First of all, “un-revoking” is not an official term, and in PKI practice a certificate should never be un-revoked.
However, there are cases where things go wrong and you do not want to complicate matters by creating new certs. In those cases you may consider this method.
cd <whatever directory your openvpn configs are in, e.g. /etc/openvpn>/easy-rsa/keys
- Back up the files crl.pem and index.txt.
- There should be an index.txt with certificate IDs in it. The ones starting with “V” are valid, and the ones with “R” are revoked. Edit that file: change the first character to “V” and delete the third column (the revocation date). If you have more than one certificate, you should see the pattern (the sequential number comes in the third column now, etc).
- Delete crl.pem, then regenerate it:
cd ..
. ./vars
openssl ca -gencrl -out "crl.pem" -config "$KEY_CONFIG"
- You should find a new crl.pem generated in the current directory. Copy this file to the sub-folder keys. Done!
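The index.txt edit from the steps above can be scripted so that only one entry is touched and the file layout survives; this is an added example, not part of the original post. It assumes the standard OpenSSL CA database layout of six tab-separated fields (status, expiry, revocation date, serial, filename, subject), where a valid entry keeps an empty third field; the function names, serials and subjects are constructed for illustration.

```shell
#!/bin/sh
# Added example: flip one revoked entry in an OpenSSL CA index.txt back to
# valid. Names and sample data below are constructed, not from the post.

# Constructed sample: one valid and one revoked entry (dates: YYMMDDHHMMSSZ).
make_sample_index() {
    printf 'V\t330101000000Z\t\t01\tunknown\t/CN=server\n' > "$1"
    printf 'R\t330101000000Z\t240501120000Z\t02\tunknown\t/CN=client1\n' >> "$1"
}

# Usage: unrevoke_serial <index.txt> <serial as written in the file, e.g. 02>
# Returns 0 if an "R" entry with that serial was changed, 1 if none matched.
unrevoke_serial() {
    idx=$1
    serial=$2
    [ -f "$idx" ] || { echo "no such file: $idx" >&2; return 2; }
    cp -p "$idx" "$idx.bak" || return 2      # backup, as in the first step
    tmp=$(mktemp) || return 2
    # Tab is the field separator, so the emptied revocation date stays as an
    # empty field and the serial remains field 4 for OpenSSL's parser.
    awk -F'\t' -v OFS='\t' -v s="$serial" '
        $4 == s && $1 == "R" { $1 = "V"; $3 = ""; hit = 1 }
        { print }
        END { exit !hit }
    ' "$idx" > "$tmp"
    rc=$?
    # Overwrite in place (keeps owner and mode) only when something changed.
    if [ "$rc" -eq 0 ]; then cat "$tmp" > "$idx"; fi
    rm -f "$tmp"
    return "$rc"
}
```

The CRL still has to be regenerated with the openssl ca -gencrl command from the steps above and copied into keys, since servers read crl.pem rather than index.txt.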