Netgate Discussion Forum

    How can I revoke a certificate?

    • yasha86

      Hello everybody,

      I have finally managed to give my Windows Phone user access to our network via pfSense. Works great so far. I created a CA, server certificate and some user certificates, installed the user and CA certificates on the Windows Phones (Lumia 535) and it worked. I basically used these two guides: https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2 and https://doc.pfsense.org/index.php/IKEv2_with_EAP-TLS.

      It works so well that I don't have any idea how to block any users from accessing it. I need to make sure that I can block a user if he/she loses his/her cell phone. I already looked at the certificate revocation list, but with this config I don't see any option to choose a CRL. What am I missing?

      Greetings
      Yasha86

      • jimp (Rebel Alliance Developer, Netgate)

        You create a CRL in the Cert Manager as usual. You don't pick a CRL to use, but the CRLs for the mobile IPsec CA are picked up automatically.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        • yasha86

          I did this, but I can still connect.

          My settings:

          • I created a CA certificate, let's call it CACert
          • I created a server certificate, let's call it SRVCert, signed by my CACert
          • I created a user certificate called user1, signed by my CACert

          General Information
          Key Exchange version: V2
          Internet Protocol: IPv4
          Interface: WAN

          Phase 1 Proposal (Authentication)
          Authentication Method: EAP-TLS
          My identifier: Distinguished name: mypfsense.mydomain.com
          Peer identifier: Any
          My Certificate: SRVCert
          Peer Certificate Authority: CACert

          Phase 1 Proposal (Algorithms)
          Encryption Algorithm: 3DES
          Hash Algorithm: SHA1
          DH Group: 2 (1024 bit)
          Lifetime (Seconds): 28800

          Advanced Options
          Only Dead Peer Detection is checked. Everything else is unchecked or disabled.

          I tried checking "Strict CRL Checking" under Advanced IPsec Settings (Advanced Settings), but that didn't change a thing.
          I think there is a problem with my certificates, or the fact that I chose Peer identifier: Any?
          Not sure.

          By the way, I forgot to mention I am using version 2.3.1.

          • jimp (Rebel Alliance Developer, Netgate)

            Did you make a CRL for that CA under System > Cert Manager, Certificate Revocation tab, and did you add that user certificate to that CRL?


            • yasha86

              Yes, and I can still connect to my pfSense with this phone with this certificate. That's my problem :)

              • jimp (Rebel Alliance Developer, Netgate)

                Did you save/apply on the mobile IPsec P1 after updating the CRL?

                It appears that strongSwan needs to be refreshed before it will pick up the new CRL contents. I had to apply settings after adding CRL entries and I had to do a full stop/start when removing CRL entries.


                • yasha86

                  Thanks. I think it is fixed now… I installed a fresh pfSense and configured it the same way. Now it is working... The only main difference is that this time I created the certificates in the order CA -> CRL -> server certificate -> user certificate.... Not sure if that changed anything... but ok :) Thanks anyway for the help.

                  • ne.domenicogmail.com

                    Hi,

                    1. Create a new revocation list from System -> Cert Manager -> Certificate Revocation.
                    2. Add the certificates that you do not want to be active any more.
                    3. Assign the new revocation list to the VPN server; in my case VPN -> OpenVPN -> Servers.

                    You can easily choose your revocation list from the "Peer Certificate Revocation list" combobox.
                    You do not need to restart or refresh; the change is immediate.

                    Bye,
                    Domenico

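As an added example (not code from this thread, from pfSense or from strongSwan), the script below builds a throwaway CA, two user certificates and a CRL with the openssl CLI and shows the point behind both jimp's and Domenico's answers: a revoked user certificate still validates against the CA alone, and is only rejected once the verifier actually loads the CRL, which is why the VPN daemon has to pick up the new list before revocation takes effect. It assumes OpenSSL 1.1.1 or later is in PATH; all names (CACert, user1, user2, demo.cnf) are constructed here.

```shell
#!/bin/sh
# Added example: throwaway CA + user certs + CRL via the openssl CLI (assumed
# OpenSSL 1.1.1+). Everything is created in a fresh temporary directory.
set -eu; cd "$(mktemp -d)"
# Minimal config: 'req' needs a DN section; the 'ca' section only needs a
# database and CRL settings because no cert is ever issued through 'openssl ca'.
cat > demo.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = index.txt
crlnumber = crlnumber
default_md = sha256
default_crl_days = 30
EOF
make_ca() {  # self-signed CA, named like the thread's "CACert"
  openssl req -config demo.cnf -x509 -extensions v3_ca -newkey ec \
    -pkeyopt ec_paramgen_curve:P-256 -nodes -keyout ca.key -out ca.crt \
    -days 365 -subj "/CN=CACert" 2>/dev/null
  : > index.txt; echo 01 > crlnumber   # empty CA database, first CRL number
}
issue_user() {  # $1 = user name; leaf certificate signed by the CA
  openssl req -config demo.cnf -newkey ec -pkeyopt ec_paramgen_curve:P-256 \
    -nodes -keyout "$1.key" -out "$1.csr" -subj "/CN=$1" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 365 -out "$1.crt" 2>/dev/null
}
revoke_user() {  # $1 = user name; record the revocation, then regenerate ca.crl
  openssl ca -config demo.cnf -keyfile ca.key -cert ca.crt -revoke "$1.crt" 2>/dev/null
  openssl ca -config demo.cnf -keyfile ca.key -cert ca.crt -gencrl -out ca.crl 2>/dev/null
}
verify_user() {  # $1 = user name; $2 = "crl" makes the verifier consult ca.crl
  if [ "${2:-}" = crl ]; then
    openssl verify -crl_check -CAfile ca.crt -CRLfile ca.crl "$1.crt" >/dev/null 2>&1
  else
    openssl verify -CAfile ca.crt "$1.crt" >/dev/null 2>&1
  fi
}
crl_lists() {  # $1 = user name; succeeds if the cert's serial appears on ca.crl
  serial=$(openssl x509 -in "$1.crt" -noout -serial | cut -d= -f2)
  openssl crl -in ca.crl -noout -text | grep -q "Serial Number: $serial"
}
make_ca; issue_user user1; issue_user user2; revoke_user user1
verify_user user1 && echo "user1 still validates when the CRL is ignored"
verify_user user1 crl || echo "user1 is rejected once the CRL is consulted"
```

The same split explains the thread: the CRL entry exists as soon as it is saved in the Cert Manager, but the peer is only refused once the daemon has actually loaded the updated CRL.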
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.