Tutorial: Revoke or Delete a User Certificate or Profile
How to revoke user certificates and connection profiles for OpenVPN Access Server.
Overview
This tutorial provides instructions for revoking the user certificates for your VPN clients connecting to Access Server.
Revoking or deleting a user certificate or profile removes it from the Access Server certificates database, but the action alone does not block the user from obtaining a new one. After revocation, when the user connects with that profile, the user receives an “authentication failed” message stating that the certificate is revoked. The user must then delete the profile and import a new one; at this point, Access Server generates a new certificate and profile.
As of Access Server version 2.9, users can have multiple active profiles. You can manage user profiles on the User Profiles page in the Admin Web UI.
Prerequisites:
An installed Access Server.
VPN users.
Admin Web UI access or console access.
Follow the steps for your Access Server version.
Tip
We recommend running the latest version.
Access Server 2.9 and newer (User Profiles page):
Sign in to the Admin Web UI.
Click User Management > User Profiles.
Click the drop-down next to the user.
Click Delete for the profile and its associated certificate.
Click Delete again to confirm.
Note
An administrator can revoke one profile at a time or all associated user profiles simultaneously.
Access Server versions earlier than 2.9 (Revoke Certificates page):
Sign in to the Admin Web UI.
Click User Management > Revoke Certificates.
Check the box under Revoke for the appropriate client certificate.
Click Revoke.
You can revoke certificates or profiles from your Access Server CLI. These commands use the sa tool, the sacli tool, and the confdba tool.
Connect to your console and get root privileges.
Switch to the scripts directory:
cd /usr/local/openvpn_as/scripts/
Run the desired commands from one of the sections below with the appropriate CLI tool.
sa tool commands
Delete the oldest user-locked profile for a user:
./sa DeleteClient [username]
Delete the oldest autologin profile:
./sa DeleteClient [username]_AUTOLOGIN
Delete a profile by its serial number:
./sa DeleteClientSN [serial number]
The serial number for a profile displays in the Admin Web UI on the User Profiles page. You can also check it from the CLI with:
./sa listclientsdetail
or:
./sacli listclientsdetail
sacli tool commands
Revoke all certificates for the user:
./sacli --user [username] RevokeUser
Revoke the oldest user-locked certificate with a specific common name:
./sacli --cn [common name] RevokeUserProfile
Revoke the oldest autologin certificate with a specific common name:
./sacli --cn [common name]_AUTOLOGIN RevokeUserProfile
Revoke a certificate by its serial number:
./sacli --sn [serial number] RevokeUserProfile
The serial number for a profile displays in the Admin Web UI on the User Profiles page, or in the output of ./sa listclientsdetail or ./sacli listclientsdetail (see the sa tool commands above).
confdba command
Prevent a user from getting a new certificate from the Client UI or a VPN client after revocation:
./confdba -u --mod --prof [username] --key prop_deny --value true
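Because revocation by itself does not stop the user from enrolling a fresh profile, an administrator offboarding a user typically runs the sacli revocation and the confdba prop_deny change together and then checks what is left in the certificates database. The script below is an added example written for this tutorial; it is not a script shipped with Access Server. It assumes the scripts directory from the steps above, that it runs as root on the Access Server host, and that the RUN variable (a convention of this example only) can be set to echo for a dry run that prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example (not the project's own script): offboard one VPN user on Access Server.
# Revoking certificates alone does not block the user from importing a new profile,
# so this pairs RevokeUser with prop_deny=true, then lists any remaining entries.
# Assumed: the scripts directory below, and that this runs as root on the server.
AS_SCRIPTS="${AS_SCRIPTS:-/usr/local/openvpn_as/scripts}"
RUN="${RUN:-}"   # set RUN=echo to print the commands instead of running them

revoke_and_deny() {
  user="$1"
  if [ -z "$user" ]; then
    echo "usage: revoke_and_deny <username>" >&2
    return 2
  fi
  # 1. Revoke every certificate/profile issued to the user (command from the tutorial).
  $RUN "$AS_SCRIPTS/sacli" --user "$user" RevokeUser || return 1
  # 2. Deny the user a new certificate via the Client UI or a VPN client (command from the tutorial).
  $RUN "$AS_SCRIPTS/confdba" -u --mod --prof "$user" --key prop_deny --value true || return 1
  # 3. Show any entries still listed for the user so the admin can confirm the database is clean.
  #    (Prints nothing in a dry run, and nothing when no entries remain.)
  $RUN "$AS_SCRIPTS/sacli" listclientsdetail | grep -i -- "$user" || true
}

# Usage: ./offboard.sh alice            (RUN=echo ./offboard.sh alice for a dry run)
if [ "$#" -ge 1 ]; then
  revoke_and_deny "$1"
fi
```

Run it once per user being offboarded; a non-zero exit from either tool aborts the script before the next step, so a failed revocation is not silently followed by the deny flag.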
When a user receives the message “REVOKED: client certificate has been revoked” in OpenVPN Connect, their imported certificate/profile has been revoked in the Access Server certificates database. To resolve the error:
Click Edit for the profile.
Click Delete Profile.
Click Yes.
Click the Add icon.
Enter the URL for Access Server and click Next.
Enter the username and password and click Import.