I'm using EasyRSA 3.2.0 to manage VPN certificates and I'm trying to understand how to renew and then revoke a client cert.
I'm able to revoke the renewed cert successfully, but it's still possible to connect using the old cert.
These are the commands I use:
./easyrsa build-client-full john-doe nopass
# Create john-doe-1.ovpn config
./easyrsa expire john-doe
./easyrsa sign-req client john-doe
# Create john-doe-2.ovpn config
# It's now possible to connect with both john-doe-1.ovpn and john-doe-2.ovpn
./easyrsa revoke john-doe
./easyrsa gen-crl
# Upload crl to VPN server
# It's now still possible to connect with john-doe-1.ovpn, but not john-doe-2.ovpn
I can see in index.txt that the old cert is still valid (V).
I tried to change the V to R and added a timestamp which worked, but it feels like I'm doing something wrong here.
How can I revoke both certs?
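Added example, not part of the original post: a check that lists every `index.txt` entry for one CN that is still marked `V`, the state the post describes for the old cert, since only entries marked `R` end up in the generated CRL. It assumes the standard tab-separated OpenSSL CA database layout (status, expiry, revocation date, serial, filename, subject); the function names, serials and dates are constructed for illustration.

```shell
#!/bin/sh
# Assumed index.txt layout (tab-separated OpenSSL CA database):
#   status  expiry  revocation-date  serial  filename  subject
# status is V (valid), R (revoked) or E (expired); the revocation
# field is empty for V entries.

# write_sample_index PATH
# Writes a constructed sample database: one unrelated cert, the old
# john-doe cert still marked V, the renewed john-doe cert marked R,
# and a similarly named CN to show that matching is exact.
write_sample_index() {
    {
        printf 'V\t270101000000Z\t\t00AA11BB\tunknown\t/CN=server\n'
        printf 'V\t270315120000Z\t\t0123ABCD\tunknown\t/CN=john-doe\n'
        printf 'R\t270601120000Z\t250601130000Z\t4567EF01\tunknown\t/CN=john-doe\n'
        printf 'V\t270701120000Z\t\t89AB0123\tunknown\t/CN=john-doe-admin\n'
    } > "$1"
}

# list_valid_for_cn INDEX CN
# Prints "serial<TAB>expiry" for every entry whose status is V and
# whose subject has an RDN exactly equal to CN=<CN>.
list_valid_for_cn() {
    awk -F'\t' -v cn="$2" '
        {
            # Subject looks like /C=XX/O=Example/CN=name; split on "/"
            # and compare each RDN so john-doe does not match john-doe-admin.
            hit = 0
            n = split($6, rdn, "/")
            for (i = 1; i <= n; i++)
                if (rdn[i] == "CN=" cn) hit = 1
        }
        hit && $1 == "V" { print $4 "\t" $2 }
    ' "$1"
}

# Demo on the constructed sample: any line printed is a certificate
# for that CN that the CRL will not cover.
sample=$(mktemp)
write_sample_index "$sample"
list_valid_for_cn "$sample" john-doe
rm -f "$sample"
```

Run against the real `pki/index.txt` after `revoke` and before `gen-crl`; an empty result means no certificate for that CN is left unrevoked.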