Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Automatic CRL import. External CA - MS PKI

    Scheduled Pinned Locked Moved OpenVPN
    2 Posts 2 Posters 1.0k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • M
      milosz.engel
      last edited by

      Hello all!
      I'm having a small problem or misunderstanding how CRL check should work. We want to use External PKI for generating OpenVPN certs for users (distribution is done using GPO and AD).

      Background - what was done:

      • We created an external CA by importing it's certs and without importing CA key
      • We imported external CA CRL firstly converting it to PEM format using certutil -encode. This CRL is visible in CRL list, but listed as Unknown(imported) but when I click download, CRL seems ok, it contains certs, date/time of revocation and all data.

      BUT

      When selecting this CRL in OpenVPN Peer Cert Revocation List - VPN fails with TLS handshake time out.
      So I created internal pfsense subca signed by our external Root and created internal CRL.
      When internal CRL is selected in OpenVPN - vpn works and clients can connect.

      BUT(again)

      What's the point of having subca only for revoking certs while we already have this covered in root CA(please, do not start discussion regarding root/sub CA chain, security etc. - it's not the case here :)).

      What I want:

      • Make OpenVPN actually use imported CRL since list itself seems to work and doesn't produce any errors on import and can be successfully exported
      • Make pfsense automatically fetch/import published CRL from CRL distribution point (some crone job, maybe) and update imported CRL
        This way we would avoid creating different CA just for managing VPN Certs.

      Please comment on this approach and point to some docs, file and config locations

      S 1 Reply Last reply Reply Quote 0
      • S
        sokosko @milosz.engel
        last edited by

        @milosz-engel
        for openvpn look here:
        openvpn-external-crl-automatic-renewing-openvpn-restart

        So... you could download the CRL with Curl, transfrom it in x509 and drop it where it is needed.

        1 Reply Last reply Reply Quote 0
        • First post
          Last post
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.