Revoking or deleting a user certificate or profile

Introduction

This document provides instructions for revoking the user certificates of VPN clients that connect to OpenVPN Access Server.

Revoking or deleting a user certificate or profile removes it from the Access Server certificates database, but it does not block the user account itself. After revocation, when the user connects with that profile, the user receives an “authentication failed” message stating that the certificate is revoked. The user must then delete the profile and import a new one, at which point Access Server generates a new certificate and profile (unless the user has been denied with the confdba command described later in this document).

As of Access Server version 2.9, users can have more than one active profile. You can manage user profiles on the User Profiles page in the Admin Web UI.

Revoke or delete user certificates and profiles in the Admin Web UI

For Access Server version 2.9 and newer

  1. Sign in to your Admin Web UI.
  2. Click User Management > User Profiles.
  3. Click the drop-down next to the user.
  4. Check Delete for the profile and its associated certificate.
  5. Click Delete.

An administrator can revoke one profile at a time or all associated user profiles at once.

For Access Server version 2.8 and older

  1. Sign in to your Admin Web UI.
  2. Click User Management > Revoke Certificates.
  3. Check the box under Revoke for the client certificate you want to revoke.
  4. Click Revoke.

Refer to the Admin Web UI user manual for more information: User Management: User Profiles.

Revoke or delete user certificates and profiles from the command line

You can revoke certificates or profiles from the Access Server command line using the sa, sacli, and confdba tools. Run each command with root privileges from this directory: /usr/local/openvpn_as/scripts.

sa tool commands

Delete the oldest user-locked profile for a user:

./sa DeleteClient [username]

Delete the oldest autologin profile:

./sa DeleteClient [username]_AUTOLOGIN

Delete a profile by its serial number:

./sa DeleteClientSN [serial number]

Note: The serial number for a profile displays in the Admin Web UI on the User Profiles page. You can also check it from the CLI with ./sa listclientsdetail or ./sacli listclientsdetail.

sacli tool commands

Revoke all certificates for the user:

./sacli --user [username] RevokeUser

Revoke the oldest user-locked certificate with a specific common name:

./sacli --cn [common name] RevokeUserProfile

Revoke the oldest autologin certificate with a specific common name:

./sacli --cn [common name]_AUTOLOGIN RevokeUserProfile

Revoke a certificate by its serial number:

./sacli --sn [serial number] RevokeUserProfile

Note: The serial number for each profile displays in the Admin Web UI on the User Profiles page. You can also check it from the CLI with ./sa listclientsdetail or ./sacli listclientsdetail.

confdba command

Prevent a user from getting a new certificate from the Client UI or a VPN client after revocation:

./confdba -u --mod --prof [username] --key prop_deny --value true
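As an added example (not part of the OpenVPN documentation or of the Access Server tooling), the following POSIX shell script combines the sacli revocation command and the confdba prop_deny command above into one offboarding step, with a dry-run mode that prints the commands instead of running them. The script directory, the username character check, and the serial-number check are assumptions.

```shell
#!/bin/sh
# Added example, not OpenVPN's own code. Revokes every certificate issued to a
# user and sets prop_deny so the user cannot simply re-import a fresh profile.
# Assumes the stock script directory and the sacli/confdba commands shown in
# this document; run as root on the Access Server host. DRY_RUN=1 prints the
# commands instead of executing them.

AS_SCRIPTS="${AS_SCRIPTS:-/usr/local/openvpn_as/scripts}"

# run_or_print CMD... : executes the command, or prints it when DRY_RUN=1.
run_or_print() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# offboard_user USERNAME [deny|revoke-only]
#   Revokes all certificates for USERNAME (sacli RevokeUser). With "deny"
#   (the default) it also sets prop_deny=true so the user cannot obtain a new
#   certificate from the Client UI or a VPN client after the revocation.
offboard_user() {
    user="$1"; mode="${2:-deny}"
    # Conservative allow-list (assumption): reject empty names and shell
    # metacharacters before handing the value to the admin tools.
    case "$user" in
        ""|*[!A-Za-z0-9._@-]*) echo "invalid username: '$user'" >&2; return 1 ;;
    esac
    run_or_print "$AS_SCRIPTS/sacli" --user "$user" RevokeUser || return 1
    if [ "$mode" = "deny" ]; then
        run_or_print "$AS_SCRIPTS/confdba" -u --mod --prof "$user" \
            --key prop_deny --value true || return 1
    fi
}

# revoke_serial SERIAL : revokes one profile by the serial number shown on the
# User Profiles page or by listclientsdetail (format check is an assumption).
revoke_serial() {
    sn="$1"
    case "$sn" in
        ""|*[!0-9A-Fa-f:]*) echo "invalid serial number: '$sn'" >&2; return 1 ;;
    esac
    run_or_print "$AS_SCRIPTS/sacli" --sn "$sn" RevokeUserProfile
}
```

Use offboard_user for a departing user and revoke_serial when only one of several profiles (for example a lost device) must be invalidated while the account keeps working.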

Authentication Failed — REVOKED: client certificate has been revoked

When a user receives the message “REVOKED: client certificate has been revoked” in OpenVPN Connect, their imported certificate/profile has been revoked in the Access Server certificates database. To resolve the error:

  1. Click Edit for the profile.
  2. Click Delete Profile.
  3. Click Yes.
  4. Click the Add icon.
  5. Enter the URL for Access Server and click Next.
  6. Enter the username and password and click Import.