OpenVPN / easy-rsa

easy-rsa - Simple shell based CA utility

Understanding how to renew/revoke #1186

Closed AxelJunker closed 1 month ago

AxelJunker commented 2 months ago

I'm using EasyRSA 3.2.0 to manage VPN certificates and I'm trying to understand how to renew and then revoke a client cert.

I'm able to revoke the renewed cert successfully, but it's still possible to connect using the old cert.

These are the commands I use:

./easyrsa build-client-full john-doe nopass

# Create john-doe-1.ovpn config

./easyrsa expire john-doe
./easyrsa sign-req client john-doe

# Create john-doe-2.ovpn config

# It's now possible to connect with both john-doe-1.ovpn and john-doe-2.ovpn

./easyrsa revoke john-doe
./easyrsa gen-crl

# Upload crl to VPN server

# It's now still possible to connect with john-doe-1.ovpn, but not john-doe-2.ovpn

I can see in index.txt that the old cert is still valid (V).

I tried to change the V to R and added a timestamp which worked, but it feels like I'm doing something wrong here.

How can I revoke both certs?
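Added example (not part of this thread or of Easy-RSA's own code): the behaviour described above is visible in the PKI's `index.txt`, the OpenSSL CA database that Easy-RSA maintains. Each line is tab-separated: status (`V` valid, `R` revoked, `E` expired), expiry, revocation date (empty unless revoked), serial, certificate filename, subject DN. The two small checks below read that file and report (a) CNs that have more than one valid certificate, which is the state right after a renewal, and (b) the serials that are still valid for one CN, which is how to confirm that a `revoke` actually left no usable certificate for that client. The index entries, serials and CNs are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: inspect an Easy-RSA/OpenSSL index.txt for leftover valid
# certificates after a renew-then-revoke. Sample entries are constructed.

# Print the serial of every entry still marked V whose DN has CN equal to $2.
# $1 is the path to index.txt.
valid_serials_for_cn() {
    awk -F'\t' -v cn="$2" '
        $1 == "V" && match($6, "CN=[^/]*") &&
        substr($6, RSTART + 3, RLENGTH - 3) == cn { print $4 }
    ' "$1"
}

# Print every CN that has more than one V entry, i.e. a renewal produced a
# second certificate while the older one was left valid.
cns_with_multiple_valid() {
    awk -F'\t' '
        $1 == "V" && match($6, "CN=[^/]*") {
            n[substr($6, RSTART + 3, RLENGTH - 3)]++
        }
        END { for (c in n) if (n[c] > 1) print c }
    ' "$1" | sort
}

# Constructed state right after "expire" + "sign-req": both john-doe certs valid.
AFTER_RENEW=$(mktemp)
printf 'V\t341001120000Z\t\t01\tunknown\t/CN=john-doe\n'  >  "$AFTER_RENEW"
printf 'V\t341001120000Z\t\t02\tunknown\t/CN=john-doe\n'  >> "$AFTER_RENEW"
printf 'V\t341001120000Z\t\t03\tunknown\t/CN=jane-roe\n'  >> "$AFTER_RENEW"

# Constructed state after "revoke john-doe": only the newer serial 02 is R,
# the older serial 01 is still V and will still be accepted by the server.
AFTER_REVOKE=$(mktemp)
printf 'V\t341001120000Z\t\t01\tunknown\t/CN=john-doe\n'               >  "$AFTER_REVOKE"
printf 'R\t341001120000Z\t241101090000Z\t02\tunknown\t/CN=john-doe\n'  >> "$AFTER_REVOKE"
printf 'V\t341001120000Z\t\t03\tunknown\t/CN=jane-roe\n'               >> "$AFTER_REVOKE"
trap 'rm -f "$AFTER_RENEW" "$AFTER_REVOKE"' EXIT

echo "CNs with more than one valid cert after renewal:"
cns_with_multiple_valid "$AFTER_RENEW"          # john-doe

echo "Serials still valid for john-doe after revoke:"
valid_serials_for_cn "$AFTER_REVOKE" john-doe   # 01
```

Running the second check against the real `pki/index.txt` after a `revoke` is a quick way to see whether an older certificate for the same name is still marked `V`; an empty result means every certificate for that CN is revoked or expired, so the freshly generated CRL covers them all.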

TinCanTech commented 2 months ago

How can I revoke both certs?

All Easy-RSA commands are documented in help.

Your accidental revocation has been addressed in 9f6ee4c

AxelJunker commented 2 months ago

I see, I should use revoke-expired. Thank you!