--crl-verify crl ['dir']
Check peer certificate against the file crl in PEM format.
A CRL (certificate revocation list) is used when a particular key is compromised but when the overall PKI is still intact.
Suppose you had a PKI consisting of a CA, root certificate, and a number of client certificates. Suppose a laptop computer containing a client key and certificate was stolen. By adding the stolen certificate to the CRL file, you could reject any connection which attempts to use it, while preserving the overall integrity of the PKI.
The only time when it would be necessary to rebuild the entire PKI from scratch would be if the root certificate key itself was compromised.
If the optional dir flag is specified, enable a different mode where crl is a directory containing files named as revoked serial numbers (the files may be empty, the contents are never read). If a client requests a connection, where the client certificate serial number (decimal string) is the name of a file present in the directory, it will be rejected.
Note: As the crl file (or directory) is read every time a peer connects, if you are dropping root privileges with --user, make sure that this user has sufficient privileges to read the file.
--crl-verify does not check whether the CRL is correctly signed by the CA. It merely checks that the CRL issuers matches the CA CN. Therefore, users should ensure that the supplied CRL is correct.
OpenVPN 2.4 and newer resolve this issue.