Revoking a certificate for IPSEC vpn setups
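#!/bin/bash
#
# Revoke, then delete, an IKEv2 VPN client certificate from the libreswan NSS
# database created by https://github.com/hwdsl2/setup-ipsec-vpn
# (docs/ikev2-howto.md#revoke-a-client-certificate).
#
# Usage: $0 <nickname of the client certificate>
#
# Steps, in order:
#   1. look up the certificate's serial number in the NSS database,
#   2. ask for an explicit confirmation on the terminal,
#   3. create the CA's CRL if none exists yet and add the serial to it,
#   4. tell libreswan to reload its CRLs,
#   5. delete the client's private key and certificate from the database.
#
# Needs write access to the NSS database (normally run as root).

set -u

# libreswan's NSS database and the CA nickname used by the hwdsl2 scripts.
# Adjust if your installation differs.
readonly NSS_DB="sql:/etc/ipsec.d"
readonly CA_NICK="IKEv2 VPN CA"

die() { printf 'error: %s\n' "$*" >&2; exit 1; }

# Print every certificate in the database (nickname + trust flags).
list_certs() { certutil -L -d "$NSS_DB"; }

#######################################
# Print the serial number of certificate $1 as a bare hex string: no "0x",
# no colons, no leading zero digits. Prints nothing if the certificate is
# not in the database.
#
# NSS prints serials of up to four bytes inline, e.g.
#     Serial Number: 2 (0x2)
# and longer serials as a colon-separated hex dump on the following
# line(s). The previous "grep -1 Serial | tail -1" only handled the
# multi-line form and would feed the next field name into the hex
# conversion for small serials.
#######################################
cert_serial_hex() {
  local hex
  hex=$(certutil -L -d "$NSS_DB" -n "$1" 2>/dev/null | awk '
    /Serial Number:/ {
      if ($3 != "") {                 # inline form: take the "(0x...)" field
        h = $4; gsub(/[()]/, "", h); sub(/^0x/, "", h); print h; exit
      }
      # multi-line form: collect every following line that is only hex and colons
      while ((getline line) > 0 && line ~ /^[ \t]*[0-9a-fA-F:]+[ \t]*$/) {
        gsub(/[ \t:]/, "", line); h = h line
      }
      print h; exit
    }')
  # Drop leading zero digits (DER prepends 0x00 when the top bit is set)
  # but keep one digit if the serial really is zero.
  while [[ $hex == 0?* ]]; do hex=${hex#0}; done
  printf '%s\n' "$hex"
}

main() {
  if [[ $# -lt 1 || -z $1 ]]; then
    printf '\nUsage: %s <nickname of the client certificate>\n\n' "$0" >&2
    echo "See list of active VPN client/cert users below:" >&2
    list_certs >&2
    exit 2
  fi

  local nick=$1 hex dec now
  echo "Revoking VPN certificate for user: $nick"

  hex=$(cert_serial_hex "$nick")
  if [[ -z $hex ]]; then
    echo "Certificate for $nick not found." >&2
    echo >&2
    echo "Certificates in DB:" >&2
    list_certs >&2
    exit 1
  fi
  [[ $hex =~ ^[0-9a-fA-F]+$ ]] || die "unexpected serial number format: '$hex'"
  # bash arithmetic is signed 64-bit; a wider serial would wrap silently and
  # the wrong serial would end up on the CRL. Refuse rather than guess.
  (( ${#hex} <= 15 )) || die "serial $hex is too wide to convert in bash; revoke it by hand"
  dec=$(( 16#$hex ))
  echo "Serial Number $hex in decimal format is $dec"

  echo "Press enter to revoke the cert or ctrl-c to abort"
  # EOF on stdin counts as an abort, so a non-interactive invocation with
  # no stdin cannot revoke by accident.
  read -r _ || die "aborted: no confirmation received"

  # The CRL is stored in the NSS database under the CA nickname; create an
  # empty one first if this is the first revocation.
  if ! crlutil -L -d "$NSS_DB" -n "$CA_NICK" >/dev/null 2>&1; then
    crlutil -G -d "$NSS_DB" -n "$CA_NICK" -c /dev/null \
      || die "could not create a CRL for $CA_NICK"
  fi

  # crlutil takes the serial in decimal and the revocation time as
  # YYYYMMDDhhmmssZ. The trailing Z asserts UTC, so the timestamp must be
  # generated with -u; local time plus a Z suffix puts the revocation date
  # off by the UTC offset.
  now=$(date -u +%Y%m%d%H%M%SZ)
  crlutil -M -d "$NSS_DB" -n "$CA_NICK" <<EOF || die "could not add serial $dec to the CRL"
addcert $dec $now
EOF

  # Make libreswan re-read the CRL so the revocation takes effect now.
  ipsec crls || die "'ipsec crls' failed: CRL was updated but not reloaded"

  # -F removes the private key together with its certificate; -D covers a
  # client whose cert was imported without a key. Each may legitimately
  # fail, so check the end state instead of the individual exit codes.
  # The CRL entry above is what enforces the revocation; this is cleanup.
  certutil -F -d "$NSS_DB" -n "$nick" 2>/dev/null || true
  certutil -D -d "$NSS_DB" -n "$nick" 2>/dev/null || true
  if certutil -L -d "$NSS_DB" -n "$nick" >/dev/null 2>&1; then
    die "certificate $nick is still present in the database after deletion"
  fi

  echo "Current list of VPN clients"
  list_certs
}

main "$@"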