Why didn't Client VPN revoke the users that I specified my CRL?

2 minute read

I revoked a certificate, generated a certificate revocation list (CRL), and then imported the CRL to AWS Client VPN. I completed these steps to revoke access for specific users. However, Client VPN didn't revoke the specified users.

Short description

To revoke access, you must use the same certificate authority (CA) that you used to generate the user certificate. Also, you must run the following commands to revoke your certificate and generate the CRL:

$ ./easyrsa revoke revoked.learnaws.local

$ ./easyrsa gen-crl

After you meet these criteria, complete the following steps to troubleshoot.

Resolution

Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you're using the most recent AWS CLI version.

1. Use the AWS CLI to export the CRL. Then, save the CRL as a crl.pem file. Remove the STATUS at the end of the command output.

$ aws ec2 export-client-vpn-client-certificate-revocation-list --client-vpn-endpoint-id cvpn-endpoint-07ff8ba3d5d3b5188 --output text --region eu-central-1

2. Create a .pem file for the CA with the .crt and .key files:

$ openssl pkcs12 -export -in ca.crt -inkey ca.key -out ca.p12
$ openssl pkcs12 -in ca.p12 -nodes -out ca.pem

3. Create a .pem file for the user certificate that you want to revoke:

$ openssl pkcs12 -export -in revoked.learnaws.local.crt -inkey revoked.learnaws.local.key -out revoked.learnaws.local.p12
$ openssl pkcs12 -in revoked.learnaws.local.p12 -nodes -out revoked.learnaws.local.pem

4. Link the ca and crl .pem files with the cat command:

$ cat ca.pem crl.pem > crl_ca.pem

5. Verify the revocation.

The expected output is error 23 at 0 depth lookup:certificate revoked. If the output is OK, then Client VPN didn't revoke the user certificate.

Example output:

$ openssl verify -crl_check -CAfile crl_ca.pem revoked.learnaws.local.pem
revoked.learnaws.local.pem: CN = revoked.learnaws.local
error 23 at 0 depth lookup:certificate revoked

-or-

Check the output for the user certificate's serial number. If the serial number is in the CRL, then Client VPN revoked the certificate.

To find the user certificate serial number, run this command:

$ openssl x509 -in revoked.learnaws.local.crt -noout -serial

To check if the serial number is in the CRL, run this command:

client cert: CN=abc.corp.xyz.com, "CertificateArn": "arn:aws:acm:us-east-1:xxxx:certificate/xxxxx-f692-4026-b26f-cfb361cf1b66", "Serial": "b5:99:e8:b9:5d:39:85:5f:8e:a9:b9:2c:10:9f:8b:c3"

$ cd /home/ec2-user/easy-rsa/easyrsa3/pki$ openssl crl -in crl.pem -text -noout | grep B599E8B95D39855F8EA9B92C109F8BC3

Topics

Networking & Content Delivery

Relevant content

Using a subordinate certificate authority from ACM Private CA for mTLS client certificate authentication with MSK
AWS-User-0612428
asked 2 years ago
APIGateway with mTLS accepts different client certificates issued by the same CA
Accepted Answer
Stefano Villa
asked 5 months ago
Why is my HTTPS certificate showing as "Revoked" on some systems
Nathan F
asked a year ago
CA Certificate Revoked
Accepted Answer
Abdilah
asked 10 months ago
How can I configure multiple users to use the same Client VPN endpoint?
Accepted Answer
Ashutosh Pandey
asked 2 months ago
How can I configure multiple users to use the same Client VPN endpoint?
AWS OFFICIALUpdated 2 years ago
How can I revoke access to a Client VPN endpoint for a specific client?
AWS OFFICIALUpdated 8 months ago
How can I revoke my ACM private certificate?
AWS OFFICIALUpdated 2 years ago
How do I get notified when my CRL associated with Client VPN endpoint is about to expire?
AWS OFFICIALUpdated 5 months ago
Use AWS Client VPN to access workloads running on VMware Cloud on AWS
EXPERT
Sawab Ahmed
published 5 months ago