Netgate Discussion Forum
Disabling some certificates

OpenVPN
6 Posts 3 Posters 7.0k Views
tunge2 (last edited Apr 25, 2007, 1:48 PM)

    Hello,

    Is it possible to disable some client certificates in pfSense? Example: what if a colleague is leaving the company and I want to disable her OpenVPN dial-in account on pfSense? The big question is: how can I disable his/her OpenVPN client certificate in pfSense?

    http://openvpn.net/howto.html (could not find it in the HOWTO)

    Keep up the good work!!!!!

tunge2 (last edited Apr 25, 2007, 1:54 PM)

      Is this possible with pfSense? Quoting the HOWTO:

      Revoking Certificates
      Revoking a certificate means to invalidate a previously signed certificate so that it can no longer be used for authentication purposes.

      Typical reasons for wanting to revoke a certificate include:

      The private key associated with the certificate is compromised or stolen.
      The user of an encrypted private key forgets the password on the key.
      You want to terminate a VPN user's access.
      Example
      As an example, we will revoke the client2 certificate, which we generated above in the "key generation" section of the HOWTO.

      First open up a shell or command prompt window and cd to the easy-rsa directory as you did in the "key generation" section above. On Linux/BSD/Unix:

      . ./vars
      ./revoke-full client2
      On Windows:

      vars
      revoke-full client2

GruensFroeschli (last edited Apr 25, 2007, 3:31 PM)

        You can insert a certificate revocation list (CRL) in PEM format on the OpenVPN config page.

        We do what we must, because we can.

        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

tunge2 (last edited Apr 27, 2007, 12:47 PM)

          Where can I find this CRL (certificate revocation list) option? The only thing I see is the per-client "Block" checkbox, whose help text says:

          Check this to block (disable) this client, based on its common name. Don't use this option to disable a client due to key or password compromise. Use a CRL (certificate revocation list) instead.

GruensFroeschli (last edited Apr 27, 2007, 4:10 PM)

            Quote from readme.txt:

            To revoke a TLS certificate and generate a CRL file:
            1. vars
            2. revoke-full <machine-name>
            3. verify last line of output confirms revocation
            4. copy crl.pem to server directory and ensure config file uses "crl-verify <crl filename>"

            After revoking your compromised client, in your "keys" directory (or wherever your generated keys appear) there will be a new file called "crl.pem". Open it and copy its content into this field:

            [Screenshot CRL.jpg: the CRL field on the OpenVPN server configuration page]

Sharaz (last edited Jul 25, 2007, 10:08 PM)

              I've been working on getting a CRL generated, but each time I do, I get errors.

              (Hesitant to post all my output, as it has lots of information pertaining to one of my clients.)

              Has anyone else successfully revoked a cert, and if so, how did you do it?

              Jonathan
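
The steps quoted from readme.txt above, and the question about CRL generation errors, both come down to a handful of openssl calls that easy-rsa wraps. The script below is an added example, not code from this thread, from pfSense or from the OpenVPN/easy-rsa project: it builds a throwaway CA in a temporary directory, issues a client certificate, revokes it the way revoke-full does (openssl ca -revoke followed by openssl ca -gencrl), and then runs the CRL-checked verification that an OpenVPN server with crl-verify performs, so you can see the certificate go from accepted to rejected. The CA name, the client name client2 (borrowed from the HOWTO quote), the temporary directory and the minimal openssl.cnf are assumptions for the demonstration; the files it creates (index.txt, serial, crlnumber, certs/) are the ones openssl ca needs and whose absence is a common source of errors when generating a CRL by hand.

```shell
#!/bin/sh
# Added example, not from the thread, pfSense or easy-rsa: the openssl
# commands behind "revoke-full <name>". A throwaway CA is built in a temp
# directory; "client2" and the CA name are assumptions for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal config for "openssl ca". index.txt is the certificate database that
# -revoke updates and -gencrl reads; serial and crlnumber must also exist.
cat > openssl.cnf <<'EOF'
[ ca ]
default_ca = vpn_ca
[ vpn_ca ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir/certs
certificate = $dir/ca.crt
private_key = $dir/ca.key
serial = $dir/serial
crlnumber = $dir/crlnumber
default_md = sha256
default_days = 365
default_crl_days = 30
policy = any_policy
x509_extensions = usr_cert
[ any_policy ]
commonName = supplied
[ usr_cert ]
basicConstraints = CA:FALSE
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = CA:TRUE
EOF
mkdir certs
: > index.txt
echo 01 > serial
echo 01 > crlnumber

# Throwaway CA, then a client key/CSR signed by it (what build-key does).
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
  -subj "/CN=example-vpn-ca" -days 365 -config openssl.cnf >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -keyout client2.key -out client2.csr \
  -subj "/CN=client2" -config openssl.cnf >/dev/null 2>&1
openssl ca -batch -config openssl.cnf -in client2.csr -out client2.crt >/dev/null 2>&1

# Equivalent of "revoke-full client2": flag the cert as revoked in index.txt,
# then regenerate crl.pem. That PEM is what goes into pfSense's CRL field.
revoke_and_gen_crl() {
  openssl ca -config openssl.cnf -revoke "$1" >/dev/null 2>&1
  openssl ca -config openssl.cnf -gencrl -out crl.pem >/dev/null 2>&1
}

# The check an OpenVPN server with crl-verify performs: chain plus CRL.
# Exit status 0 = still accepted, non-zero = rejected (e.g. revoked).
cert_accepted() {
  openssl verify -crl_check -CAfile ca.crt -CRLfile crl.pem "$1" >/dev/null 2>&1
}

# An empty CRL first, so -crl_check has a CRL for this issuer to consult.
openssl ca -config openssl.cnf -gencrl -out crl.pem >/dev/null 2>&1
if cert_accepted client2.crt; then ACCEPTED_BEFORE=yes; else ACCEPTED_BEFORE=no; fi
echo "before revoke: accepted=$ACCEPTED_BEFORE"

revoke_and_gen_crl client2.crt
if cert_accepted client2.crt; then ACCEPTED_AFTER=yes; else ACCEPTED_AFTER=no; fi
echo "after revoke:  accepted=$ACCEPTED_AFTER"

# index.txt lines beginning with R are revoked entries; the CRL carries them.
grep '^R' index.txt
openssl crl -in crl.pem -noout -lastupdate -nextupdate
```

Two things worth noting from the run: the CRL has a nextupdate (default_crl_days here), so it has to be regenerated and re-pasted before it expires or the server will start rejecting everyone; and the verification only rejects the client once the regenerated crl.pem is the one the server actually reads, which is why step 4 of the readme (copy it to the server, or paste it into the pfSense field) is not optional.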

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.