Un-revoke certificate in OpenVPN

First of all, “un-revoking” is not an official term. And in PKI practice, a certificate should never be un-revoked.

However, there are cases where things go wrong and you do not want to complicate matters by creating new certs. In that situation, you may consider this method.

  1. cd <whatever directory your openvpn configs are in, e.g. /etc/openvpn>/easy-rsa/keys
  2. Backup the files crl.pem and index.txt.
  3. There should be an index.txt with certificate IDs in it. The entries starting with “V” are valid, and the ones starting with “R” are revoked. Edit that file: change the first character to “V” and delete the third column (the revocation date). If you have more than one certificate, you should see the pattern (the sequential number now comes in the third column, etc.).
  4. Delete crl.pem
  5. cd ..
  6. . ./vars
  7. openssl ca -gencrl -out "crl.pem" -config "$KEY_CONFIG"
  8. You should find a new crl.pem generated in the current directory. Copy this file to the sub-folder keys.  Done!
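
Step 3 can be scripted instead of edited by hand. The following is an added example, not part of the original post: the function names `unrevoke_serial` and `sample_index` are hypothetical, and the sample entries are constructed. It relies on OpenSSL's index.txt being tab-separated with six fields, so the revocation date is emptied while its tab separators stay in place.

```shell
# Added example: flip one revoked entry in index.txt back to valid (step 3).
# index.txt fields, tab-separated:
#   status, expiry, revocation date, serial, filename, subject DN
# A valid entry still has six fields; its revocation date is simply empty.

# Constructed sample data: one valid and one revoked entry.
sample_index() {
    printf 'V\t330101000000Z\t\t01\tunknown\t/CN=server\n'
    printf 'R\t330101000000Z\t240301120000Z\t02\tunknown\t/CN=client1\n'
}

# unrevoke_serial INDEX SERIAL
# Rewrites INDEX in place and keeps the previous copy as INDEX.bak.
# Returns 1 (and changes nothing) if SERIAL is not a revoked entry.
unrevoke_serial() {
    index=$1
    serial=$2
    tmp=$(mktemp) || return 2
    rc=0
    awk -F '\t' -v OFS='\t' -v s="$serial" '
        $1 == "R" && toupper($4) == toupper(s) { $1 = "V"; $3 = ""; hit = 1 }
        { print }
        END { exit hit ? 0 : 1 }
    ' "$index" > "$tmp" || rc=$?
    if [ "$rc" -eq 0 ]; then
        # Back up first (step 2), then overwrite while keeping file ownership.
        cp -p "$index" "$index.bak" && cat "$tmp" > "$index" || rc=2
    fi
    rm -f "$tmp"
    return "$rc"
}

# Usage, from the keys directory:
#   unrevoke_serial index.txt 02
```

The CRL still has to be regenerated afterwards as in steps 4 to 8, since crl.pem is built from index.txt.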