OpenVPN remove client

viragomann

No, you choose the CA (issuer) here which is signing the client cert.

Allwan

so where do i remove the user certificate?

viragomann

@Allwan
Revoke not remove! The cert must still exist on pfSense.

If you haven't already any, add a Certificate Revocation List (CRL) to your CA.
Then you're able to add user certs to this list which you want to revoke, so that the cert can no longer be used to authenticate.

Add the CRL to your OpenVPN servers settings:

Allwan

But I have deleted the certificate from the list of certificates suddenly I cannot revoke it.

viragomann

@Allwan
Then you're lost. You need the certificate to revoke it.

The OpenVPN is configured to accept any user cert which is issued by the CA you've set, as long it isn't in the selected CRL.

Possibly you can restore the cert from a backup.

Allwan

@viragomann said in OpenVPN remove client:

Then you're lost. You need the certificate to revoke it.
The OpenVPN is configured to accept any user cert which is issued by the CA you've set, as long it isn't in the selected CRL.
Possibly you can restore the cert from a backup.

Very well i understand
thanks anyway

viragomann

@Allwan

pfSense automatically saves config history:

Possibly you can temporarily revert to a config where the cert still exists, use the cert manager to export it and the key and after revert back to the actual config.

Allwan

ah great !!!!
very happy, I was able to find him.

thanks you

Allwan

But I still have a connection.

viragomann

@Allwan
After revoking the cert, the client can still connect?
Existing connections are not cut when adding the respective cert to the CRL.

Did you assing the CRL the server?

Allwan

i will see

viragomann

Just kill the connection:

bingo600

Just for my understanding.

If you're changing the users passwd in the user manager & kill the connection.
Would that not prevent the user to login again ?
If not , then what good is the uid/pwd ??

I'd still revoke the cert , if i needed to ban a user permaneltly.

But for a temporarily disable (enable) login , i had hoped to use the
User Expiration date.

Ie. a Consultant that would have 1 week access for this specific task , and might need access later on.

/Bingo

viragomann

@bingo600 said in OpenVPN remove client:

Would that not prevent the user to login again ?

Sure, it does, when the server is in a "User auth" mode.

You can also revoke a user cert temporarily. After removing from the CRL it is accepted again by the server.

Also consider, when "Strict User-CN Matching" in the server settings is not checked it will be possible for a user to use another ones cert for authentication.

bingo600

@viragomann said in OpenVPN remove client:

@bingo600 said in OpenVPN remove client:

Would that not prevent the user to login again ?

Sure, it does, when the server is in a "User auth" mode.

You can also revoke a user cert temporarily. After removing from the CRL it is accepted again by the server.

Also consider, when "Strict User-CN Matching" in the server settings is not checked it will be possible for a user to use another ones cert for authentication.

I'm using this (SSL/TLS + User auth)

And have

Thanx for the confirmation

/Bingo