Netgate Discussion Forum

    User cert revoked by itself.

    • shshs

      Hi guys,

      I have a weird issue and I hope you'll help me clarify it. It's the second time I've been contacted by a user with an OpenVPN connection problem. When I checked the user certificate status, it was labeled as "Revoked User Cert".
      [attached screenshot: Screenshot 2023-02-01 at 14.18.59.png]
      Then I reissued the certificate and the problem was solved. But I don't understand the root cause. This user's certificate was not in any of my CRLs; moreover, the certificates I revoke intentionally via CRL have the status "Revoked" in the System->Certificate Manager->Certificates menu. The pfSense config hasn't been changed either (I use the latest version, 2.6.0-RELEASE (amd64)).
      What could be the reason for this revocation? Thank you.

      • NogBadTheBad @shshs

        This post is deleted!
        • jimp (Rebel Alliance Developer, Netgate)

          Certificates are revoked by serial number. If you somehow have multiple certificates from the same CA with the same serial number, revoking one will end up revoking all certificates with the same serial number issued by that CA.

          This can happen if you export/import the CA to another system but don't set the correct "Next Serial" when importing. For example if you made 10 certs from a CA (starts at serial 1), then imported the CA to a new system and didn't set it, the first 10 certs you make will have the same serial number as the one generated on the previous system.

          Using the random serial number option on a CA is a good way to avoid this as well as improving security. You can edit the CA entry and turn this on at any time.

          You will need to generate new certificates for anyone that has an overlapping serial number.

          You can check the serials by looking at the certificate properties in the certificate list.

          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

          Need help fast? Netgate Global Support!

          Do not Chat/PM for help!

          • shshs @jimp
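          The mechanism jimp describes, as an added illustration that is not code from this thread or from pfSense: a stdlib-only Python sketch that models CRL matching by issuer plus serial over a constructed certificate inventory (the "vpn-ca" CA, the serials and the subject names are made up), flags serials reused under one CA, reports the collateral revocations a single CRL entry causes, and computes the "Next Serial" to set when re-importing the CA.

```python
from collections import defaultdict

# Constructed inventory of (issuer CA, serial, subject CN), as listed in
# System->Certificate Manager->Certificates. Serials 1-3 were issued on the
# old box; the CA was re-imported with "Next Serial" left at 1, so the new
# box reused serials 1 and 2 for dave and erin.
CERTS = [
    ("vpn-ca", 1, "alice"),
    ("vpn-ca", 2, "bob"),
    ("vpn-ca", 3, "carol"),
    ("vpn-ca", 1, "dave"),     # collides with alice
    ("vpn-ca", 2, "erin"),     # collides with bob
    ("other-ca", 1, "frank"),  # same serial, different CA: no collision
]

# Constructed CRL for vpn-ca: the admin meant to revoke only dave.
CRL = {"vpn-ca": {1}}


def duplicate_serials(certs):
    """Return {(issuer, serial): [subjects]} for serials reused under one CA."""
    by_key = defaultdict(list)
    for issuer, serial, subject in certs:
        by_key[(issuer, serial)].append(subject)
    return {k: v for k, v in by_key.items() if len(v) > 1}

def revocation_status(certs, crl):
    """Status per subject as a CRL check computes it: the match is on
    issuer + serial, never on the subject name."""
    return {subject: "Revoked" if serial in crl.get(issuer, set()) else "Valid"
            for issuer, serial, subject in certs}

def collateral_revocations(certs, crl, intended):
    """Subjects the CRL revokes although they were not meant to be."""
    status = revocation_status(certs, crl)
    return sorted(s for s, st in status.items()
                  if st == "Revoked" and s not in intended)

def next_serial_for_import(certs, issuer):
    """Value for "Next Serial" when importing `issuer` on another system,
    so newly issued certificates cannot collide with existing ones."""
    issued = [serial for iss, serial, _ in certs if iss == issuer]
    return max(issued, default=0) + 1

if __name__ == "__main__":
    for (issuer, serial), subjects in duplicate_serials(CERTS).items():
        print(f"{issuer} serial {serial} shared by: {', '.join(subjects)}")
    print("collateral revocations:", collateral_revocations(CERTS, CRL, {"dave"}))
    print("Next Serial for vpn-ca:", next_serial_for_import(CERTS, "vpn-ca"))
```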

            @jimp thanks a lot, this is exactly my case. Cheers!

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.