Netgate Discussion Forum

Block OpenVPN Client Certificates that aren't in Cert Manager

    Optimaximal (last edited Aug 1, 2013, 9:49 AM)

    Is there an option to tell pfSense to block/refuse OpenVPN Certificates that aren't in the Certificate Manager?

    I'm not sure whether it's intentional or not, but if a certificate is deleted, the OpenVPN connection will still be created using the deleted certificate - it only refuses the connection if it's revoked or the cert has expired.

    Obviously, this presents a security issue if a certificate is deleted (accidentally or intentionally) because there's then no way to revoke it.

    Any ideas? We're currently running 2.0.2-RELEASE.

      jimp (Rebel Alliance Developer, Netgate) (last edited Aug 1, 2013, 12:16 PM)

      You have to revoke the certificate (create a CRL, then add the certificate to it), and then use that CRL on your OpenVPN instance. That's the only way to make it reject certificates.

      A certificate is valid so long as it was generated from the same CA as the server, and so long as it is not present in a CRL.

      You can check the config history to find the old cert, add it back, then revoke it properly before deleting it. Or find a copy of the cert some other way and revoke, then delete.

        Optimaximal (last edited Aug 1, 2013, 12:32 PM)

        Fair enough. I have the CRL in place, I guess I was just surprised that pf didn't add/suggest adding the Certificate to a CRL when you delete it. I don't want the system to do my administration for me (it shouldn't have to) but it seems an oversight that new users of the system would not be prepared for.

        When you say 'check the config history', is that a specific area in PF where this is logged?

          jimp (Rebel Alliance Developer, Netgate) (last edited Aug 1, 2013, 12:44 PM)

          Diagnostics > Backup/Restore, config history tab. On a full install, the last 30 configuration files are there to see, download, diff, etc.

          There is an open ticket somewhere to enhance the cert deletion process so it prompts first to revoke. That may get done for 2.2.

            Optimaximal (last edited Aug 1, 2013, 1:42 PM)

            Alas, I've made several changes to the firewall since then so they're lost to the ether.

            Luckily, they're all internal certificates at this point.

              jimp (Rebel Alliance Developer, Netgate) (last edited Aug 1, 2013, 1:44 PM)

              Presumably if you have the client still there to test that it still worked, you have the certificate there on the client PC.
              Just grab the cert from the OpenVPN config dir and import it back into the pfSense GUI.

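As an added example (not from the thread, and not pfSense's or OpenVPN's own code), the shell script below reproduces with the openssl CLI both points made above: jimp's first answer, that a client certificate is valid whenever it chains to the server's CA and is absent from the CRL, so deleting the server-side copy changes nothing, and the last reply, where the copy still held by the client is brought back and revoked. The CA, subjects and file names are constructed for the demo; it needs only the openssl command and works in a temporary directory.

```shell
#!/bin/sh
# Added example (not from the thread): deleting a client cert from the server changes
# nothing; only a CRL entry makes it fail validation. Needs the openssl CLI; runs in a temp dir.
set -eu

# Build a throwaway CA and one client certificate signed by it (constructed demo PKI).
demo_pki_setup() {
    WORK=$(mktemp -d); cd "$WORK"
    mkdir ca; : > ca/index.txt; echo 1000 > ca/crlnumber
    cat > ca/openssl.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir              = ./ca
database         = $dir/index.txt
crlnumber        = $dir/crlnumber
certificate      = $dir/ca.crt
private_key      = $dir/ca.key
default_md       = sha256
default_crl_days = 30
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=demo-ca" \
        -keyout ca/ca.key -out ca/ca.crt >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=client1" \
        -keyout client1.key -out client1.csr >/dev/null 2>&1
    openssl x509 -req -in client1.csr -CA ca/ca.crt -CAkey ca/ca.key \
        -CAcreateserial -days 365 -out client1.crt >/dev/null 2>&1
}

# What the server checks: a chain to its CA, plus CRL membership when a CRL is configured.
# Exit status 0 means the client would be accepted.
verify_client() {
    if [ -n "${2-}" ]; then
        openssl verify -crl_check -CAfile ca/ca.crt -CRLfile "$2" "$1" >/dev/null 2>&1
    else
        openssl verify -CAfile ca/ca.crt "$1" >/dev/null 2>&1
    fi
}

# Revoke a cert (openssl ca records an unknown serial in its index first) and issue the CRL.
revoke_and_gencrl() {
    openssl ca -config ca/openssl.cnf -revoke "$1" >/dev/null 2>&1
    openssl ca -config ca/openssl.cnf -gencrl -out "$2" >/dev/null 2>&1
}

demo_pki_setup
cp client1.crt laptop_copy.crt; rm client1.crt   # server copy "deleted", client still has its copy
if verify_client laptop_copy.crt; then echo "deleted cert: still accepted (no CRL)"; fi
revoke_and_gencrl laptop_copy.crt crl.pem        # re-import the client's copy and revoke it
if ! verify_client laptop_copy.crt crl.pem; then echo "revoked cert: rejected by CRL check"; fi
```

The first check passes because nothing in the verification path refers to the server's stored copy of the certificate; the second fails only because the CRL now lists its serial.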
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.