Wednesday, October 23, 2013

Revoke/Unrevoke a client certificate in OpenVPN

Source: http://blog.abhijeetr.com/2012/06/revokeunrevoke-client-certificate-in.html

REVOKING

To revoke a client's access, the standard method is a Certificate Revocation List (CRL). Go to the easy-rsa directory and run the following, where cname is the base name of the client certificate you want to disable (the keys/cname.crt file):


# source ./vars
# ./revoke-full cname



Then copy the crl.pem created in the keys folder to /etc/openvpn/. Finally, edit server.conf and add the following line. If the server drops privileges with user/group or runs in a chroot, make sure the file is readable by that user and reachable from inside the chroot, because it is read again after startup, not only at launch.

crl-verify crl.pem

The CRL is not appended to: every revocation regenerates it in full from the CA's index.txt, so after each revoke you overwrite /etc/openvpn/crl.pem with the new file. OpenVPN re-reads the CRL when a client connects (recent versions reload it when the file has changed), so the server does not need to be restarted after you replace it.


UNREVOKING

Now, coming to the un-revoking part: I asked the above question on serverfault and was told that un-revoking a certificate should generally not be done.

But if you still want to do that, I will quote the answer:
in your CA folder, there should be an index.txt, with certificate IDs in it. The ones starting with "V" are valid, and ones with "R" are revoked. You can edit that file, and fix the first char to "V", and delete the third column (the revocation date). If you have more than one certificate, you should see the pattern (sequential number comes in the third column now, etc).
Then you just need to regenerate the CRL again, and it should work.

To regenerate the CRL, run the following two commands in the easy-rsa directory. Note that the new crl.pem is written to the current directory, so copy it over /etc/openvpn/crl.pem afterwards:

# source ./vars
# openssl ca -gencrl -out "crl.pem" -config "$KEY_CONFIG"
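As an added worked example (not from the original post, the serverfault answer or easy-rsa itself), the script below runs the whole cycle from both sections above against a throwaway CA, using the same openssl ca machinery that revoke-full and the gencrl command wrap: issue a client certificate, revoke it, regenerate the CRL, check that verification against the CRL now rejects it, then un-revoke by editing index.txt exactly as the quoted answer describes (status column R back to V, revocation date blanked) and regenerate the CRL once more. Assumed: openssl, awk and mktemp are on the PATH; the directory layout, config sections, serial numbers and names (demo-ca, client1) are demo choices, not easy-rsa's.

```shell
#!/bin/sh
# Added example, not from the original post or easy-rsa: the full revoke / un-revoke
# cycle against a throwaway CA, driven by the same "openssl ca" commands easy-rsa wraps.
# Assumed: openssl, awk and mktemp on PATH; names, serials and layout are demo choices.
set -eu

pki_init() {
  DEMO_DIR=$(mktemp -d)
  LOG="$DEMO_DIR/openssl.log"
  mkdir "$DEMO_DIR/newcerts"
  : > "$DEMO_DIR/index.txt"            # the CA database easy-rsa keeps in keys/
  echo 1000 > "$DEMO_DIR/serial"; echo 1000 > "$DEMO_DIR/crlnumber"
  # Minimal openssl.cnf with the sections easy-rsa's config provides (demo values).
  cat > "$DEMO_DIR/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir              = $DEMO_DIR
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
certificate      = \$dir/ca.crt
private_key      = \$dir/ca.key
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = policy_cn
unique_subject   = no
x509_extensions  = v3_client
[ policy_cn ]
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
[ v3_client ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature
extendedKeyUsage = clientAuth
EOF
  openssl req -x509 -config "$DEMO_DIR/ca.cnf" -newkey rsa:2048 -nodes -days 365 \
    -subj /CN=demo-ca -keyout "$DEMO_DIR/ca.key" -out "$DEMO_DIR/ca.crt" >>"$LOG" 2>&1
  openssl req -new -config "$DEMO_DIR/ca.cnf" -newkey rsa:2048 -nodes \
    -subj /CN=client1 -keyout "$DEMO_DIR/client.key" -out "$DEMO_DIR/client.csr" >>"$LOG" 2>&1
  openssl ca -batch -config "$DEMO_DIR/ca.cnf" -notext \
    -in "$DEMO_DIR/client.csr" -out "$DEMO_DIR/client.crt" >>"$LOG" 2>&1
  pki_gencrl
  echo "$DEMO_DIR"
}

# Rebuild the CRL from index.txt, then bundle CA cert + CRL as revoke-full does for its verify.
pki_gencrl() {
  openssl ca -config "$DEMO_DIR/ca.cnf" -gencrl -out "$DEMO_DIR/crl.pem" >>"$LOG" 2>&1
  cat "$DEMO_DIR/ca.crt" "$DEMO_DIR/crl.pem" > "$DEMO_DIR/ca-with-crl.pem"
}

pki_revoke() {
  openssl ca -config "$DEMO_DIR/ca.cnf" -revoke "$DEMO_DIR/client.crt" >>"$LOG" 2>&1
  pki_gencrl
}

# The serverfault edit, done mechanically for one serial. index.txt is tab-separated:
# status, expiry, revocation date, serial, filename, subject. Flip R to V, blank column 3.
pki_unrevoke() {
  cp "$DEMO_DIR/index.txt" "$DEMO_DIR/index.txt.bak"
  awk -F'\t' -v OFS='\t' -v serial="$1" \
    '$1 == "R" && $4 == serial { $1 = "V"; $3 = "" } { print }' \
    "$DEMO_DIR/index.txt.bak" > "$DEMO_DIR/index.txt"
  pki_gencrl
}

cert_serial()  { openssl x509 -noout -serial -in "$DEMO_DIR/client.crt" | sed 's/^serial=//'; }
index_status() { awk -F'\t' -v serial="$1" '$4 == serial { print $1 }' "$DEMO_DIR/index.txt"; }
crl_lists()    { openssl crl -in "$DEMO_DIR/crl.pem" -noout -text | grep -q "Serial Number: $1"; }

# "accepted" or "revoked": revoke-full's own check, and what crl-verify enforces in OpenVPN.
cert_status() {
  out=$(openssl verify -CAfile "$DEMO_DIR/ca-with-crl.pem" -crl_check "$DEMO_DIR/client.crt" 2>&1) || true
  case "$out" in
    *"certificate revoked"*) echo revoked ;;
    *": OK"*)                echo accepted ;;
    *)                       echo "unexpected: $out"; return 1 ;;
  esac
}

pki_init >/dev/null
SERIAL=$(cert_serial)
echo "issued:    index=$(index_status "$SERIAL") verify=$(cert_status)"
pki_revoke
echo "revoked:   index=$(index_status "$SERIAL") verify=$(cert_status)"
pki_unrevoke "$SERIAL"
echo "unrevoked: index=$(index_status "$SERIAL") verify=$(cert_status)"
```

Run it with sh; the three lines it prints show the index.txt status column and the verify result after issuing, after revoking, and after un-revoking. The verify check is the one revoke-full performs (CA certificate and CRL concatenated into a single -CAfile, with -crl_check). For a real easy-rsa setup the same awk edit applies to keys/index.txt before re-running the gencrl command above; the script deliberately does not touch /etc/openvpn, so copying the regenerated crl.pem there remains the manual step from the post.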



Note that the final step of revoke-full is an openssl verify -crl_check of the certificate you just revoked, so output ending in a line like "error 23 ... certificate revoked" is the expected confirmation that the certificate is now rejected, not a failure. If the revoke command really does fail, read this bug report:
https://bugs.launchpad.net/ubuntu/+source/openvpn/+bug/231199