following Easy-RSA commands to revoke the client certificate and generate the CRL (gen-crl writes the updated CRL to pki/crl.pem), and that you then imported that updated CRL into your Client VPN endpoint:

$ ./easyrsa revoke revoked.learnaws.local
$ ./easyrsa gen-crl

Then, complete the following steps to continue troubleshooting.

Resolution

Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you’re using the most recent AWS CLI version.

1.    Using the AWS CLI, export the CRL and save it as a "crl.pem" file. With --output text, the command prints the PEM-encoded CRL followed by a STATUS line that is not part of the CRL, so delete that trailing line from the file. Replace the endpoint ID and Region with your own:

$ aws ec2 export-client-vpn-client-certificate-revocation-list --client-vpn-endpoint-id cvpn-endpoint-07ff8ba3d5d3b5188 --output text --region eu-central-1 > crl.pem

2.    Create a PEM file for the certificate authority (CA) from the .crt and .key files:

$ openssl pkcs12 -export -in ca.crt -inkey ca.key -out ca.p12
$ openssl pkcs12 -in ca.p12 -nodes -out ca.pem

Note: Because of -nodes, ca.pem also contains the unencrypted CA private key. openssl verify ignores the key, but delete ca.p12 and ca.pem when you're done. Easy-RSA's ca.crt is already PEM-encoded, so you can also use it directly in step 4 instead of ca.pem.

3.    Create a PEM file for the client certificate that you revoked, from its .crt and .key files:

$ openssl pkcs12 -export -in revoked.learnaws.local.crt -inkey revoked.learnaws.local.key -out revoked.learnaws.local.p12
$ openssl pkcs12 -in revoked.learnaws.local.p12 -nodes -out revoked.learnaws.local.pem

4.    Concatenate the CA and CRL PEM files into one bundle using the cat command:

$ cat ca.pem crl.pem > crl_ca.pem

5.    Verify the revocation against the bundle:

$ openssl verify -crl_check -CAfile crl_ca.pem revoked.learnaws.local.pem

revoked.learnaws.local.pem: CN = revoked.learnaws.local
error 23 at 0 depth lookup:certificate revoked

The expected output is "error 23 at 0 depth lookup:certificate revoked" (OpenSSL 3 prints "lookup: certificate revoked"), which confirms that the CRL lists the certificate. If the output is "OK", the certificate isn't revoked as intended: the CRL that you exported from the endpoint doesn't list it, so repeat the revoke and gen-crl commands from the Short description and import the new CRL again.

-or-

Find the serial number of the client certificate and look for it in the CRL. ACM (for example, in describe-certificate output) shows the serial as lowercase, colon-separated bytes, while openssl crl -text prints it as uppercase hex without colons, so remove the colons and uppercase the value before you search. If the serial number appears in the output, the certificate is listed in the CRL.

Example:

client cert: CN=abc.corp.xyz.com, "CertificateArn": "arn:aws:acm:us-east-1:xxxx:certificate/xxxxx-f692-4026-b26f-cfb361cf1b66", "Serial": "b5:99:e8:b9:5d:39:85:5f:8e:a9:b9:2c:10:9f:8b:c3"
$ cd /home/ec2-user/easy-rsa/easyrsa3/pki
$ openssl crl -in crl.pem -text -noout | grep B599E8B95D39855F8EA9B92C109F8BC3
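The following script is an added worked example and is not part of the AWS article. It runs steps 1 through 5 end to end without a Client VPN endpoint: it builds a throwaway CA with plain openssl ca (standing in for the easyrsa PKI), issues and revokes one client certificate, simulates the AWS CLI text output with its trailing STATUS line, and then applies both checks described above (path validation with -crl_check and the serial lookup, including the colon-stripping and uppercasing). It assumes only that openssl is on PATH; the function names, the temporary directory layout, and the CA configuration are constructed for this example.

```bash
#!/usr/bin/env bash
# Added example, not from the AWS article. Reproduces steps 1-5 against a
# throwaway CA built with plain `openssl ca` (standing in for easyrsa), so it
# runs offline with no Client VPN endpoint. Assumes only `openssl` in PATH.
set -eu

# Step 1: `aws ec2 export-client-vpn-client-certificate-revocation-list --output text`
# prints the PEM followed by a STATUS line. Keep only the CRL PEM block.
strip_cli_status() {
  sed -n '/-----BEGIN X509 CRL-----/,/-----END X509 CRL-----/p'
}

# ACM shows the serial as lowercase colon-separated bytes ("b5:99:e8:...");
# `openssl crl -text` prints it as "Serial Number: B599E8..." (uppercase, no colons).
acm_serial_to_openssl() {
  printf '%s' "$1" | tr -d ':' | tr '[:lower:]' '[:upper:]'
}

# Returns 0 when the ACM-style serial ($2) is listed in the CRL file ($1).
serial_in_crl() {
  openssl crl -in "$1" -text -noout |
    grep -q "Serial Number: $(acm_serial_to_openssl "$2")\$"
}

# Step 5 via path validation: returns 0 when the CA+CRL bundle ($1) marks the
# client cert ($2) as revoked (openssl reports "certificate revoked").
cert_is_revoked() {
  openssl verify -crl_check -CAfile "$1" "$2" 2>&1 | grep -q 'certificate revoked'
}

# Build a CA, issue one client cert, revoke it, generate the CRL, then run the
# same two checks the article describes. Works in a temp dir that is removed.
demo() (
  work=$(mktemp -d) || exit 1
  cd "$work" || exit 1

  # Minimal `openssl ca` configuration, constructed for this example.
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca       = CA_default
[ CA_default ]
dir              = .
database         = $dir/index.txt
new_certs_dir    = $dir
serial           = $dir/serial
crlnumber        = $dir/crlnumber
certificate      = $dir/ca.crt
private_key      = $dir/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = policy_any
x509_extensions  = usr_cert
[ policy_any ]
commonName       = supplied
[ usr_cert ]
basicConstraints = CA:FALSE
[ req ]
distinguished_name = req_dn
x509_extensions  = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage         = keyCertSign,cRLSign
EOF
  : > index.txt
  echo 1000 > serial        # the single client cert gets serial 0x1000
  echo 01 > crlnumber

  openssl req -x509 -new -newkey rsa:2048 -nodes -config ca.cnf -days 3650 \
      -keyout ca.key -out ca.crt -subj '/CN=Example VPN CA' 2>/dev/null &&
  openssl req -new -newkey rsa:2048 -nodes -config ca.cnf \
      -keyout client.key -out client.csr -subj '/CN=revoked.learnaws.local' 2>/dev/null &&
  openssl ca -batch -config ca.cnf -notext -in client.csr -out client.crt 2>/dev/null &&
  openssl ca -batch -config ca.cnf -revoke client.crt 2>/dev/null &&
  openssl ca -batch -config ca.cnf -gencrl -out crl.pem 2>/dev/null || exit 1

  # Simulate the AWS CLI text output (PEM followed by a STATUS line), then strip it.
  { cat crl.pem; printf 'STATUS\tactive\n'; } | strip_cli_status > crl_from_cli.pem

  # ca.crt is already PEM, so no pkcs12 round-trip is needed to build the bundle.
  cat ca.crt crl_from_cli.pem > crl_ca.pem

  rc=0
  cert_is_revoked crl_ca.pem client.crt || rc=1      # path validation says revoked
  serial_in_crl crl_from_cli.pem '10:00' || rc=1     # ACM-style rendering of 0x1000
  cd / && rm -rf "$work"
  exit "$rc"
)
```

Running demo exits 0 only when both checks agree that the certificate is revoked. Against a real endpoint, replace the simulated CLI output with the actual export command from step 1 and the throwaway ca.crt with your Easy-RSA pki/ca.crt; if cert_is_revoked then fails while serial_in_crl succeeds against your local pki/crl.pem, the CRL on the endpoint is older than the one you generated and needs to be imported again.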
