Netgate Discussion Forum

    pfSense Certificate Manager's Revocation list (CRL) is unavailable

    General pfSense Questions
    18 Posts 3 Posters 1.9k Views
    johnpoz (LAYER 8 Global Moderator) @bigtfromaz

      @bigtfromaz said in pfSense Certificate Manager's Revocation list (CRL) is unavailable:

      The client needs to fetch the CRL in order to check revocations.

      Very true. Can you not just place the CRL on this machine running Hyper-V, or can you not just disable the check? If you look at the properties of any CA in the system's store, you should be able to add a URL or disable it.

      [image: hyperv.jpg]

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

      bigtfromaz @johnpoz

        @johnpoz I just tried disabling on the root cert and the server certificate. No change in behavior. I am wondering if the checkbox indicates to use OCSP only. In other words, the CRL is not tried, but with no OCSP URL you still get the same error. Adding an additional CRL endpoint might be useful, but I'm not seeing it in the properties.

        bigtfromaz @johnpoz

          @johnpoz To answer your first question, it won't change anything. At this point there is no CRL endpoint defined in the server certificate, so the client isn't even trying to connect to the CRL server. So I am now believing that "unable to check revocation for the certificate" means just that: it's unable because it doesn't know where to begin.

          BassStation70 @bigtfromaz

            @bigtfromaz Did you try disabling this in the certificate store which the particular client uses for its trusted root? As I understand it, this setting will only indicate a different behavior to the clients who use that specific certificate store. If you made the change in Current User as yourself, it will only affect clients that you run. If you want this to change the behavior of another user, run the mmc as that user, or else update the 'Local Computer' certificate store on the device (requires admin privilege) where the picky client is running. I don't know how it will behave in your particular case, but I'm pretty sure it matters where you make the change.

            johnpoz (LAYER 8 Global Moderator) @bigtfromaz

              @bigtfromaz what about this:

              reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\Replication" /v DisableCertRevocationCheck /d 1 /t REG_DWORD /f
              

              A quick Google about Hyper-V replication and the check seems to point to turning off the check in the registry.

              https://learn.microsoft.com/en-us/troubleshoot/windows-server/virtualization/feature-performance-optimization-hyper-v-replica

              DisableCertRevocationCheck

              Description: Hyper-V Replica supports certificate based mutual authentication, which allows the primary server to connect to the replica server over HTTPS. When establishing this connection, as part of validating the certificate, Hyper-V Replica checks if the issuing Certificate Authority (CA) has revoked the certificate.

              However, due to deployment restrictions, this check would fail if the certificate revocation list (CRL) distribution point (CDP) is inaccessible. The check would also fail if self-signed certificates (generated using makecert) were used in lab deployments. Administrators can work around this restriction by setting this key.

              Supported Values: 0, 1

              Input interpretation:
              0: Certificate revocation check is enabled
              1: Certificate revocation check is disabled
              Default value: 0

              Primary/Replica server: This key can be set in both the primary and replica servers as required.


              bigtfromaz @BassStation70
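As an added worked example (PowerShell, written for this page and not code from the thread or from Microsoft's article), the script below ties the two findings above together: it looks the certificate up in the Local Computer store (Hyper-V runs as Local System, so the Current User store is irrelevant), reports whether the certificate carries a CRL Distribution Points or Authority Information Access extension at all, runs a CryptoAPI chain build with online revocation checking so the exact chain status flag is visible, and only with the assumed -ApplyWorkaround switch writes the DisableCertRevocationCheck value quoted above. The thumbprint parameter and the switch name are assumptions; the X509Chain policy approximates Hyper-V Replica's check rather than reproducing its undocumented settings exactly.

```powershell
# Added example, not code from the thread or from Microsoft: inspect the
# certificate Hyper-V Replica presents, run the same kind of revocation check
# Windows performs on it, and only then (optionally) apply the documented
# DisableCertRevocationCheck workaround. Run in an elevated PowerShell on the
# Hyper-V host. $Thumbprint is an assumption: substitute the thumbprint of
# the certificate chosen in the Hyper-V Replica dialog.
param(
    [Parameter(Mandatory = $true)]
    [string]$Thumbprint,

    # Assumed switch name: when set, write the registry value instead of only
    # reporting what the revocation check says.
    [switch]$ApplyWorkaround
)

$ErrorActionPreference = 'Stop'
$storePath = 'Cert:\LocalMachine\My'
$regKey    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\Replication'

# 1. Hyper-V runs as Local System, so the certificate (and any trust or
#    revocation settings) must live in the Local Computer store, not the
#    Current User store of whoever opened the dialog.
$cert = Get-ChildItem -Path $storePath |
    Where-Object { $_.Thumbprint -eq $Thumbprint.ToUpperInvariant() }
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in $storePath" }
"Subject : $($cert.Subject)"
"Issuer  : $($cert.Issuer)"

# 2. Where would CryptoAPI fetch revocation data from? The CRL Distribution
#    Points extension (OID 2.5.29.31) lists CRL URLs; Authority Information
#    Access (OID 1.3.6.1.5.5.7.1.1) lists OCSP responders and issuer certs.
#    A certificate with neither gives the client nothing to try, which is
#    exactly the "unable to check revocation" symptom in the thread.
$cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
$aia = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.5.5.7.1.1' }
if ($cdp) { "CRL Distribution Points:`n" + $cdp.Format($true) } else { 'No CRL Distribution Points extension.' }
if ($aia) { "Authority Information Access:`n" + $aia.Format($true) } else { 'No Authority Information Access extension.' }

# 3. Build the chain with online revocation checking for every element,
#    the strictest form of the check CryptoAPI can perform. The exact policy
#    Hyper-V Replica uses is not documented; this approximates it closely
#    enough to show which status flag the client is hitting.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$built = $chain.Build($cert)
"Chain built with revocation checking: $built"
foreach ($status in $chain.ChainStatus) {
    '  {0}: {1}' -f $status.Status, $status.StatusInformation.Trim()
}
# Equivalent command-line check with verbose URL retrieval, after exporting
# the certificate:  Export-Certificate -Cert $cert -FilePath .\replica.cer
#                   certutil -verify -urlfetch .\replica.cer

# 4. RevocationStatusUnknown / OfflineRevocation with no CDP or AIA means the
#    check cannot succeed as-is. Fixes, in order of preference: issue a
#    certificate whose CA publishes a reachable CRL, or accept the risk and
#    disable the check on both primary and replica servers (the Microsoft
#    registry key quoted above). Setting the value back to 0 re-enables it.
$revocationFlags = [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::RevocationStatusUnknown -bor
                   [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::OfflineRevocation
$revocationProblem = $chain.ChainStatus | Where-Object { ($_.Status -band $revocationFlags) -ne 0 }

if ($ApplyWorkaround) {
    if (-not $revocationProblem) {
        Write-Warning 'The failure is not a revocation lookup; the registry key will not help. Not applying.'
    } else {
        if (-not (Test-Path $regKey)) { New-Item -Path $regKey -Force | Out-Null }
        Set-ItemProperty -Path $regKey -Name DisableCertRevocationCheck -Value 1 -Type DWord
        'DisableCertRevocationCheck = ' + (Get-ItemProperty -Path $regKey).DisableCertRevocationCheck
    }
}
```

Run it first without the switch to see the status flags; if the only problem reported is RevocationStatusUnknown/OfflineRevocation and the certificate shows no distribution point, the registry workaround is the knob that matters, and it has to be set on both the primary and the replica server. Anything else (an untrusted root, a name mismatch, an expired certificate) is a different problem that the key does not paper over.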

                @BassStation70 I made the change to the Local Computer store. It's Hyper-V logging on as Local System. Hyper-V is showing the cert to me beforehand and it's using the correct certificate. I may be able to find a setting, group policy or registry hack and get windows to bypass the check.

                In any event, we have drifted off topic as it relates to pfSense. I'll post again for edification after I sort it out.

                  bigtfromaz @johnpoz

                  @johnpoz Well, as I was postulating my last response you were off doing my work for me! I'll give it a shot.

                    johnpoz (LAYER 8 Global Moderator) @bigtfromaz

                    @bigtfromaz hehe - when I get curious about something, if not a simple fix - I look for other ways to skin the cat ;)


                      bigtfromaz @johnpoz

                      @johnpoz And the certificate has been accepted. You gotta love Microsoft. Why not just expose it in the configuration dialog?

                        johnpoz (LAYER 8 Global Moderator) @bigtfromaz

                        @bigtfromaz said in pfSense Certificate Manager's Revocation list (CRL) is unavailable:

                        Why not just expose it in the configuration dialog?

                        Well, they prob want you to use certs from their CA, etc. But yeah, I hear you..

                        But then this would never have been brought up, and I wouldn't have learned something new ;) Part of the reason I have stuck around here for so long and love helping people is that helping someone figure out something almost always leads to people on both sides of the problem learning something..

                        And it brings up a possible feature request to expose being able to add a CRL distribution URI in the GUI, which would be a win for everyone using the pfSense cert manager for more than just OpenVPN ;) or the webGUI of pfSense. I use it for all my local certs. I have not run into needing to publish the CRL, but I can see how it would be a bonus addition to the cert manager, even if not hosting the CRL off pfSense, just being able to easily add the URI for the distribution point.


                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.