How can I revoke a certificate?



  • Hello everybody,

    I finally have managed to give my Windows Phone user access to our network via pfSense. Works great so far. I created a CA, server certificate and some user certificates. Installed user and CA certificate on the Windows Phones (Lumia 535) and it worked. I basically used those two guides https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2 and https://doc.pfsense.org/index.php/IKEv2_with_EAP-TLS.

    It works soooo good that I don't have any idea how to block any users from accessing it. I need to make sure that I can block a user if he/she loses his/her cell phone. I already looked at the certificate revocation list, but with this config I don't see any option to choose a CRL. What am I missing?

    Greetings
    Yasha86


  • Rebel Alliance Developer Netgate

    You create a CRL in the Cert Manager as usual. You don't pick a CRL to use, but the CRLs for the mobile IPsec CA are picked up automatically.



  • I did this, but I can still connect.

    My Settings:

    • I created a CA certificate, let's call it CACert
    • I created a server certificate, let's call it SRVCert, signed by my CACert
    • I created a user certificate called user1, signed by my CACert

    General Information
    Key Exchange version: V2
    Internet Protocol: IPv4
    Interface: WAN

    Phase 1 Proposal (Authentication)
    Authentication Method: EAP-TLS
    My identifier: Distinguished name: mypfsense.mydomain.com
    Peer identifier: Any
    My Certificate: SRVCert
    Peer Certificate Authority: CACert

    Phase 1 Proposal (Algorithms)
    Encryption Algorithm: 3DES
    Hash Algorithm: SHA1
    DH Group: 2 (1024 bit)
    Lifetime (Seconds): 28800

    Advanced Options
    Only Dead Peer Detection is checked. Everything else is not checked or disabled.

    I tried checking "Strict CRL Checking" under Advanced IPsec Settings (Advanced Settings), but that didn't change a thing.
    I think there is a problem with my certificates, or the fact that I chose Peer identifier: Any?
    Not sure.

    By the way, I forgot to mention I am using version 2.3.1.


  • Rebel Alliance Developer Netgate

    Did you make a CRL for that CA under System > Cert Manager, Certificate Revocation tab, and did you add that user certificate to that CRL?



  • Yes, and I can still connect to my pfSense with this phone with this certificate. That's my problem :)


  • Rebel Alliance Developer Netgate

    Did you save/apply on the mobile IPsec P1 after updating the CRL?

    It appears that strongSwan needs to be refreshed before it will pick up the new CRL contents. I had to apply settings after adding CRL entries and I had to do a full stop/start when removing CRL entries.
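    Added example (not from this thread or from pfSense): a throwaway openssl CA with a user certificate revoked via a CRL, showing that CRL checking rejects the revoked certificate while a non-revoked one still verifies. This is the same CA -> CRL -> user certificate relationship the posts above describe; the names CACert, user1 and user2 are constructed for the example.

```shell
#!/bin/sh
# Constructed demo: CA, two user certs, CRL revoking one of them, verify both.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Self-signed CA (stands in for the pfSense "CACert")
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=CACert" \
  -keyout ca.key -out ca.crt 2>/dev/null

# Minimal 'openssl ca' database so we can sign, revoke and issue a CRL
touch index.txt; echo 01 > serial; echo 01 > crlnumber
cat > ca.cnf <<EOF
[ ca ]
default_ca = local
[ local ]
database = index.txt
serial = serial
crlnumber = crlnumber
new_certs_dir = .
certificate = ca.crt
private_key = ca.key
default_md = sha256
default_days = 30
default_crl_days = 30
policy = anything
[ anything ]
commonName = supplied
EOF

issue_user() {  # $1 = user name; issue a client cert signed by the CA
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  openssl ca -batch -config ca.cnf -in "$1.csr" -out "$1.crt" 2>/dev/null
}
issue_user user1
issue_user user2

# Revoke user1 (the lost phone) and regenerate the CRL, as the Cert Manager does
openssl ca -config ca.cnf -revoke user1.crt 2>/dev/null
openssl ca -config ca.cnf -gencrl -out ca.crl 2>/dev/null
cat ca.crt ca.crl > chain_with_crl.pem

# Returns 0 if the cert is accepted with CRL checking, non-zero if rejected
check_cert() {
  openssl verify -crl_check -CAfile chain_with_crl.pem "$1.crt" >/dev/null 2>&1
}
```

    The last step is the point of the thread: a verifier only honours the CRL it has actually loaded, so after changing the CRL the consuming daemon (strongSwan here) has to re-read it.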



  • Thanks. I think it is fixed now… I installed a fresh pfSense and configured it the same way. Now it is working... The only main difference is that this time I created the certificates in the order CA -> CRL -> server certificate -> user certificate.... Not sure if that changed anything... but ok :) Thanks anyway for the help.



  • Hi,

    1. Create a new revocation list from System -> Cert Manager -> Certificate Revocation.
    2. Add the certificates that you do not want to be active any more.
    3. Assign the new revocation list to the VPN server, in my case VPN -> OpenVPN -> Servers.

    You can easily choose your revocation list from the combobox "Peer Certificate Revocation list".
    You do not need to restart or refresh; the change is immediate.

    bye
    Domenico