How can I revoke access to a Client VPN endpoint for a specific client?


I created an AWS Client VPN endpoint with certificate-based authentication for multiple clients. I want to revoke access to the Client VPN endpoint for a specific client.

Short Description

Use certificate revocation lists to block specific client certificates. When you block clients, their access to a Client VPN endpoint is revoked.

To revoke a client certificate, complete the following steps.

Resolution

Generate a client certificate revocation list with OpenVPN easy-rsa

  1. Clone the OpenVPN easy-rsa repository to your local computer:

    $ git clone https://github.com/OpenVPN/easy-rsa.git
  2. Open the easy-rsa/easyrsa3 folder in your local repository:

    $ cd easy-rsa/easyrsa3
  3. Revoke the client certificate, and then generate the client revocation list:

    $ ./easyrsa revoke client_certificate_name

    When prompted to confirm the revocation, enter yes. Then generate the revocation list:

    $ ./easyrsa gen-crl
    Using SSL: openssl OpenSSL 1.0.2g  1 Mar 2016
    Using configuration from /home/easy-rsa/easyrsa3/pki/easy-rsa-31222.LsDpvT/tmp.t5FIi8
    An updated CRL has been created.
    CRL file: /home/easy-rsa/easyrsa3/pki/crl.pem

    The certificate revocation list file is created at easy-rsa/easyrsa3/pki/crl.pem in your local repository.
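Before you import pki/crl.pem, it is worth confirming that the file actually names the client certificate you meant to revoke and nothing else, because the import is permanent for every serial the CRL lists. The following is an added example, not part of the AWS article: a small standard-library Python script that decodes the PEM, walks the DER structure of the CRL and lists the serial numbers in its revokedCertificates field, so you can compare them with the output of `openssl x509 -in pki/issued/client_certificate_name.crt -noout -serial`. The SAMPLE_CRL_PEM at the bottom is constructed inside the script with a dummy signature and is not real easy-rsa output; the DER encoder and the parser are my own minimal implementations.

```python
"""Check what a CRL revokes before importing it into a Client VPN endpoint.

Added example, not part of the AWS article: a minimal DER reader that
lists the serial numbers in a CRL's revokedCertificates field, so you can
confirm the pki/crl.pem produced by ./easyrsa gen-crl names the client
certificate you meant to revoke (and nothing else) before you import it.
Only the standard library is used. SAMPLE_CRL_PEM is constructed below with
a dummy signature; it is not real easy-rsa output.
"""
import base64
import re
import textwrap

PEM_RE = re.compile(
    r"-----BEGIN X509 CRL-----\s*(.*?)\s*-----END X509 CRL-----", re.S
)


def pem_to_der(pem_text: str) -> bytes:
    """Extract and base64-decode the first X509 CRL block in pem_text."""
    match = PEM_RE.search(pem_text)
    if not match:
        raise ValueError("no '-----BEGIN X509 CRL-----' block found")
    return base64.b64decode("".join(match.group(1).split()))


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, content, next_pos) for the DER element starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                      # short-form length
        length = first
    else:                                 # long-form: (first & 0x7F) length bytes follow
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


def _children(content: bytes) -> list:
    """Split a constructed element's content into its (tag, content) members."""
    out, pos = [], 0
    while pos < len(content):
        tag, val, pos = _read_tlv(content, pos)
        out.append((tag, val))
    return out


def revoked_serials(pem_text: str) -> list:
    """Serials (uppercase hex, no leading zeros) in the CRL's revokedCertificates."""
    tag, cert_list, _ = _read_tlv(pem_to_der(pem_text), 0)
    if tag != 0x30:
        raise ValueError("CertificateList must be a SEQUENCE")
    fields = _children(_read_tlv(cert_list, 0)[1])     # TBSCertList members
    i = 1 if fields[0][0] == 0x02 else 0               # optional version INTEGER
    i += 3                                             # signature, issuer, thisUpdate
    if i < len(fields) and fields[i][0] in (0x17, 0x18):   # optional nextUpdate
        i += 1
    serials = []
    if i < len(fields) and fields[i][0] == 0x30:       # optional revokedCertificates
        for _, entry in _children(fields[i][1]):
            serial_bytes = _children(entry)[0][1]      # userCertificate INTEGER
            serials.append(format(int.from_bytes(serial_bytes, "big", signed=True), "X"))
    return serials


def crl_revokes(pem_text: str, serial_hex: str) -> bool:
    """True if serial_hex (as printed by `openssl x509 -noout -serial`) is in the CRL."""
    wanted = serial_hex.upper().lstrip("0") or "0"
    return wanted in revoked_serials(pem_text)


# --- constructed sample CRL (dummy signature), built with a tiny DER encoder ---
def _der(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def _der_int(v: int) -> bytes:
    return _der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))


def _utc(s: str) -> bytes:
    return _der(0x17, s.encode())


_SHA256_RSA = _der(0x30, _der(0x06, bytes.fromhex("2A864886F70D01010B")) + _der(0x05, b""))
_ISSUER = _der(0x30, _der(0x31, _der(0x30,
    _der(0x06, bytes.fromhex("550403")) + _der(0x0C, b"Constructed Test CA"))))
_REVOKED = _der(0x30, b"".join(
    _der(0x30, _der_int(s) + _utc("240301120000Z")) for s in (0x0A, 0x1F)))
_TBS = _der(0x30, _der_int(1) + _SHA256_RSA + _ISSUER
            + _utc("240301120000Z") + _utc("250301120000Z") + _REVOKED)
_CRL_DER = _der(0x30, _TBS + _SHA256_RSA + _der(0x03, b"\x00" * 33))
SAMPLE_CRL_PEM = ("-----BEGIN X509 CRL-----\n"
                  + "\n".join(textwrap.wrap(base64.b64encode(_CRL_DER).decode(), 64))
                  + "\n-----END X509 CRL-----\n")

if __name__ == "__main__":
    print("revoked serials:", revoked_serials(SAMPLE_CRL_PEM))
    print("revokes 0A?", crl_revokes(SAMPLE_CRL_PEM, "0A"))
```

To use it against a real file, read easy-rsa/easyrsa3/pki/crl.pem into `pem_text` and call `crl_revokes(pem_text, serial)` with the serial printed by `openssl x509 -in pki/issued/client_certificate_name.crt -noout -serial`. The script does not verify the CRL signature; it only shows what the file would revoke, which is the question to answer before the irreversible import.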

Import the certificate revocation list file to the Client VPN endpoint

Important: After you import the certificate revocation list file in the AWS Management Console, that client's access to the Client VPN endpoint is permanently revoked.

  1. Open the Amazon Virtual Private Cloud (Amazon VPC) console.

  2. In the navigation pane, choose Client VPN Endpoints.

  3. Select the Client VPN endpoint where you plan to import the client certificate revocation list.

  4. Choose Actions, and then choose Import Client Certificate CRL.

  5. Copy the contents of the client certificate revocation list crl.pem file.

    $ cat pki/crl.pem
    -----BEGIN X509 CRL-----
    Base64-encoded certificate revocation list
    -----END X509 CRL-----
  6. For Certificate Revocation List, enter the content of the client certificate revocation list file. Then, choose Import CRL.
    Or, you can import the client certificate revocation list with the AWS Command Line Interface (AWS CLI):

    aws ec2 import-client-vpn-client-certificate-revocation-list --certificate-revocation-list file://path_to_CRL_file --client-vpn-endpoint-id endpoint_id --region region

Note: If you receive errors when running AWS CLI commands, make sure that you're using the most recent AWS CLI version.

(Optional) Export the client certificate revocation list

  1. Open the Amazon VPC console.
  2. In the navigation pane, choose Client VPN Endpoints.
  3. Select the Client VPN endpoint from which you plan to export the client certificate revocation list.
  4. Choose Actions, and then choose Export Client Certificate CRL.
  5. Choose Yes, and then choose Export.
    Or, you can export the client certificate revocation list with the AWS CLI:
    aws ec2 export-client-vpn-client-certificate-revocation-list --client-vpn-endpoint-id endpoint_id

Related information

Client certificate revocation lists

AWS OFFICIAL. Updated 7 months ago.