How can I revoke a certificate?
-
Hello everybody,
I finally have managed to give my Windows Phone user access to our network via pfSense. Works great so far. I created a CA, Server Certificate and some User Certificates. Installed User and CA Certificate on the Windows Phones (Lumia 535) and it worked. I basically used those two guides https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2 and https://doc.pfsense.org/index.php/IKEv2_with_EAP-TLS.
It works soooo good that I don't have any idea how to block any users from accessing it. I need to make sure that I can block a user if he/she loses his/her cell phone. I already looked at the certificate revocation list but with this config I don't see any options to choose a CRL. What am I missing?
Greetings
Yasha86 -
You create a CRL in the Cert Manager as usual. You don't pick a CRL to use, but the CRLs for the mobile IPsec CA are picked up automatically.
-
I did this, but I still can connect.
My settings:
• I created a CA certificate, let's call it CACert
• I created a server certificate, let's call it SRVCert, signed by my CACert
• I created user certificates called user1 signed by my CACert
General Information
Key Exchange version: V2
Internet Protocol: IPv4
Interface: WAN
Phase 1 Proposal (Authentication)
Authentication Method: EAP-TLS
My identifier: Distinguished name: mypfsense.mydomain.com
Peer identifier: Any
My Certificate: SRVCert
Peer Certificate Authority: CACert
Phase 1 Proposal (Algorithms)
Encryption Algorithm: 3DES
Hash Algorithm: SHA1
DH Group: 2 (1024 bit)
Lifetime (Seconds): 28800
Advanced Options
Only Dead Peer Detection is checked. Everything else is not checked or disabled.
I tried checking "Strict CRL Checking" under Advanced IPsec Settings (Advanced Settings) but that didn't change a thing.
I think there is a problem with my certificates or the fact that I chose Peer identifier: Any?
Not sure. By the way, I forgot to mention I am using Version 2.3.1
-
Did you make a CRL for that CA under System > Cert Manager, Certificate Revocation tab, and did you add that user certificate to that CRL?
-
Yes, and I can still connect to my pfSense with this phone with this certificate. That's my problem :)
-
Did you save/apply on the mobile IPsec P1 after updating the CRL?
It appears that strongSwan needs to be refreshed before it will pick up the new CRL contents. I had to apply settings after adding CRL entries and I had to do a full stop/start when removing CRL entries.
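To make concrete what the VPN side is supposed to do with that CRL, here is an added example. It is not code from pfSense, strongSwan or anyone in this thread; it is Python using the `cryptography` package, with made-up function names (make_ca, issue_user_cert, build_crl, check_peer_cert, run_demo) and a constructed CA/user1/user2 setup mirroring the one described above. It shows the four conditions a CRL check has to pass before a peer is accepted: the peer certificate chains to the CA, the CRL is issued and signed by that same CA, the CRL is not past its nextUpdate, and only then is the serial number looked up. It also shows two ways a revoked phone can still get in if the check is done loosely: the daemon is evaluating an old CRL, or the CRL belongs to a different CA object than the one selected as Peer Certificate Authority.

```python
# Added example (not pfSense or strongSwan code). Needs the 'cryptography' package;
# every function name here is my own (assumed), not a pfSense API.
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def _now():
    return datetime.now(timezone.utc)


def _name(common_name):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])


def make_ca(common_name):
    # Self-signed CA key and certificate (the thread's "CACert").
    key = ec.generate_private_key(ec.SECP256R1())
    cert = (
        x509.CertificateBuilder()
        .subject_name(_name(common_name))
        .issuer_name(_name(common_name))
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(_now() - timedelta(minutes=5))
        .not_valid_after(_now() + timedelta(days=3650))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def issue_user_cert(ca_key, ca_cert, common_name):
    # End-entity certificate signed by the CA (the thread's "user1").
    key = ec.generate_private_key(ec.SECP256R1())
    cert = (
        x509.CertificateBuilder()
        .subject_name(_name(common_name))
        .issuer_name(ca_cert.subject)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(_now() - timedelta(minutes=5))
        .not_valid_after(_now() + timedelta(days=365))
        .sign(ca_key, hashes.SHA256())
    )
    return key, cert


def build_crl(ca_key, ca_cert, revoked_certs, issued_at=None, valid_for=timedelta(days=1)):
    """CRL signed by the CA, listing the serial numbers of revoked_certs."""
    issued_at = issued_at or _now()
    builder = (
        x509.CertificateRevocationListBuilder()
        .issuer_name(ca_cert.subject)
        .last_update(issued_at)
        .next_update(issued_at + valid_for)
    )
    for cert in revoked_certs:
        entry = x509.RevokedCertificateBuilder().serial_number(cert.serial_number).revocation_date(issued_at).build()
        builder = builder.add_revoked_certificate(entry)
    return builder.sign(ca_key, hashes.SHA256())


def check_peer_cert(cert, ca_cert, crl):
    """Return (accepted, reason) for a presented peer certificate."""
    # 1. The certificate must be signed by the trusted CA.
    try:
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    ec.ECDSA(cert.signature_hash_algorithm))
    except InvalidSignature:
        return False, "certificate not signed by trusted CA"
    # 2. Only a CRL issued and signed by that same CA is consulted.
    if crl.issuer != ca_cert.subject or not crl.is_signature_valid(ca_cert.public_key()):
        return False, "CRL not issued by the peer's CA"
    # 3. A CRL past its nextUpdate is stale; fail closed instead of trusting it.
    next_update = getattr(crl, "next_update_utc", None) or (
        crl.next_update and crl.next_update.replace(tzinfo=timezone.utc))
    if next_update and next_update < _now():
        return False, "CRL is stale"
    # 4. The serial number lookup that actually blocks the lost phone.
    if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
        return False, "certificate is revoked"
    return True, "ok"


def run_demo():
    """Constructed scenario: user1's phone is lost and revoked, user2 stays trusted."""
    ca_key, ca_cert = make_ca("CACert")
    _, user1 = issue_user_cert(ca_key, ca_cert, "user1")
    _, user2 = issue_user_cert(ca_key, ca_cert, "user2")
    other_key, other_ca = make_ca("SomeOtherCA")
    fresh_crl = build_crl(ca_key, ca_cert, [user1])
    stale_crl = build_crl(ca_key, ca_cert, [user1], issued_at=_now() - timedelta(days=3))
    wrong_ca_crl = build_crl(other_key, other_ca, [user1])  # CRL from an unrelated CA
    return {
        "user1_fresh": check_peer_cert(user1, ca_cert, fresh_crl),
        "user2_fresh": check_peer_cert(user2, ca_cert, fresh_crl),
        "user1_stale": check_peer_cert(user1, ca_cert, stale_crl),
        "user1_wrong_ca": check_peer_cert(user1, ca_cert, wrong_ca_crl),
    }


if __name__ == "__main__":
    for case, (accepted, reason) in run_demo().items():
        print(f"{case:15} accepted={accepted} ({reason})")
```

Running it gives four decisions: user2 is accepted, user1 is rejected by the fresh CRL, and both the stale CRL and the unrelated CA's CRL make the check fail closed rather than let user1 in. Failing closed when the CRL is stale or unavailable is the behaviour the "Strict CRL Checking" option mentioned above asks strongSwan for; the point of the refresh step in the reply above is that the daemon must actually be looking at the newly signed CRL for step 4 to ever see the new serial.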
-
Thanks. I think it is fixed now… I installed a fresh pfSense and configured it the same way. Now it is working... The only main difference is that this time I created the certificates in the order: CA -> CRL -> server certificate -> user certificate.... Not sure if that did change anything... but ok :) Thanks anyway for the help
-
Hi,
- create a new revocation list from System->CertManager->CertificateRevocation
- add the certificates that you do not want to be active any more
- assign the new revocation list to the vpn server in my case VPN->OpenVPN->Servers
You can easily choose your revocation list from the combo box Peer Certificate Revocation List.
You do not need to restart or refresh; the change is immediate.
Bye
Domenico