The revoke-full script will generate a CRL (certificate revocation list) file called crl.pem in the keyssubdirectory. The file should be copied to a directory where the OpenVPN server can access it, then CRL verification should be enabled in the server configuration:
(This operation doesn't really need them but does access them; see Why does OpenSSL need the private key to revoke a certificate?) Anytime after the 'database' is updated, use openssl ca -gencrl [options] to actually generate a CRL from the current (updated) contents. The CRL period (in days, hours, or seconds) must be specified on the command Revoke-Certificate - PKI Extensions -Reason
Online Certificate Status Protocol — OpenSSL Certificate
OpenSSL - OpenSSL "ca -revoke" - Revoke a Certificate OpenSSL "ca" - Sign the CSR Again How to sign the a CSR again the OpenSSL "ca" command? It was signed for 1 year the first time. But the requester wants the certificate to valid for 3 years. If you sign a CSR incorrectly and want to sign it again with the OpenSSL "ca" command, you need to revoke the certificate, then sign it again c How to revoke a Let's Encrypt certificate, and why you
Revoking certificates - Let's Encrypt - Free SSL/TLS
OpenSSL with Bash » Linux Magazine OpenSSL makes use of standard input and standard output, and it supports a wide range of parameters, such as command-line switches, environment variables, named pipes, file descriptors, and files. You can take advantage of these features to quickly write Bash (Bourne-Again Shell) scripts that automate tasks, such as testing SSL/TLS (Secure Socket Layer/Transport Layer Security) connections OpenSSL - OpenSSL "ca -revoke" - Revoke a Certificate OpenSSL "ca" - Sign the CSR Again How to sign the a CSR again the OpenSSL "ca" command? It was signed for 1 year the first time. But the requester wants the certificate to valid for 3 years. If you sign a CSR incorrectly and want to sign it again with the OpenSSL "ca" command, you need to revoke the certificate, then sign it again c