Up-to-date information regarding certificate revocation (user)
-
Dear users and team,
We are running the latest 2.3 version and would like to know how to revoke a user certificate. I can't find anything in the WebUI, and the information on the Internet seems obsolete.
Deleting a user certificate does not revoke it. Could you please tell us how to revoke a specific user certificate?
Thank you in advance,
Regards
-
Create a CRL (System > Cert Manager, Certificate Revocation tab), edit the CRL, pick a cert to revoke and the reason, then save.
If it's OpenVPN, edit the server and pick the CRL, then save. If it's IPsec, edit/save the P1 and it should write out the CRL; you may have to stop/start (not restart) ipsec the first time the CRL is created. If it's something else, export the CRL and add it where you need it.
-
Hi!
Thank you for your answer.
Regarding the method you describe, I have to create/modify my CRL somewhere else (on another computer/server using openssl commands) and then insert (by editing) the new one (X.509 CRL). When I edit a CRL the interface says "Paste a Certificate Revocation List in X.509 CRL format here" and does not ask for a certificate to revoke.
But what I would like to know is how to revoke a certificate without doing all of that manually, I mean, using the interface. Maybe this feature can be found somewhere else?
Thank you in advance
-
OK, I think I've found the reason why. It is because my CRL has been imported. Then I cannot add certificates for revocation. It's sad. I do not understand why. Could you explain?
Thank you
-
You can't edit an imported CRL in that way. To revoke a certificate you have to have the CA and the CA's key available to sign the CRL. You can't simply add certs to a CRL without proper signing procedures.
If you create the CRL somewhere else, the firewall doesn't have all of the data it needs to add to the CRL.
-
Thank you for your answer.
Maybe I do not understand well, but everything comes from an easy-rsa "PKI" and I have imported everything (CA & keys). What kind of data should be missing?
Also, I investigated a bit, and what I think (I mean in CRL management in pfSense) is that the CRL is completely rebuilt on each update (e.g. adding a certificate to revoke), because I see all certificates are kept and can be removed from the CRL (it seems so, not tested). Can you confirm? Thanks!
-
It's designed to be either completely managed elsewhere, or completely managed on pfSense.
In order to revoke a certificate, pfSense needs to have the certificate present, either in the cert list or on the CRL (it's copied there when you revoke it). The CRL is rebuilt that way because it has to be. It can't add to a CRL it didn't create, since it doesn't have the older certificates on hand to revoke.
If you make a new CRL and revoke everything all over again, then you can add to it. But you can't import a CRL and then add to that.
That's how it's always worked.
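As an added example (not from this thread and not pfSense's own code), the Go program below shows the mechanics behind that last answer: a CRL is a CA-signed list, so revoking one more certificate means rebuilding the complete list and signing it again with the CA key, and a relying party trusts the entries only after that signature verifies. The CA, the serial numbers and the lifetimes are constructed for the demo; in the thread the real PKI would be the easy-rsa one.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newCA builds a constructed demo CA (not the thread's easy-rsa PKI); ParseCertificate fills the SubjectKeyId that CRL signing needs.
func newCA(name string) (*ecdsa.PrivateKey, *x509.Certificate) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	ca, _ := x509.ParseCertificate(der)
	return key, ca
}

// buildCRL regenerates the whole CRL from the complete list of revoked serials and signs it
// with signer. There is no append: every update is a rebuild, which is what the thread describes.
func buildCRL(signer *ecdsa.PrivateKey, issuer *x509.Certificate, serials []int64, number int64) ([]byte, error) {
	var revoked []pkix.RevokedCertificate
	for _, s := range serials {
		revoked = append(revoked, pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: time.Now()})
	}
	tmpl := &x509.RevocationList{RevokedCertificates: revoked, Number: big.NewInt(number),
		ThisUpdate: time.Now(), NextUpdate: time.Now().Add(24 * time.Hour)}
	return x509.CreateRevocationList(rand.Reader, tmpl, issuer, signer)
}

// isRevoked is the relying party's check (what OpenVPN/IPsec do): verify the CA's signature before trusting any entry.
func isRevoked(crlDER []byte, ca *x509.Certificate, serial int64) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, err
	}
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return false, err
	}
	for _, e := range crl.RevokedCertificates {
		if e.SerialNumber.Int64() == serial {
			return true, nil
		}
	}
	return false, nil
}
```

Building a first CRL with serial 2, then "adding" serial 3, is two calls to buildCRL with the full list each time; a CRL built over the same serials with a key other than the CA's fails isRevoked's signature check, which is the situation the firewall is in with an imported CRL and no matching CA key.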