How can I revoke a certificate?



  • Hello everybody,

    I finally have managed to give my Windows Phone users access to our network via pfSense. Works great so far. I created a CA, a server certificate and some user certificates, installed the user and CA certificates on the Windows Phones (Lumia 535), and it worked. I basically used these two guides: https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2 and https://doc.pfsense.org/index.php/IKEv2_with_EAP-TLS .

    It works so well that I don't have any idea how to block a user from accessing it. I need to make sure that I can block a user if he/she loses his/her cell phone. I already looked at the certificate revocation list, but with this config I don't see any option to choose a CRL. What am I missing?

    Greetings
    Yasha86


  • Rebel Alliance Developer Netgate

    You create a CRL in the Cert Manager as usual. You don't pick a CRL to use, but the CRLs for the mobile IPsec CA are picked up automatically.



  • I did this, but I can still connect.

    My Settings:

    • I created a CA certificate, let's call it CACert
    • I created a server certificate, let's call it SRVCert, signed by my CACert
    • I created user certificates called user1 signed by my CACert

    General Information
    Key Exchange version: V2
    Internet Protocol: IPv4
    Interface: WAN

    Phase 1 Proposal(Authentication)
    Authentication Method: EAP-TLS
    My identifier: Distinguished name: mypfsense.mydomain.com
    Peer identifier: Any
    My Certificate: SRVCert
    Peer Certificate Authority: CACert

    Phase 1 Proposal (Algorithms)
    Encryption Algorithm: 3DES
    Hash Algorithm: SHA1
    DH Group: 2(1024 bit)
    Lifetime(Seconds): 28800

    Advanced Options
    Only Dead Peer Detection is checked. Everything else is not checked or disabled.

    I tried checking "Strict CRL Checking" under Advanced IPsec Settings (Advanced Settings), but that didn't change a thing.
    I think there is a problem with my certificates, or the fact that I chose Peer identifier: Any?
    Not sure.

    By the way, I forgot to mention I am using version 2.3.1.


  • Rebel Alliance Developer Netgate

    Did you make a CRL for that CA under System > Cert Manager, Certificate Revocation tab, and did you add that user certificate to that CRL?



  • Yes, and I can still connect to my pfSense with this phone and this certificate. That's my problem :)


  • Rebel Alliance Developer Netgate

    Did you save/apply on the mobile IPsec P1 after updating the CRL?

    It appears that strongSwan needs to be refreshed before it will pick up the new CRL contents. I had to apply settings after adding CRL entries and I had to do a full stop/start when removing CRL entries.



  • Thanks. I think it is fixed now... I installed a fresh pfSense and configured it the same way. Now it is working... The only main difference is that this time I created the certificates in the order CA -> CRL -> server certificate -> user certificate... not sure if that changed anything... but OK :) thanks anyway for the help



  • Hi,

    1. Create a new revocation list under System->CertManager->CertificateRevocation.
    2. Add the certificates that you do not want to be active any more.
    3. Assign the new revocation list to the VPN server, in my case under VPN->OpenVPN->Servers.

    You can easily choose your revocation list from the combobox "Peer Certificate Revocation list".
    You do not need to restart or refresh; the change is immediate.

    bye
    Domenico
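
The two answers above describe the same mechanism from different sides: a CRL only bites if (a) it actually lists the revoked serial at the moment the verifying daemon loaded it (the "apply settings" step the Netgate developer mentions) and (b) the verifier consults it at all (the CRL assignment Domenico describes for OpenVPN). The script below is an added worked example, not from this thread and not pfSense or strongSwan code: it builds a scratch OpenSSL PKI shaped like the poster's (a CA called CACert, leaf certificates user1 and user2), revokes user1, and shows that the revocation is invisible until the CRL is regenerated, invisible for good if the verifier never checks the CRL, and that user2 is unaffected. It assumes only the `openssl` CLI (1.1.1 or 3.x) on PATH; the `$WORK` scratch directory, the `ca.cnf` contents and all function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread, not pfSense/strongSwan code): a scratch
# OpenSSL PKI like the poster's (CA "CACert", leaves "user1"/"user2") showing
# what a CRL does, and does not do, for the side that verifies a certificate.
# Assumptions (mine): `openssl` 1.1.1 or 3.x on PATH; everything lives under
# $WORK, a fresh mktemp directory unless you export WORK yourself.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CNF="$WORK/ca.cnf"

# Minimal config: CA extensions for `openssl req -x509`, plus the database,
# counters and policy that `openssl ca` needs for issuing and CRL generation.
write_config() {
    cat > "$CNF" <<EOF
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
[ ca ]
default_ca = CACert
[ CACert ]
new_certs_dir    = $WORK/issued
database         = $WORK/index.txt
serial           = $WORK/serial
crlnumber        = $WORK/crlnumber
certificate      = $WORK/ca.crt
private_key      = $WORK/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = policy_cn_only
unique_subject   = no
[ policy_cn_only ]
commonName = supplied
EOF
}

# issue_cert NAME: key + CSR for /CN=NAME, signed through `openssl ca` so the
# serial is recorded in index.txt (only recorded serials can be revoked later).
issue_cert() {
    openssl req -new -config "$CNF" -newkey rsa:2048 -nodes \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "/CN=$1" 2>/dev/null
    openssl ca -config "$CNF" -batch -notext \
        -in "$WORK/$1.csr" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# regenerate_crl: publish a CRL reflecting the CA database as it is right now.
regenerate_crl() {
    openssl ca -config "$CNF" -gencrl -out "$WORK/crl.pem" 2>/dev/null
}

# setup_pki: CA, two user certificates and an initial (empty) CRL.
setup_pki() {
    mkdir -p "$WORK/issued"
    write_config
    : > "$WORK/index.txt"
    echo 1000 > "$WORK/serial"
    echo 1000 > "$WORK/crlnumber"
    openssl req -x509 -config "$CNF" -newkey rsa:2048 -nodes -days 365 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" -subj "/CN=CACert" 2>/dev/null
    issue_cert user1
    issue_cert user2
    regenerate_crl
}

# revoke_cert NAME: mark NAME's serial revoked in the CA database only; the
# published crl.pem is untouched until regenerate_crl runs again.
revoke_cert() {
    openssl ca -config "$CNF" -revoke "$WORK/$1.crt" \
        -crl_reason keyCompromise >/dev/null 2>&1
}

# cert_status NAME [nocrl]: verify NAME.crt against the CA, consulting the
# published CRL unless "nocrl" is given. Prints valid, revoked or invalid.
cert_status() {
    if [ "${2:-}" = nocrl ]; then
        out=$(openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" 2>&1 || true)
    else
        out=$(openssl verify -CAfile "$WORK/ca.crt" -crl_check \
                  -CRLfile "$WORK/crl.pem" "$WORK/$1.crt" 2>&1 || true)
    fi
    case "$out" in
        *"certificate revoked"*) echo revoked ;;
        *": OK"*)                echo valid ;;
        *)                       echo invalid ;;
    esac
}

# crl_entries: number of serials listed in the published CRL.
crl_entries() {
    openssl crl -in "$WORK/crl.pem" -noout -text | grep -c 'Serial Number:' || true
}

# Run as `sh crl_demo.sh demo` to print the whole sequence.
if [ "${1:-}" = demo ]; then
    setup_pki
    echo "fresh PKI:           user1=$(cert_status user1) user2=$(cert_status user2)"
    revoke_cert user1
    echo "revoked, CRL stale:  user1=$(cert_status user1)"
    regenerate_crl
    echo "CRL regenerated:     user1=$(cert_status user1) user2=$(cert_status user2)"
    echo "verifier skips CRL:  user1=$(cert_status user1 nocrl)  entries=$(crl_entries)"
fi
```

The "revoked, CRL stale" line is the situation the Netgate developer describes: the CA database already says user1 is revoked, but anyone validating against the previously published CRL still accepts it until a fresh CRL is generated and loaded. The last line is Domenico's point from the other direction: a verifier that was never told to check a CRL (`openssl verify` without `-crl_check` here, an OpenVPN server with no CRL assigned there) accepts the revoked certificate indefinitely.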

