I have configured my OpenVPN and it is working properly so far. Lately I had to revoke one certificate, and after using easy-rsa revoke-full, I saw in index.txt that that specific user has been revoked. I also noticed that crl.pem has a new timestamp, so it was indeed updated. The problem started after 1 month, when all users were blocked, as I had added a line in server.conf to verify-crl and the path to crl.pem:
#CRL-VERIFY - for revoking users
crl-verify /etc/openvpn/easy-rsa/keys/crl.pem
So my question is: if I used the easy-rsa 2.x script revoke-full and I can see that the index has marked this specific certificate as revoked, if I also found that the time stamp of /keys/crl.pem is the current time stamp, and I restarted the openvpn service (for good measure), how come it is still getting blocked?
Sure, I can remove verify-crl, but that is not the point.
Certificate Revocation List (CRL):
        Version 1 (0x0)
    Signature Algorithm: XXXXXXXXXXXXXXXX
        Issuer: /C=DE/ST=xxxxxx/L=xxxxxx/O=xxxxxxxxxx/OU=xxxxxxxxxx/CN=xxxxxxxxxx/emailAddress=lol@xxxxxxxxxx
        Last Update: May 1 07:10:34 2019 GMT
        Next Update: May 31 07:10:34 2019 GMT
Revoked Certificates:
    Serial Number: 0B
        Revocation Date: Mar 29 19:37:51 2019 GMT
I can see that the next update is scheduled for 31 May, so I would like to know the step-by-step procedure for revoking a certificate; perhaps I missed something.
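
An added example, not part of the original post: a small parser for `openssl crl -noout -text` output like the dump above, reporting the CRL's lifetime and whether a given time is past its Next Update. OpenVPN 2.4 and later hand `crl-verify` to the TLS library, which treats a CRL past its Next Update as expired, so this is the field to check when every client starts being rejected. The function names and the `SAMPLE` text are constructed for illustration.

```python
from datetime import datetime, timezone

# Constructed sample: the dates and serial are the ones in the dump above.
SAMPLE = """\
Certificate Revocation List (CRL):
        Version 1 (0x0)
        Last Update: May  1 07:10:34 2019 GMT
        Next Update: May 31 07:10:34 2019 GMT
Revoked Certificates:
    Serial Number: 0B
        Revocation Date: Mar 29 19:37:51 2019 GMT
"""

def _ts(value):
    # openssl pads single-digit days with an extra space; collapse whitespace first
    clean = " ".join(value.split())
    return datetime.strptime(clean, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)

def parse_crl_text(text):
    """Pull the update window and revoked serials out of an openssl CRL text dump."""
    crl = {"last_update": None, "next_update": None, "revoked": []}
    serial = None
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        value = value.strip()
        if not sep or not value:
            continue
        if key == "Last Update":
            crl["last_update"] = _ts(value)
        elif key == "Next Update" and value != "NONE":
            crl["next_update"] = _ts(value)
        elif key == "Serial Number":
            serial = value
        elif key == "Revocation Date" and serial is not None:
            crl["revoked"].append((serial, _ts(value)))
            serial = None
    if crl["last_update"] is None:
        raise ValueError("no 'Last Update' field: not a CRL text dump")
    return crl

def crl_status(crl, now):
    """Report the CRL lifetime and whether `now` is past Next Update."""
    nxt = crl["next_update"]
    if nxt is None:  # nextUpdate is optional in X.509: nothing to expire against
        return {"lifetime_days": None, "expired": False, "days_left": None}
    return {"lifetime_days": (nxt - crl["last_update"]).days,
            "expired": now > nxt,
            "days_left": (nxt - now).days}

if __name__ == "__main__":
    crl = parse_crl_text(SAMPLE)
    print(crl_status(crl, datetime.now(timezone.utc)))
```

With the dump above the lifetime comes out as 30 days, so a CRL generated once and never regenerated stops being current one month after it was written.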