System: Certificate Revocation List Manager => Export missing?
-
Hi,
I tried creating a possible certificate structure with intermediate CA certificates per
department, but the same problem exists if multiple firewalls use the same CA for certificates. Is there currently no function (need?) for exporting CRLs or making them accessible by URL?
Normally this could be a nice setup:
- on the 1st / main firewall the CA is created/maintained and
- on all other maintained firewalls the CA public key can be imported.
After this initial setup it could be possible to
- create clients on the main firewall and
- import client certs to the needed firewalls only / or "all".
Even nicer would be an automatically spread setup.
The more important task after activating users is to deactivate them sometime later.
As it seems this can currently only be done manually, and therefore it would not be so
easy to have an overview of where the client was added and where not.
The easy thing for this is normally the CRL, which is publicly available and can be requested
at any time.
If not by URL, then it could also be OK if a background task could be set up to
export/import them regularly to all needed firewalls.
But as I see it right now there is currently no process for this possible?
And there is also no manual export of the CRL possible? :( (only import of it)
Best regards
Reiner
-
There is an export button for CRLs. At least on 2.1 there is.
-
There is an export button for CRLs. At least on 2.1 there is.
Hmm, but the button appears only when one or more certs are revoked?
That's not so good, because for the OpenVPN server setup the CRL must be referenced … so I can do it only on the main but not on the external firewalls...
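The lifecycle described in the first post (CA on one box, client certs issued there, users deactivated later via a CRL) and the point made just above (the OpenVPN server must always reference a loadable CRL, even when nobody has been revoked yet), worked through with the plain OpenSSL CLI. This is an added example, not pfSense code or anything posted in this thread; the CA name, the user "alice", the file names and the ca.cnf contents are all made up here, and it assumes only a stock OpenSSL (1.1.1 or newer) in a POSIX shell.

```shell
#!/bin/sh
# Added example (not pfSense code): a throw-away CA, one client certificate,
# an EMPTY CRL, then a revocation and a regenerated CRL, all in a temp dir.
# Assumption: stock OpenSSL CLI; every name and file below is invented.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal openssl.cnf for `openssl ca` / `openssl req` (made up for this demo).
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database         = index.txt
new_certs_dir    = .
serial           = serial
crlnumber        = crlnumber
certificate      = ca.crt
private_key      = ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = any_policy
x509_extensions  = client_ext
[ any_policy ]
commonName = supplied
[ client_ext ]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
[ dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
EOF
touch index.txt
echo 01 > serial
echo 01 > crlnumber

# 1. The CA: what the main firewall holds. Other firewalls need ca.crt only.
openssl genrsa -out ca.key 2048 2>/dev/null
openssl req -x509 -new -key ca.key -subj "/CN=Demo CA" -days 365 \
    -config ca.cnf -out ca.crt 2>/dev/null

# 2. One VPN user ("activate").
openssl genrsa -out alice.key 2048 2>/dev/null
openssl req -new -key alice.key -subj "/CN=alice" -config ca.cnf -out alice.csr 2>/dev/null
openssl ca -batch -config ca.cnf -in alice.csr -out alice.crt -notext 2>/dev/null

# 3. A CRL with nothing revoked. OpenVPN's crl-verify still needs a signed,
#    non-empty file here; a zero-byte export is exactly what breaks it.
openssl ca -config ca.cnf -gencrl -out empty.crl 2>/dev/null

# 4. Later: deactivate the user and issue a fresh CRL for distribution.
openssl ca -config ca.cnf -revoke alice.crt -crl_reason cessationOfOperation 2>/dev/null
openssl ca -config ca.cnf -gencrl -out revoked.crl 2>/dev/null

# Check before copying a CRL anywhere: non-empty, parseable, signed by our CA.
crl_ok() {
    [ -s "$1" ] && openssl crl -in "$1" -noout -CAfile ca.crt >/dev/null 2>&1
}

# Number of revoked serials listed in a CRL (0 for an empty CRL).
revoked_count() {
    openssl crl -in "$1" -noout -text | grep -c 'Serial Number:' || true
}

# How a peer that trusts ca.crt and holds CRL $1 judges certificate $2.
cert_status() {
    out=$(openssl verify -crl_check -CAfile ca.crt -CRLfile "$1" "$2" 2>&1) \
        && { echo OK; return 0; }
    case $out in
        *revoked*) echo REVOKED ;;
        *)         echo "ERROR: $out"; return 1 ;;
    esac
}

for crl in empty.crl revoked.crl; do
    crl_ok "$crl" || { echo "$crl: bad CRL"; exit 1; }
    echo "$crl: $(revoked_count "$crl") revoked, alice is $(cert_status "$crl" alice.crt)"
done
```

Running it prints one line per CRL: empty.crl lists 0 revoked serials and alice verifies OK, revoked.crl lists 1 and the same certificate is rejected as REVOKED. crl_ok is the check worth running on any CRL before it is pushed to the other firewalls: a correctly signed empty CRL passes it, a zero-byte download does not.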
-
Ah, that does make sense. We made accommodations for "empty" CRLs in OpenVPN a while back but I didn't go back and allow exporting an empty CRL.
Fixed now, https://github.com/pfsense/pfsense/commit/48f1333bfd64b078016135ae089906d4e03deb0e
-
Ah, that does make sense. We made accommodations for "empty" CRLs in OpenVPN a while back but I didn't go back and allow exporting an empty CRL.
Fixed now, https://github.com/pfsense/pfsense/commit/48f1333bfd64b078016135ae089906d4e03deb0e
Thanks… now it works fine on 2.1...
Here is the same patch for 2.0.3:
--- /usr/local/www/system_crlmanager.php.orig 2013-04-12 16:31:46.000000000 +0200 +++ /usr/local/www/system_crlmanager.php 2013-11-29 18:50:46.000000000 +0100 @@ -580,11 +580,9 @@ - [![](/themes/<?= $g['theme'];?>/images/icons/icon_down.gif "<?=gettext(")" alt="" width="17" height="17" border="0" />](system_crlmanager.php?act=exp&id=<?=$tmpcrl['refid'];?>) - [![](/themes/<?= $g['theme'];?>/images/icons/icon_e.gif "<?=gettext(")" alt="" width="17" height="17" border="0" />](system_crlmanager.php?act=edit&id=<?=$tmpcrl['refid'];?>) ``` [but there is one problem: the exported CRL has no content. I would try to also create a patch for this problem but didn't find the right codesegment which should have a problem.](system_crlmanager.php?act=edit&id=<?=$tmpcrl['refid'];?>)
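Review bot: this diff only touches the icon-link block at @@ -580,11 +580,9 @@, so the export branch (act=exp) is left as it was and still serves the CRL text stored in the config; for an internal CRL with no revoked certificates that text has never been generated, which is why the downloaded file is empty. The export path needs to regenerate the CRL before reading its text (the part of the linked upstream commit near the top of the file); unhiding the button alone only makes the empty download reachable.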
-
It's not the same patch. It's missing the most important part near the top that makes it not empty.
-
Ah yes… I later forgot/overlooked the 1st change, which calls the update routine...
--- /usr/local/www/system_crlmanager.php.orig 2013-04-12 16:31:46.000000000 +0200 +++ /usr/local/www/system_crlmanager.php 2013-11-29 23:21:22.000000000 +0100 @@ -107,6 +107,7 @@ } if ($act == "exp") { + crl_update($thiscrl); $exp_name = urlencode("{$thiscrl['descr']}.crl"); $exp_data = base64_decode($thiscrl['text']); $exp_size = strlen($exp_data); @@ -580,11 +581,9 @@ - [![](/themes/<?= $g['theme'];?>/images/icons/icon_down.gif "<?=gettext(")" alt="" width="17" height="17" border="0" />](system_crlmanager.php?act=exp&id=<?=$tmpcrl['refid'];?>) - [![](/themes/<?= $g['theme'];?>/images/icons/icon_e.gif "<?=gettext(")" alt="" width="17" height="17" border="0" />](system_crlmanager.php?act=edit&id=<?=$tmpcrl['refid'];?>)
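Review bot: in the first hunk the return value of `crl_update($thiscrl);` is ignored, so if the update fails the code falls through to `$exp_data = base64_decode($thiscrl['text']);` and serves whatever was stored, which for the case this patch is meant to fix is an empty string, and the user gets a silently empty download again. Check the result and report it (for example set an error and skip the download when crl_update() returns false). The regenerated CRL is also never written back with write_config(), so each export regenerates the CRL in memory only and the exported copy can differ from the stored one that the OpenVPN server on this box is using; persist it after a successful update so both stay in sync.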