I've been having a look and using this, this, this and this. So to greate a CRL do:

echo 1000 > /etc/pki/CA/crlnumber    # you only need to do this once

openssl ca -gencrl -crldays 45 -config /usr/clearos/apps/certificate_manager/deploy/openssl.cnf \

    -out /etc/pki/CA/crl/crl.pem \

    -keyfile /etc/pki/CA/private/ca-key.pem \

    -cert /etc/pki/CA/ca-cert.pem

Note the default clrdays is 30. The recommendation is to regenerate the file every 30 days. The easiest way to do that is to set the crldays to something like 45 and put the line in a configlet in /etc/cron.monthly, remembering to make it executable. Also add " > /dev/null 2>&1" to the end of the openssl command to quieten the output. Otherwise you can be lazy and set it to a high number like 3650 days. You have to regenerate the file every time you revoke a certificate or batch of certificates.

Then to revoke a certificate, e.g the one for user "test1" do:

openssl ca -config /usr/clearos/apps/certificate_manager/deploy/openssl.cnf -revoke /etc/pki/CA/client-test1-cert.pem

openssl ca -gencrl -crldays 45 -config /usr/clearos/apps/certificate_manager/deploy/openssl.cnf \

    -out /etc/pki/CA/crl/crl.pem \

    -keyfile /etc/pki/CA/private/ca-key.pem \

    -cert /etc/pki/CA/ca-cert.pem

Now you have a certificate revoked and it exists in the crl.pem file. You can check with

openssl crl -in /etc/pki/CA/crl/crl.pem -noout -text

The serial number can be cross-referenced against the number in /etc/pki/CA/index.txt.

In /etc/openvpn/clients.conf, then add a line:

crl-verify /etc/pki/CA/crl/crl.pem

And restart OpenVPN. You should now have a functioning CRL.

If you want to test, I suggest you make a backup of the whole /etc/pki/CA folder and restore it after your testing. Revoking a certificate seems to update /etc/pki/CA/index.txt and regenerating the crl.pem also updates /etc/pki/CA/crlnumber but there may be more changes than that.