diff --git a/manifests/revoke.pp b/manifests/revoke.pp
index 67d926ef..fd3aa03a 100644
--- a/manifests/revoke.pp
+++ b/manifests/revoke.pp
@@ -25,10 +25,40 @@
 $etc_directory = $openvpn::etc_directory
- exec { "revoke certificate for ${name} in context of ${server}":
- command => ". ./vars && ./revoke-full ${name}; echo \"exit $?\" | grep -qE '(error 23|exit (0|2))' && touch revoked/${name}",
- cwd => "${etc_directory}/openvpn/${server}/easy-rsa",
- creates => "${etc_directory}/openvpn/${server}/easy-rsa/revoked/${name}",
- provider => 'shell',
+ case $openvpn::easyrsa_version {
+ '2.0': {
+ exec { "revoke certificate for ${name} in context of ${server}":
+ command => ". ./vars && ./revoke-full ${name}; echo \"exit $?\" | grep -qE '(error 23|exit (0|2))' && touch revoked/${name}",
+ cwd => "${etc_directory}/openvpn/${server}/easy-rsa",
+ creates => "${etc_directory}/openvpn/${server}/easy-rsa/revoked/${name}",
+ provider => 'shell',
+ }
+ }
+ '3.0': {
+ if $openvpn::manage_service {
+ if $facts['service_provider'] == 'systemd' {
+ $lnotify = Service["openvpn@${server}"]
+ } elsif $openvpn::namespecific_rclink {
+ $lnotify = Service["openvpn_${server}"]
+ } else {
+ $lnotify = Service['openvpn']
+ Openvpn::Server[$server] -> Service['openvpn']
+ }
+ }
+ else {
+ $lnotify = undef
+ }
+
+ exec { "revoke certificate for ${name} in context of ${server}":
+ command => ". ./vars && echo yes | ./easyrsa revoke ${name} 2>&1 | grep -E 'Already revoked|was successful|not a valid certificate' && ./easyrsa gen-crl && /bin/cp -f keys/crl.pem ../crl.pem && touch revoked/${name}",
+ cwd => "/etc/openvpn/${server}/easy-rsa",
+ creates => "/etc/openvpn/${server}/easy-rsa/revoked/${name}",
+ provider => 'shell',
+ notify => $lnotify,
+ }
+ }
+ default: {
+ fail("unexepected value for EasyRSA version, got '${openvpn::easyrsa_version}', expect 2.0 or 3.0.")
+ }
 }
 }
diff --git a/spec/defines/openvpn_revoke_spec.rb b/spec/defines/openvpn_revoke_spec.rb
index 75b8eeec..4d0bfcc1 100644
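Review bot: The `'3.0'` exec hard-codes `/etc/openvpn/${server}/easy-rsa` in `cwd` and `creates`, while the `'2.0'` branch above it uses `${etc_directory}/openvpn/...`; wherever `$openvpn::etc_directory` is not `/etc`, the revocation would run in, and look for its marker in, the wrong directory. Use `cwd => "${etc_directory}/openvpn/${server}/easy-rsa",` and `creates => "${etc_directory}/openvpn/${server}/easy-rsa/revoked/${name}",` as in the 2.0 branch. Separately, the `grep -E` treats `not a valid certificate` as success, so a mistyped `${name}` would apparently still touch `revoked/${name}` and mark the client as revoked while the intended certificate stays valid; if that is deliberate for idempotence it deserves a comment, otherwise drop that alternative. `${name}` is also interpolated unquoted into a `provider => 'shell'` command in both branches; whether it is validated is not visible here, because the enclosing define starts above the hunk.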
--- a/spec/defines/openvpn_revoke_spec.rb
+++ b/spec/defines/openvpn_revoke_spec.rb
@@ -25,11 +25,24 @@
 it { is_expected.to compile.with_all_deps }
- it {
- is_expected.to contain_exec('revoke certificate for test_client in context of test_server').with(
- 'command' => ". ./vars && ./revoke-full test_client; echo \"exit $?\" | grep -qE '(error 23|exit (0|2))' && touch revoked/test_client"
- )
- }
+ case facts[:os]['family']
+ when 'Ubuntu', 'Debian'
+ context 'system with easyrsa2' do
+ it {
+ is_expected.to contain_exec('revoke certificate for test_client in context of test_server').with(
+ 'command' => ". ./vars && ./revoke-full test_client; echo \"exit $?\" | grep -qE '(error 23|exit (0|2))' && touch revoked/test_client"
+ )
+ }
+ end
+ when 'CentOS', 'RedHat', %r{Archlinux}, %r{FreeBSD}
+ context 'system with easyrsa3' do
+ it {
+ is_expected.to contain_exec('revoke certificate for test_client in context of test_server').with(
+ 'command' => ". ./vars && echo yes | ./easyrsa revoke test_client 2>&1 | grep -E 'Already revoked|was successful|not a valid certificate' && ./easyrsa gen-crl && /bin/cp -f keys/crl.pem ../crl.pem && touch revoked/test_client"
+ )
+ }
+ end
+ end
 end
 end
 end
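Review bot: The easyrsa3 example asserts only `'command'`, so no expectation pins the `cwd`, `creates` and `notify` parameters that the 3.0 branch of manifests/revoke.pp introduces; adding `'cwd'` and `'creates'` keys to that `.with(...)` hash would catch a revocation that runs in the wrong directory. The `case facts[:os]['family']` also has no `else`, so an OS whose family matches neither `when` list silently gets no assertion on the revoke command. An `else` branch such as `else raise "no easyrsa expectation for #{facts[:os]['family']}"` would make that gap visible. The surrounding `describe`/`context` blocks begin outside this hunk, so how `facts` is populated is not shown.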