I implemented a solution similar to davidgo's. Unfortunately I ran into an openssl error similar to this bug, and it took me a long time to find a workaround for it.
I finally wrote two scripts to revoke and unrevoke client certificates:
revoke.sh:

```bash
#!/bin/bash
# Usage: revoke.sh <client-CN>
# Revokes the client certificate with easy-rsa, then disconnects the client
# through the OpenVPN management interface (telnet localhost 7505).
if [[ -z "$1" ]]; then
    echo "Usage: $0 <client-CN>"
    exit 1
fi
keys_index_file=/usr/share/easy-rsa/keys/index.txt
fileline="$(grep "/CN=$1/" "$keys_index_file")"
# index.txt is tab separated; after word splitting a valid (V) entry has
# 5 words and a revoked (R) entry has 6 (the extra one is the revocation date).
columns_number="$(echo $fileline | awk -F' ' '{print NF;}')"
if [[ $columns_number -eq 5 ]] && [[ $fileline == V* ]]; then
    source /usr/share/easy-rsa/vars
    /usr/share/easy-rsa/revoke-full "$1"
    # Kick the client off the VPN via the management interface.
    {
        sleep 3
        echo "kill $1"
        sleep 3
        echo exit
    } | telnet localhost 7505
    echo "Client certificate revoked successfully."
    exit 0
elif [[ $columns_number -eq 6 ]] && [[ $fileline == R* ]]; then
    echo "Client certificate is already revoked."
    exit 0
else
    echo "Error; key index file may be corrupted."
    exit 1
fi
```
unrevoke.sh:

```bash
#!/bin/bash
# Usage: unrevoke.sh <client-CN>
# Turns the R (revoked) entry for the CN back into a V (valid) entry in
# easy-rsa's index.txt and regenerates the CRL so OpenVPN accepts it again.
if [[ -z "$1" ]]; then
    echo "Usage: $0 <client-CN>"
    exit 1
fi
keys_index_file=/usr/share/easy-rsa/keys/index.txt
linenumber="$(grep -n "/CN=$1/" "$keys_index_file" | cut -f1 -d:)"
line="$(grep "/CN=$1/" "$keys_index_file")"
# A revoked (R) entry has 6 whitespace-separated words: status, expiry date,
# revocation date, serial, filename, subject. A valid (V) entry has 5.
columns_number="$(echo $line | awk -F' ' '{print NF;}')"
if [[ $columns_number -eq 6 ]] && [[ $line == R* ]]; then
    column2="$(echo $line | awk '{print $2}')"   # expiry date
    column4="$(echo $line | awk '{print $4}')"   # serial
    column5="$(echo $line | awk '{print $5}')"   # filename ("unknown")
    column6="$(echo $line | awk '{print $6}')"   # subject DN
    # Append the entry as valid (empty revocation-date column),
    # then delete the old revoked line.
    echo -e "V\t$column2\t\t$column4\t$column5\t$column6" >> "$keys_index_file"
    sed -i "${linenumber}d" "$keys_index_file"
    cd /usr/share/easy-rsa || exit 1
    source ./vars
    openssl ca -gencrl -out "keys/crl.pem" -config "$KEY_CONFIG"
    echo "Certificate unrevoked successfully."
    exit 0
elif [[ $columns_number -eq 5 ]] && [[ $line == V* ]]; then
    echo "Certificate is already unrevoked and active."
    exit 0
else
    echo "Error; key index file may be corrupted."
    exit 1
fi
```
Note that the revoke.sh script also opens a telnet connection to OpenVPN and kicks out the client being revoked.
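The scripts above decide between "valid" and "revoked" by counting whitespace-separated words, which breaks as soon as a subject DN contains a space (for example O=Example Org) or a CN appears twice because the certificate was revoked and re-issued. The following is an added example, not part of the original answer, that reads index.txt by its real tab-separated layout; the sample index file, CNs and serials are constructed for the demonstration.

```bash
#!/bin/bash
# Added example (not from the original answer): read easy-rsa's index.txt by
# its real tab-separated layout instead of counting whitespace-split words.
# index.txt columns: status (V/R/E), expiry, revocation date (empty when
# valid), serial, certificate filename (usually "unknown"), subject DN.

# Write a constructed sample index.txt (not a real CA's file) to "$1".
make_sample_index() {
    printf '%s\t%s\t%s\t%s\t%s\t%s\n' \
        V 300101000000Z ''            01 unknown '/C=US/O=Example Org/CN=server/emailAddress=admin@example.org' \
        R 300101000000Z 240102120000Z 02 unknown '/C=US/O=Example Org/CN=alice/emailAddress=alice@example.org' \
        V 300101000000Z ''            03 unknown '/C=US/O=Example Org/CN=alice/emailAddress=alice@example.org' \
        V 300101000000Z ''            04 unknown '/C=US/O=Example Org/CN=bob' \
        R 300101000000Z 240301090000Z 05 unknown '/C=US/O=Example Org/CN=dave' \
        > "$1"
}

# Print the state of the certificate with CN "$2" in index file "$1":
# "V <serial>", "R <serial> <revocation date>", "MISSING", or "AMBIGUOUS"
# (several entries, e.g. revoked and re-issued: act on the serial instead).
index_status() {
    awk -F'\t' -v cn="$2" '
        BEGIN { key = "/CN=" cn }
        index($6, key "/") > 0 || substr($6, length($6) - length(key) + 1) == key {
            n++; status = $1; serial = $4; revdate = $3
        }
        END {
            if (n == 0)             print "MISSING"
            else if (n > 1)         print "AMBIGUOUS"
            else if (status == "V") print "V " serial
            else if (status == "R") print "R " serial " " revdate
            else                    print "UNKNOWN " status " " serial
        }' "$1"
}

# Serials of all revoked entries, to cross-check against
#   openssl crl -in keys/crl.pem -noout -text
# after revoke.sh / unrevoke.sh has regenerated the CRL.
revoked_serials() {
    awk -F'\t' '$1 == "R" { print $4 }' "$1"
}

sample="$(mktemp)"
make_sample_index "$sample"
for cn in server alice bob carol dave; do
    printf '%-7s %s\n' "$cn" "$(index_status "$sample" "$cn")"
done
rm -f "$sample"
```

Every serial printed by revoked_serials should appear in the regenerated crl.pem; one that does not means OpenVPN will still accept that client.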