Dieser Inhalt ist in der ausgewählten Sprache nicht verfügbar

Wir arbeiten ständig daran, Inhalte in der ausgewählten Sprache bereitzustellen. Vielen Dank für deine Geduld.

Why aren't the users specified in my CRL revoked by Client VPN?

Lesedauer: 2 Minute

I revoked a certificate, generated a certificate revocation list (CRL), and then imported the CRL to AWS Client VPN. I completed these steps to revoke access for specific users. However, the specified users aren't being revoked by Client VPN. How can I fix this?

Short description

Confirm that you've used the following commands to revoke your certificate and generate the CRL:

$ ./easyrsa revoke revoked.learnaws.local

$ ./easyrsa gen-crl

Then, complete the following steps to continue troubleshooting.

Resolution

Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you’re using the most recent AWS CLI version.

1. Using the AWS CLI, export the CRL and then save it as a "crl.pem" file. Be sure to remove the STATUS at the end of the command output.

$ aws ec2 export-client-vpn-client-certificate-revocation-list --client-vpn-endpoint-id cvpn-endpoint-07ff8ba3d5d3b5188 --output text --region eu-central-1

2. Create a PEM file for the certificate authority (CA) using the .crt and .key files:

$ openssl pkcs12 -export -in ca.crt -inkey ca.key -out ca.p12
$ openssl pkcs12 -in ca.p12 -nodes -out ca.pem

3. Create a PEM file for the certificate that must be revoked using the .crt and .key files:

$ openssl pkcs12 -export -in revoked.learnaws.local.crt -inkey revoked.learnaws.local.key -out revoked.learnaws.local.p12
$ openssl pkcs12 -in revoked.learnaws.local.p12 -nodes -out revoked.learnaws.local.pem

4. Concatenate the "ca" and "crl" PEM files using the cat command:

$ cat ca.pem crl.pem > crl_ca.pem

5. Verify the revocation.

If the output is "OK", then it's not revoked as intended. The expected output is "error 23 at 0 depth lookup:certificate revoked".

$ openssl verify -crl_check -CAfile crl_ca.pem revoked.learnaws.local.pem

revoked.learnaws.local.pem: CN = revoked.learnaws.local
error 23 at 0 depth lookup:certificate revoked

-or-

Find the serial number of the certificate, and then look for the number in the output. If the serial number is present, then the certificate is revoked.

Example:

client cert: CN=abc.corp.xyz.com, "CertificateArn": "arn:aws:acm:us-east-1:xxxx:certificate/xxxxx-f692-4026-b26f-cfb361cf1b66", "Serial": "b5:99:e8:b9:5d:39:85:5f:8e:a9:b9:2c:10:9f:8b:c3"

$ cd /home/ec2-user/easy-rsa/easyrsa3/pki
$ openssl crl -in crl.pem -text -noout | grep B599E8B95D39855F8EA9B92C109F8BC3

Themen

Vernetzung & Bereitstellung von Inhalten

Relevanter Inhalt

Wie lösche oder beende ich einen VPN-Client-Endpunkt oder Verbindung auf AWS Client VPN?
AWS OFFICIALAktualisiert vor 6 Monaten
Wie kann ich mein öffentliches ACM-Zertifikat widerrufen?
AWS OFFICIALAktualisiert vor 9 Monaten
Wie kann ich eine Zertifikatssperrliste (CRL) für meinen ACM PCA erstellen?
AWS OFFICIALAktualisiert vor 9 Monaten
Wie behebe ich den Fehler: „The following parameters are not defined for the specified group: xxx, xxx“ (Die folgenden Parameter sind nicht für die angegebene Gruppe definiert: xxx, xxx), wenn ich die Engine-Version meines RDS-Clusters mithilfe von CloudFormation aktualisiere?
AWS OFFICIALAktualisiert vor einem Jahr