OpenVPN remove client
-
Each client has to have his unique cert. If you revoke one that cert is no longer accepted by the server.
If multiple clients use a single cert you will have a problem.@Allwan said in OpenVPN remove client:
if I revoke the "CERT_VPN_ALLWAN" certificate
The user certs have different names, "CERT_VPN_ALLWAN" is the issuer.
-
when I create a client, I choose this certificate
It's not good? because all my clients are like this :(
-
No, you choose the CA (issuer) here which is signing the client cert.
-
so where do i remove the user certificate?
-
@Allwan
Revoke not remove! The cert must still exist on pfSense.
If you haven't already any, add a Certificate Revocation List (CRL) to your CA.
Then you're able to add user certs to this list which you want to revoke, so that the cert can no longer be used to authenticate.Add the CRL to your OpenVPN servers settings:
-
But I have deleted the certificate from the list of certificates suddenly I cannot revoke it.
-
@Allwan
Then you're lost. You need the certificate to revoke it.The OpenVPN is configured to accept any user cert which is issued by the CA you've set, as long it isn't in the selected CRL.
Possibly you can restore the cert from a backup.
-
@viragomann said in OpenVPN remove client:
Then you're lost. You need the certificate to revoke it.
The OpenVPN is configured to accept any user cert which is issued by the CA you've set, as long it isn't in the selected CRL.
Possibly you can restore the cert from a backup.Very well i understand
thanks anyway -
pfSense automatically saves config history:
Possibly you can temporarily revert to a config where the cert still exists, use the cert manager to export it and the key and after revert back to the actual config.
-
ah great !!!!
very happy, I was able to find him.thanks you
-
But I still have a connection.
-
@Allwan
After revoking the cert, the client can still connect?
Existing connections are not cut when adding the respective cert to the CRL.Did you assing the CRL the server?
-
i will see
-
Just kill the connection:
-
Just for my understanding.
If you're changing the users passwd in the user manager & kill the connection.
Would that not prevent the user to login again ?
If not , then what good is the uid/pwd ??I'd still revoke the cert , if i needed to ban a user permaneltly.
But for a temporarily disable (enable) login , i had hoped to use the
User Expiration date.Ie. a Consultant that would have 1 week access for this specific task , and might need access later on.
/Bingo
-
@bingo600 said in OpenVPN remove client:
Would that not prevent the user to login again ?
Sure, it does, when the server is in a "User auth" mode.
You can also revoke a user cert temporarily. After removing from the CRL it is accepted again by the server.
Also consider, when "Strict User-CN Matching" in the server settings is not checked it will be possible for a user to use another ones cert for authentication.
-
@viragomann said in OpenVPN remove client:
@bingo600 said in OpenVPN remove client:
Would that not prevent the user to login again ?
Sure, it does, when the server is in a "User auth" mode.
You can also revoke a user cert temporarily. After removing from the CRL it is accepted again by the server.
Also consider, when "Strict User-CN Matching" in the server settings is not checked it will be possible for a user to use another ones cert for authentication.
I'm using this (SSL/TLS + User auth)
And have
Thanx for the confirmation
/Bingo
