Access Server

Follow us

How to revoke a users certificate

In order to revoke or delete a users certificate you can follow either of these instructions:

Method 1:

You can revoke certificates using the "Revoke Certificates" page on the Admin UI:

OpenVPN Revoke Certificates

Method 2:

You can revoke certificates via the OpenVPN-AS backend:

To delete a users certificate:

This can be done now with the CLI. For example, if you want to revoke the cert for user foo:

Navigate to /usr/local/openvpn_as/scripts

./sa DeleteClient foo

If user foo has an autologin certificate, change the command as such:

./sa DeleteClient foo_AUTOLOGIN

What these commands actually do is to delete the cert for the named user from the AS certificates DB, so that it cannot be used to log into the AS. The next time the user logs into the CWS or tries to access their profile using the web services API, a new certificate will be automatically generated.

To revoke a certificate having a specific common name:

./sacli -a ADMIN --cn COMMON_NAME RevokeCert

To revoke all certificates for a given user:

./sacli -a ADMIN --user USER_NAME RevokeUser

To prevent a user from getting a new certificate from the CWS after

./confdba -u --mod --prof USER_NAME --key prop_deny --value true

When finished you can return to the admin UI Revoke Certificates page and verify that the users have been removed.