How can I revoke access to a Client VPN endpoint for a specific client?

Last updated: 2020-03-25

I created an AWS Client VPN endpoint with certificate-based authentication for multiple clients. How can I revoke access to the Client VPN endpoint for a specific client?

Short Description

You can use certificate revocation lists to block specific client certificates. Blocking clients revokes their access to a Client VPN endpoint.

To revoke a client certificate, you must:

  1. Generate a client certificate revocation list
  2. Import a client certificate revocation list
  3. (Optional) Export the client certificate revocation list

Resolution

Generate a client certificate revocation list using OpenVPN easy-rsa

1.    Clone the OpenVPN easy-rsa repository to your local computer.

$ git clone https://github.com/OpenVPN/easy-rsa.git

2.    Change to the easy-rsa/easyrsa3 folder of the cloned repository.

$ cd easy-rsa/easyrsa3

3.    Revoke the client certificate, and then generate the client revocation list.

$ ./easyrsa revoke client_certificate_name

Type yes when prompted.

$ ./easyrsa gen-crl
Using SSL: openssl OpenSSL 1.0.2g  1 Mar 2016
Using configuration from /home/easy-rsa/easyrsa3/pki/easy-rsa-31222.LsDpvT/tmp.t5FIi8
An updated CRL has been created.
CRL file: /home/easy-rsa/easyrsa3/pki/crl.pem

The certificate revocation list file is created at easy-rsa/easyrsa3/pki/crl.pem (relative to the directory where you cloned the repository).

Import the certificate revocation list file to the client certificate revocation list

Important: After importing the certificate revocation list file to the client certificate revocation list, your client's access to the Client VPN endpoint is permanently revoked.

1.    Open the Amazon Virtual Private Cloud (Amazon VPC) console.

2.    In the navigation pane, choose Client VPN Endpoints.

3.    Select the Client VPN endpoint where you plan to import the client certificate revocation list.

4.    Choose Actions, and then choose Import Client Certificate CRL.

5.    Copy the contents of the client certificate revocation list file crl.pem.

$ cat pki/crl.pem
-----BEGIN X509 CRL-----
Base64-encoded CRL
-----END X509 CRL-----

6.    For Certificate Revocation List, enter the content of the client certificate revocation list file. Then, choose Import CRL.

Or, you can import the client certificate revocation list using the AWS Command Line Interface (AWS CLI):

aws ec2 import-client-vpn-client-certificate-revocation-list --certificate-revocation-list file://path_to_CRL_file --client-vpn-endpoint-id endpoint_id --region region
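The following program is an added example, not code from AWS or from the easy-rsa project. It reproduces the two steps above on a constructed PKI using Go's standard crypto/x509 package in place of easy-rsa: a CA issues two client certificates (the names client1 and client2 and the serial numbers are assumptions), only client1 is revoked and a CRL is generated in the same PEM form as pki/crl.pem, and a pre-import check then parses the CRL, verifies that it is signed by the client CA (the endpoint only honours a CRL issued by the CA that signed the client certificates; a CRL from any other CA is rejected), and looks up each client's serial number. Running it confirms that the revoked client is listed, that the untouched client is not, and that a CRL presented against the wrong CA fails verification, which is the state you want to be in before importing the file into the endpoint.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// template builds a certificate template for the constructed test PKI (a stand-in for easy-rsa's pki/).
// A CA must carry crlSign in its key usage; Go's CreateRevocationList refuses to sign a CRL otherwise.
func template(name string, serial int64, isCA bool, ku x509.KeyUsage) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: ku,
	}
}

// mustMint generates a P-256 key and has parent sign tmpl (self-signed when parentKey is nil). It panics
// on failure because it only builds fixtures; re-parsing the DER populates SubjectKeyId and PublicKey.
func mustMint(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parentKey == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// generateCRL is the equivalent of "easyrsa revoke" followed by "easyrsa gen-crl": the revoked serials
// are signed with the CA key and written in the same "-----BEGIN X509 CRL-----" PEM form as pki/crl.pem.
func generateCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, revoked []*x509.Certificate, number int64) ([]byte, error) {
	var entries []pkix.RevokedCertificate
	for _, c := range revoked {
		entries = append(entries, pkix.RevokedCertificate{SerialNumber: c.SerialNumber, RevocationTime: time.Now()})
	}
	tmpl := &x509.RevocationList{
		RevokedCertificates: entries, Number: big.NewInt(number),
		ThisUpdate: time.Now(), NextUpdate: time.Now().Add(30 * 24 * time.Hour),
	}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "X509 CRL", Bytes: der}), nil
}

// isRevoked is the pre-import check: the input must be a CRL signed by the endpoint's client CA;
// only then is the client's serial number looked up in it.
func isRevoked(crlPEM []byte, ca, client *x509.Certificate) (bool, error) {
	block, _ := pem.Decode(crlPEM)
	if block == nil || block.Type != "X509 CRL" {
		return false, fmt.Errorf("input is not a PEM-encoded X509 CRL")
	}
	crl, err := x509.ParseRevocationList(block.Bytes)
	if err != nil {
		return false, err
	}
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return false, fmt.Errorf("CRL is not signed by the expected client CA: %w", err)
	}
	for _, e := range crl.RevokedCertificates {
		if e.SerialNumber.Cmp(client.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}

// scenario follows the article on the constructed PKI: issue client1 and client2, revoke only client1,
// generate the CRL, then check it for both clients and against an unrelated CA that has the same name.
func scenario() (client1Revoked, client2Revoked, wrongCARejected bool, err error) {
	caUsage := x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	ca, caKey := mustMint(template("Example Client VPN CA", 1, true, caUsage), nil, nil)
	client1, _ := mustMint(template("client1", 1001, false, x509.KeyUsageDigitalSignature), ca, caKey)
	client2, _ := mustMint(template("client2", 1002, false, x509.KeyUsageDigitalSignature), ca, caKey)
	crlPEM, err := generateCRL(ca, caKey, []*x509.Certificate{client1}, 1)
	if err != nil {
		return
	}
	if client1Revoked, err = isRevoked(crlPEM, ca, client1); err != nil {
		return
	}
	if client2Revoked, err = isRevoked(crlPEM, ca, client2); err != nil {
		return
	}
	otherCA, _ := mustMint(template("Example Client VPN CA", 1, true, caUsage), nil, nil)
	_, sigErr := isRevoked(crlPEM, otherCA, client1)
	wrongCARejected = sigErr != nil
	return
}
```

To apply the same check to a real easy-rsa output, read pki/crl.pem and pki/ca.crt from disk, parse the CA with x509.ParseCertificate, and call isRevoked with the client certificate you revoked; a signature error at that point means the CRL was generated by a different CA than the one the endpoint trusts and importing it would not block anyone.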

(Optional) Export the client certificate revocation list

1.    Open the Amazon VPC console.

2.    In the navigation pane, choose Client VPN Endpoints.

3.    Select the Client VPN endpoint from where you plan to export the client certificate revocation list.

4.    Choose Actions, and then choose Export Client Certificate CRL.

5.    Choose Yes, and then choose Export.

Or, you can export the client certificate revocation list using the AWS CLI:

aws ec2 export-client-vpn-client-certificate-revocation-list --client-vpn-endpoint-id endpoint_id
