Certificate Revokation appears to be the major method OpenVPN supports. In order to do this securely, you must be certain that you know about every signed certificate ever created. Perhaps some environments can rely on this, but we can't.
Therefor, the only sure way to allow only certain people onto the network is to reenerate the certificates (both server and client), reissue them, and then reconfigure all the clients. That's definitely an ugly process.
I think the best bet is to enable an alternative authentication method, use that to allow/restrict access, and not worry so much about revoking certificates.