Un-revoke certificate in OpenVPN

First of all, “un-revoking” is not an official term. And in PKI practice, a certificate should never be un-revoked.

However, there are cases where things go wrong and you do not want to complicate matters by creating new certs. In those cases, you may consider this method.

  1. cd <whatever directory your openvpn configs are in, e.g. /etc/openvpn>/easy-rsa/keys
  2. Backup the files crl.pem and index.txt.
  3. There should be an index.txt, with certificate IDs in it. The ones starting with “V” are valid, and the ones starting with “R” are revoked. You can edit that file, change the first character to “V”, and delete the third column (the revocation date). If you have more than one certificate, you should see the pattern (sequential number comes in the third column now, etc).
  4. Delete crl.pem
  5. cd ..
  6. . ./vars
  7. openssl ca -gencrl -out "crl.pem" -config "$KEY_CONFIG"
  8. You should find a new crl.pem generated in the current directory. Copy this file to the sub-folder keys.  Done!
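
Steps 2 and 3 can be scripted so the edit is repeatable and the backup is never skipped. The following is an added example, not part of the original post; the function names unrevoke_serial and write_sample_index and the sample entries are constructed for illustration. It relies on index.txt being tab-separated with six fields, so the revocation date is emptied while its tab delimiter stays, which is how existing “V” lines look.

```shell
#!/bin/sh
# Added example (not from the original post): step 3 as a function.
# OpenSSL's CA index.txt is tab-separated with six fields:
#   status  expiry  revocation-date  serial  filename  subject
# A valid ("V") entry keeps the revocation-date field, but empty.

# unrevoke_serial INDEX_FILE SERIAL_HEX   (hypothetical helper name)
# Returns 0 if the entry was flipped, 2 if no revoked entry has that serial.
unrevoke_serial() {
    index_file=$1
    serial=$2
    tmp="$index_file.tmp.$$"

    # Step 2 of the procedure: keep a backup before touching the database.
    cp -p "$index_file" "$index_file.bak" || return 1

    rc=0
    awk -F '\t' -v OFS='\t' -v want="$serial" '
        $1 == "R" && toupper($4) == toupper(want) {
            $1 = "V"   # mark as valid again
            $3 = ""    # clear the revocation date, keep its tab
            hit = 1
        }
        { print }
        END { exit (hit ? 0 : 2) }
    ' "$index_file" > "$tmp" || rc=$?

    if [ "$rc" -ne 0 ]; then
        rm -f "$tmp"          # leave index.txt untouched on failure
        return "$rc"
    fi
    mv "$tmp" "$index_file"
}

# Constructed sample database: serial 02 is revoked.
write_sample_index() {
    printf 'V\t330101000000Z\t\t01\tunknown\t/CN=server\n'  > "$1"
    printf 'R\t330101000000Z\t240301101500Z\t02\tunknown\t/CN=client1\n' >> "$1"
    printf 'V\t330101000000Z\t\t03\tunknown\t/CN=client2\n' >> "$1"
}

# Usage: sh unrevoke.sh keys/index.txt 02   then continue with steps 4 to 8.
if [ "$#" -eq 2 ]; then
    unrevoke_serial "$1" "$2"
fi
```

Once steps 4 to 8 have regenerated the CRL, `openssl crl -in keys/crl.pem -noout -text` shows which serials it still lists, which confirms that only the intended certificate was restored.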
