OpenVPN without CRL, with client configs?

  • Hi all,

    Is anyone aware of a simple way to use client configs such that only if you have a client config defined are you allowed to connect?  My concern is that, with multiple admins, someone may forget or assume that someone else updated the CRL, and we end up leaving a certificate enabled that should not be.  I'd like the client configs to end up being the location-of-record for who's allowed to be on, but I can't think of a combination of server and client options that could make this happen.


  • I've kind of found a way to do this:

    1)  Create a client config called DEFAULT.  This is parsed by OpenVPN when a CN is not matched elsewhere.
    2)  Click the "Blocked" option in the config.

    What I'm not sure of is the downside of doing this… The blocked option specifically says that the option shouldn't be used "due to key or password compromise", which seems to imply that it has weaknesses that a CRL does not.

    Any thoughts?
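
An added example, not part of either post: a shell sketch that models the lookup the second post relies on (the file named after the CN, else DEFAULT, refused when the chosen file contains `disable`) and audits a client-config directory against it. The sample directory, the CNs alice, bob and mallory, and the function names are constructed for illustration, and it assumes the "Blocked" checkbox writes OpenVPN's `disable` directive into the client file.

```shell
#!/bin/sh
# Simplified model of how OpenVPN picks a client-config-dir file for a CN:
# use the file named after the CN, else the file named DEFAULT, and refuse
# the client when the chosen file carries the "disable" directive.

# ccd_decision DIR CN -> prints "allow" or "deny"
ccd_decision() {
    dir=$1 cn=$2
    if [ -f "$dir/$cn" ]; then
        file="$dir/$cn"
    elif [ -f "$dir/DEFAULT" ]; then
        file="$dir/DEFAULT"
    else
        echo allow      # no per-client file and no DEFAULT: nothing blocks it
        return 0
    fi
    # "disable" on a line of its own, ignoring surrounding whitespace
    if grep -Eq '^[[:space:]]*disable[[:space:]]*$' "$file"; then
        echo deny
    else
        echo allow
    fi
}

# audit_ccd DIR -> prints one "CN decision" line per per-client file
audit_ccd() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        cn=$(basename "$f")
        [ "$cn" = DEFAULT ] && continue
        echo "$cn $(ccd_decision "$1" "$cn")"
    done
}

# Constructed sample directory (hypothetical CNs alice and bob).
make_sample_ccd() {
    d=$(mktemp -d)
    echo 'disable' > "$d/DEFAULT"                              # steps 1 and 2 of the post
    echo 'ifconfig-push 10.8.0.10 255.255.255.0' > "$d/alice"  # permitted client
    echo 'disable' > "$d/bob"                                  # explicitly blocked
    echo "$d"
}

sample=$(make_sample_ccd)
audit_ccd "$sample"
echo "mallory $(ccd_decision "$sample" mallory)"   # no file of its own: falls to DEFAULT
rm -rf "$sample"
```

The model keys on the CN alone, so it says nothing about whether a certificate's key has been compromised; that is the case the option's own warning reserves for a CRL.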

