Debian – How to revoke OpenVPN client certificate in Debian

Tags: debian, openvpn

I used the easy-rsa/2.0 programs to build server and client certificates for OpenVPN. I copied the client ones to the clients along with ca.crt. All good.

I now need to revoke a client certificate from a stolen laptop. In /usr/share/doc/openvpn/examples/easy-rsa/2.0 there's a revoke script. I've run this successfully and it says "Data Base Updated". It's created some files in a subdir of the examples/doc folder.

I've copied the created crl.pem to /etc/openvpn/crl.pem and I've added crl-verify /etc/openvpn/crl.pem to server.conf.

Is there any way I can verify that I've done the right thing and that it will indeed block access?

Also, I'm not clear where this "Data Base" is stored or what it refers to? Is there any way to inspect this database?

Best Answer

In the easy-rsa directory there's a 'revoke-full' file. When you run this script with your user/key as a parameter, the index.txt file in the easy-rsa/keys directory will be updated.

You'll see an 'R' (for Revoked) in the first column from the left for your user.
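The check described in the answer can be scripted. The following is an added example, not part of the original answer or of easy-rsa: it reads the status column of index.txt for a given common name and, optionally, confirms that the same serial is listed in the CRL the server loads. The function names and the sample entries (laptop1, desktop1) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: read the OpenSSL CA database (easy-rsa's keys/index.txt).
# Fields are tab-separated: status (V=valid, R=revoked, E=expired), expiry,
# revocation date (empty unless revoked), serial (hex), file name, subject DN.

# cert_status INDEX_FILE COMMON_NAME
# Prints one line per matching entry: "<status> <serial> <revocation-date|->"
cert_status() {
    awk -F '\t' -v cn="$2" '
        {
            # Match the CN component of the subject DN (field 6) exactly.
            n = split($6, parts, "/")
            for (i = 1; i <= n; i++)
                if (parts[i] == "CN=" cn) {
                    rev = ($3 == "") ? "-" : $3
                    print $1, $4, rev
                }
        }' "$1"
}

# is_revoked INDEX_FILE COMMON_NAME
# Succeeds only if every entry for that CN is marked R; a re-issued
# certificate with the same CN that is still V makes this check fail.
is_revoked() {
    out=$(cert_status "$1" "$2")
    [ -n "$out" ] || return 2          # CN not found in the database
    ! printf '%s\n' "$out" | grep -qv '^R '
}

# crl_lists_serial CRL_FILE SERIAL
# Cross-check: the serial must also appear in the CRL that crl-verify points at.
crl_lists_serial() {
    openssl crl -in "$1" -noout -text | grep -q "Serial Number: $2\$"
}

# Constructed sample database (names, dates and serials are made up).
make_sample_index() {
    printf 'V\t330101000000Z\t\t01\tunknown\t/C=US/O=Example/CN=server\n'
    printf 'R\t330101000000Z\t240301120000Z\t02\tunknown\t/C=US/O=Example/CN=laptop1\n'
    printf 'V\t330101000000Z\t\t03\tunknown\t/C=US/O=Example/CN=desktop1\n'
}
```

Against a real setup, pass the index.txt from the easy-rsa/keys directory to `is_revoked`, then pass /etc/openvpn/crl.pem and the serial printed by `cert_status` to `crl_lists_serial`.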