

# AWS Client VPN client certificate revocation lists
<a name="cvpn-working-certificates"></a>

Client VPN client certificate revocation lists are used to revoke access to a Client VPN endpoint for specific client certificates. You can either generate a revocation list or import an existing list. You can also export your current list to a revocation list file. Generating a list is performed using the OpenVPN software on either Linux/macOS or on Windows. Importing and exporting can be done using either the Amazon VPC Console or the AWS CLI. 

For more information about generating the server and client certificates and keys, see [Mutual authentication in AWS Client VPN](mutual.md).

**Note**  
If a client certificate revocation list has expired, you cannot connect to the Client VPN endpoint. You'll need to create a new one and import it into the Client VPN endpoint. 

You can add only a limited number of entries to a client certificate revocation list. For more information about the number of entries you can add to a revocation list, see [Client VPN quotas](limits.md#quotas-endpoints).

**Topics**
+ [Generate a client certificate revocation list](cvpn-working-certificates-generate.md)
+ [Import a client certificate revocation list](cvpn-working-certificates-import.md)
+ [Export a client certificate revocation list](cvpn-working-certificates-export.md)

# Generate an AWS Client VPN client certificate revocation list
<a name="cvpn-working-certificates-generate"></a>

You can generate a Client VPN certificate revocation list on either a Linux/macOS or Windows operating system. The revocation list is used to revoke access to a Client VPN endpoint for specific certificates. For more information about client certificate revocation lists, see [Client certificate revocation lists](cvpn-working-certificates.md).

------
#### [ Linux/macOS ]

In the following procedure, you generate a client certificate revocation list using the OpenVPN easy-rsa command line utility.

**To generate a client certificate revocation list using OpenVPN easy-rsa**

1. Log on to the server hosting the easyrsa installation used to generate the certificate.

1. Navigate into the `easy-rsa/easyrsa3` folder in your local repo.

   ```
   $ cd easy-rsa/easyrsa3
   ```

1. Revoke the client certificate and generate the client revocation list.

   ```
   $ ./easyrsa revoke client1.domain.tld
   $ ./easyrsa gen-crl
   ```

   Enter `yes` when prompted.

------
#### [ Windows ]

The following procedure uses the OpenVPN software to generate a client revocation list. It assumes that you followed the [steps for using the OpenVPN software](mutual.md) to generate the client and server certificates and keys.

**To generate a client certificate revocation list using EasyRSA version 3.x.x**

1. Open a command prompt and navigate to the EasyRSA-3.x.x directory, which will depend on where it is installed on your system.

   ```
   C:\> cd c:\Users\windows\EasyRSA-3.x.x
   ```

1. Run the `EasyRSA-Start.bat` file to start the EasyRSA shell.

   ```
   C:\> .\EasyRSA-Start.bat
   ```

1. In the EasyRSA shell, revoke the client certificate.

   ```
   # ./easyrsa revoke client_certificate_name
   ```

1. Enter `yes` when prompted.

1. Generate the client revocation list.

   ```
   # ./easyrsa gen-crl
   ```

1. The client revocation list will be created in the following location:

   ```
   c:\Users\windows\EasyRSA-3.x.x\pki\crl.pem
   ```

**To generate a client certificate revocation list using previous EasyRSA versions**

1. Open a command prompt and navigate to the OpenVPN directory.

   ```
   C:\> cd \Program Files\OpenVPN\easy-rsa
   ```

1. Run the `vars.bat` file.

   ```
   C:\> vars
   ```

1. Revoke the client certificate and generate the client revocation list.

   ```
   C:\> revoke-full client_certificate_name
   C:\> more crl.pem
   ```

------

# Import an AWS Client VPN client certificate revocation list
<a name="cvpn-working-certificates-import"></a>

You must have a Client VPN client certificate revocation list file to import. For more information about generating a client certificate revocation list, see [Generate an AWS Client VPN client certificate revocation list](cvpn-working-certificates-generate.md).

You can import a client certificate revocation list using the console and the AWS CLI.

**To import a client certificate revocation list (console)**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Client VPN Endpoints**.

1. Select the Client VPN endpoint for which to import the client certificate revocation list.

1. Choose **Actions**, and choose **Import Client Certificate CRL**.

1. For **Certificate Revocation List**, enter the contents of the client certificate revocation list file, and choose **Import client certificate CRL**.

**To import a client certificate revocation list (AWS CLI)**  
Use the [import-client-vpn-client-certificate-revocation-list](https://docs.aws.amazon.com/cli/latest/reference/ec2/import-client-vpn-client-certificate-revocation-list.html) command.

```
$ aws ec2 import-client-vpn-client-certificate-revocation-list --certificate-revocation-list file://path_to_CRL_file --client-vpn-endpoint-id endpoint_id --region region
```
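As an added example (not AWS documentation or easy-rsa code), the following POSIX shell script ties together the expiry note, the entry quota and the import command above: it verifies the CRL signature against the easy-rsa CA, refuses a CRL whose `nextUpdate` has already passed, counts the revoked entries so you can compare them with the Client VPN quota, and only then runs the import. It assumes `openssl` is installed, the easy-rsa default paths `pki/crl.pem` and `pki/ca.crt`, and the placeholder variables `CLIENT_VPN_ENDPOINT_ID` and `AWS_REGION`.

```shell
#!/bin/sh
# Added example, not AWS documentation code: validate an easy-rsa CRL before
# importing it, since an expired CRL blocks every connection to the endpoint.
# Assumes openssl is installed and the easy-rsa default paths pki/crl.pem and
# pki/ca.crt; CLIENT_VPN_ENDPOINT_ID and AWS_REGION are placeholder variables.

# Pull the date out of the "nextUpdate=..." line that
# `openssl crl -noout -nextupdate` prints.
next_update_date() {
  printf '%s\n' "$1" | sed -n 's/^nextUpdate=//p'
}

# Count revoked entries in `openssl crl -noout -text` output (one
# "Serial Number:" line per entry) to compare against the Client VPN quota.
count_revoked_serials() {
  printf '%s\n' "$1" | grep -c '^ *Serial Number:' || true
}

# Convert an OpenSSL date such as "Mar  1 12:00:00 2026 GMT" to epoch seconds,
# trying GNU date first and then the BSD/macOS form.
to_epoch() {
  date -u -d "$1" +%s 2>/dev/null ||
    date -j -u -f '%b %e %H:%M:%S %Y %Z' "$1" +%s
}

# Whole days from the first epoch timestamp to the second (negative once past).
days_until() {
  echo $(( ($2 - $1) / 86400 ))
}
# Verify the CRL signature against the CA, refuse an expired CRL, and report
# the entry count. Returns non-zero when the CRL must not be imported.
check_crl() {
  crl=${1:-pki/crl.pem}; ca=${2:-pki/ca.crt}
  openssl crl -in "$crl" -CAfile "$ca" -noout || return 1
  next=$(next_update_date "$(openssl crl -in "$crl" -noout -nextupdate)")
  left=$(days_until "$(date +%s)" "$(to_epoch "$next")")
  if [ "$left" -le 0 ]; then
    echo "CRL expired on $next; run ./easyrsa gen-crl again" >&2; return 1
  fi
  n=$(count_revoked_serials "$(openssl crl -in "$crl" -noout -text)")
  echo "CRL OK: $n revoked entries, valid for $left more days"
}

# Import only once the checks pass (AWS CLI command as given on this page).
if [ "$#" -gt 0 ]; then
  check_crl "$@" && aws ec2 import-client-vpn-client-certificate-revocation-list \
    --certificate-revocation-list "file://${1}" \
    --client-vpn-endpoint-id "$CLIENT_VPN_ENDPOINT_ID" --region "$AWS_REGION"
fi
```

Run it as `sh check_crl.sh pki/crl.pem pki/ca.crt` with the two variables exported; because easy-rsa sets the CRL validity from `EASYRSA_CRL_DAYS`, the expiry check is worth repeating every time the list is regenerated.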

# Export an AWS Client VPN client certificate revocation list
<a name="cvpn-working-certificates-export"></a>

You can export Client VPN client certificate revocation lists using the console and the AWS CLI.

**To export a client certificate revocation list (console)**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Client VPN Endpoints**.

1. Select the Client VPN endpoint for which to export the client certificate revocation list.

1. Choose **Actions**, choose **Export Client Certificate CRL**, and choose **Export Client Certificate CRL**.

**To export a client certificate revocation list (AWS CLI)**  
Use the [export-client-vpn-client-certificate-revocation-list](https://docs.aws.amazon.com/cli/latest/reference/ec2/export-client-vpn-client-certificate-revocation-list.html) command.