Netgate Discussion Forum

    How do I revoke a user certificate from pfSense?

    IPsec
      Operations

      I am having trouble revoking a user certificate. The problem is the Android phone can still connect using the VPN, even after restarting the phone. Using strongSwan on the phone.

      I have found this topic so far, but this doesn't solve my problem:

      https://forum.netgate.com/topic/102497/how-can-i-revoke-a-certificate/2

      I created a list and revoked the user certificate (CA under System > Cert Manager, Certificate Revocation).
      I also tried using "Enable strict Certificate Revocation List checking" but it doesn't make a difference.

      Could somebody tell me how to do this? If needed I could sum up my VPN settings, of course.

        viragomann

        @Operations said in How do I revoke a user certificate from pfSense?:

        I created a list and revoked the user certificate (CA under System > Cert Manager, Certificate Revocation).

        Did you also add that CRL to the OpenVPN server settings?

          Operations @viragomann

          @viragomann
          Thanks for your reply.

          No, I didn't know I had to do that since I am not using OpenVPN.

          What do you suggest I do exactly? I looked and am not sure what to do. The wizard? Or adding something?

          I am not seeing how to add my CRL.

            johnpoz (LAYER 8 Global Moderator)

            @Operations said in How do I revoke a user certificate from pfSense?:

            No, I didn't know I had to do that since I am not using OpenVPN.

            So how are you connecting to the server if the server is not running OpenVPN?

            You have to add the CRL to the server settings.

            (screenshot attached: revoke.jpg)

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11

              viragomann @Operations

              @Operations
              No, forget it! I didn't realize that this is the IPSec section.

                viragomann

                In the pfSense book I just found this:

                For IPsec, all CRLs are consulted and there is no selection as currently exists with OpenVPN.

                  johnpoz (LAYER 8 Global Moderator)

                  When do users get a cert in IPsec? Don't they just use the KEY ID as their username? Never set up IPsec with such a login before.

                    Operations @johnpoz

                    @johnpoz said in How do I revoke a user certificate from pfSense?:

                    When do users get a cert in IPsec? Don't they just use the KEY ID as their username? Never set up IPsec with such a login before.

                    I am not really sure what you mean. I create a user certificate using the CA manager within pfSense. The manager points to my own Microsoft CA server.

                    I install that user + root certificate onto my phone and create an IKEv2 EAP-TLS (certificate) profile within strongSwan.

                    And normally when I delete the user certificate I cannot connect anymore. With this pfSense installation I am still able to connect. (Delete / Revoke has the same end result.)

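A way to separate the two possible causes discussed in this thread (the CRL never received the revocation, versus the CRL carrying it but the IKE server not rejecting the client) is to check the CRL itself with OpenSSL, independently of pfSense or strongSwan. The script below is an added example written for this page, not code from the thread or from the pfSense project: it builds a throwaway CA, issues a user certificate, revokes it, publishes a CRL, and shows that a verifier accepts the certificate until it is told to consult that CRL. Every name and path in it (Demo CA, android-user, ca.cnf, the temporary directory) is constructed for the demo, and it assumes an `openssl` command-line tool of version 1.1.1 or newer.

```shell
#!/bin/sh
# Added example (not from the thread): throwaway CA, revoked user cert, CRL,
# and a verification that only fails once the CRL is consulted.
# All names/paths below are constructed for this demo.
set -e

WORK="$(mktemp -d)"
cd "$WORK"

# Minimal configuration for 'openssl req' and 'openssl ca' (constructed).
cat > ca.cnf <<'EOF'
[ ca ]
default_ca         = demo_ca
[ demo_ca ]
dir                = .
database           = $dir/index.txt
new_certs_dir      = $dir/newcerts
certificate        = $dir/ca.crt
private_key        = $dir/ca.key
serial             = $dir/serial
crlnumber          = $dir/crlnumber
default_md         = sha256
default_days       = 365
default_crl_days   = 30
policy             = demo_policy
x509_extensions    = usr_ext
[ demo_policy ]
commonName         = supplied
[ usr_ext ]
basicConstraints   = CA:FALSE
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
commonName         = Common Name
[ v3_ca ]
basicConstraints   = critical, CA:TRUE
EOF
mkdir newcerts
: > index.txt
echo 1000 > serial
echo 1000 > crlnumber

# Self-signed demo CA, then one user certificate signed by it (serial 1000).
openssl req -new -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
    -days 365 -subj "/CN=Demo CA" -config ca.cnf 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -keyout user.key -out user.csr \
    -subj "/CN=android-user" -config ca.cnf 2>/dev/null
openssl ca -batch -notext -config ca.cnf -in user.csr -out user.crt 2>/dev/null

# Serial number of the user cert (hex, e.g. "1000"); a CRL entry carries this.
user_serial() {
    openssl x509 -in user.crt -noout -serial | sed 's/^serial=//'
}

# Mark the user cert revoked in the CA database and publish a fresh CRL.
revoke_user_and_publish_crl() {
    openssl ca -config ca.cnf -revoke user.crt 2>/dev/null
    openssl ca -config ca.cnf -gencrl -out ca.crl 2>/dev/null
}

# "yes" if ca.crl lists the user cert's serial, otherwise "no".
crl_lists_user() {
    if openssl crl -in ca.crl -noout -text | grep -q "Serial Number: $(user_serial)"; then
        echo yes
    else
        echo no
    fi
}

# Validate the user cert against the CA, with or without consulting the CRL.
# Prints "OK" or "REJECTED" based on the textual result, since older OpenSSL
# releases did not set a non-zero exit code on verification failure.
verify_user() {   # $1 = "with-crl" | "no-crl"
    if [ "$1" = with-crl ]; then
        out=$(openssl verify -crl_check -CAfile ca.crt -CRLfile ca.crl user.crt 2>&1 || true)
    else
        out=$(openssl verify -CAfile ca.crt user.crt 2>&1 || true)
    fi
    case "$out" in
        *": OK"*) echo OK ;;
        *)        echo REJECTED ;;
    esac
}

revoke_user_and_publish_crl
printf 'serial %s listed in CRL: %s\n' "$(user_serial)" "$(crl_lists_user)"
printf 'verify without CRL: %s\n' "$(verify_user no-crl)"
printf 'verify with CRL:    %s\n' "$(verify_user with-crl)"
```

The same two checks apply to a real deployment: `openssl x509 -noout -serial` on the phone's certificate and `openssl crl -noout -text` on the CRL exported from pfSense (assuming the Cert Manager lets you export it) tell you whether the revocation actually reached the CRL. If the serial is listed and the client still connects, the problem is on the side that is supposed to consult the CRL, not in the revocation itself; if it is not listed, the CRL was never regenerated after the revoke.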
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.