
Tutorial: Revoke or Delete a User Certificate or Profile

Abstract

How to revoke user certificates and connection profiles for OpenVPN Access Server.

Overview

This tutorial provides instructions for revoking the user certificates for your VPN clients connecting to Access Server.

Revoking or deleting a user certificate or profile removes it from the Access Server certificates database, but the action does not block the user account itself. After revocation, when the user attempts to connect with that profile, they receive an “authentication failed” message stating that the certificate has been revoked. The user must then delete the old profile and import a new one; at that point, Access Server generates a new certificate and profile.

Prerequisites

  • An installed Access Server.

  • VPN users.

  • Admin Web UI access or console access.

Revoke or delete a profile from the Admin Web UI

  1. Sign in to the Admin Web UI.

  2. Click Certificate Management.

    • The Web Server Certificate tab displays.

  3. Click the VPN Client Certificates tab.

  4. Click the delete icon for the profile you need to delete or revoke.

    Tip

    You can use the Filter or search icon to help you find the needed profile.

    • A confirmation message displays.

  5. Click Delete.

    • The profile is deleted.

Note

An administrator can revoke one profile at a time or all associated user profiles simultaneously.

You can also find a user's profiles from their single-user page on the Connection Profiles tab.

You can also revoke certificates or profiles from the Access Server command line using sacli.

  1. Connect to your console and get root privileges.

  2. Run the desired commands to manage profiles:

    • Revoke all certificates for the user:

      sacli --user [username] RevokeUser
    • Revoke the oldest user-locked certificate with a specific common name:

      sacli --cn [common name] RevokeUserProfile
    • Revoke the oldest autologin certificate with a specific common name:

      sacli --cn [common name]_AUTOLOGIN RevokeUserProfile
    • Revoke a certificate by its serial number:

      sacli --sn [serial number] RevokeUserProfile

      Note

      The serial number for a profile is displayed in the Admin Web UI under Certificate Management > VPN Client Certificates. You can also check it from the CLI with ./sacli listclientsdetail.
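The sacli commands above run as root and take an identifier straight from the administrator. The following wrapper is an added example (not OpenVPN's own tooling) that builds the four documented revocation commands, rejects malformed identifiers before they reach sacli, logs each revocation, and supports a dry run for batch offboarding; it assumes sacli lives at the default install path /usr/local/openvpn_as/scripts/sacli.

```shell
#!/bin/sh
# Added example, not OpenVPN's own tooling: a wrapper around the sacli
# revocation commands. It validates the identifier before anything runs as
# root, supports a dry run, and logs each revocation for the audit trail.
SACLI="${SACLI:-/usr/local/openvpn_as/scripts/sacli}"  # assumed default path
DRY_RUN="${DRY_RUN:-1}"   # set DRY_RUN=0 to actually invoke sacli

# valid_id ID: accept only characters a username, common name or serial number
# is made of, so a stray space or shell metacharacter never reaches sacli.
valid_id() {
  case "$1" in
    ''|*[!A-Za-z0-9._@-]*) return 1 ;;
  esac
}

# revoke_cmd MODE ID: print the sacli command line for one of the four
# documented cases (user, cn, autologin, sn); returns 1 on a bad mode or id.
revoke_cmd() {
  valid_id "$2" || return 1
  case "$1" in
    user)      printf '%s --user %s RevokeUser\n' "$SACLI" "$2" ;;
    cn)        printf '%s --cn %s RevokeUserProfile\n' "$SACLI" "$2" ;;
    autologin) printf '%s --cn %s_AUTOLOGIN RevokeUserProfile\n' "$SACLI" "$2" ;;
    sn)        printf '%s --sn %s RevokeUserProfile\n' "$SACLI" "$2" ;;
    *)         return 1 ;;
  esac
}

# revoke_users FILE: revoke every certificate of each username listed in FILE
# (one per line, '#' comments allowed). Logs one line per user and returns the
# number of rejected lines, so an offboarding run cannot silently skip a typo.
revoke_users() {
  bad=0
  while IFS= read -r user || [ -n "$user" ]; do
    case "$user" in ''|'#'*) continue ;; esac
    if cmd=$(revoke_cmd user "$user"); then
      echo "$(date -u +%FT%TZ) revoke-all-certs user=$user"
      [ "$DRY_RUN" = 0 ] && $cmd
    else
      echo "skipped malformed entry: '$user'" >&2
      bad=$((bad + 1))
    fi
  done < "$1"
  return "$bad"
}

# Constructed sample input: two offboarded accounts and one malformed line.
printf 'alice\nbob.smith\nmal;ls\n' > /tmp/offboard.txt
revoke_users /tmp/offboard.txt || echo "$? entries rejected" >&2   # dry run
```

With DRY_RUN left at its default the script only logs what it would revoke; set DRY_RUN=0 on the Access Server host to execute the commands.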