--- tmp/create_a_secure_virtual_private_network_with_openvpn.orig 2008-11-09 02:16:55.000000000 +0100
+++ tmp/create_a_secure_virtual_private_network_with_openvpn 2008-11-09 02:16:55.000000000 +0100
@@ -471,6 +471,40 @@
 openvpn --config /etc/openvpn/client.conf
+# Certificates revocation list
+
+At some point, you want to reject some certification. This could be because you
+know that a particular client certification got compromised. If you want to be
+able to reject some certification, you need to create a certification
+revocation list.
+
+As first thing to do, we need to specify in the openvpn server configuration to
+check revoked certificates from a particular file:
+
+ echo "
+ # Revoked certificate list
+ crl-verify /etc/openvpn/keys/certification_revocation_list.pem" >> /etc/openvpn/server.conf
+
+We can now create an empty revocation file with:
+
+ # First load (source) the needed config
+ cd /etc/openvpn/easy-rsa
+ source vars
+ # Script isn't executable :-s
+ chmod +x /etc/openvpn/easy-rsa/make-crl
+ # Finally we create the revocation list
+ /etc/openvpn/easy-rsa/make-crl /etc/openvpn/keys/certification_revocation_list.pem
+
+To revoke some certification:
+
+ # First load (source) the needed config
+ cd /etc/openvpn/easy-rsa
+ source vars
+ ./revoke-full client2
+
+See for more
+informations.
+
 # Hardening the setup
 ## tls-auth
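Review bot: The "To revoke some certification" steps never refresh the file that `crl-verify` points at, so after `./revoke-full client2` the server keeps enforcing whatever `/etc/openvpn/keys/certification_revocation_list.pem` held when make-crl first wrote it, and the revoked client is presumably still accepted until that file is regenerated. The section should end with the same generation step used earlier, `/etc/openvpn/easy-rsa/make-crl /etc/openvpn/keys/certification_revocation_list.pem`, and a sentence noting that OpenVPN re-reads the CRL on new connections so existing sessions of the revoked client should be dropped separately. The closing "See for more informations." has lost its link target; restore the URL or remove the sentence.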