Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    revoking a certificate on two different routers?

    Scheduled Pinned Locked Moved OpenVPN
    4 Posts 2 Posters 484 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • C
      coreybrett
      last edited by

      I have two routers, one in our HQ and one in our DR.

      Both are setup with matching OpenVPN servers (except different tunnel nets).

      Clients are configured to connect to HQ and failover to DR.

      I exported the CA from HQ to the DR router.

      I create certificates on the HQ router for each user.

      The only way I know how to revoke them on the DR router, is to import their cert from the HQ to the DR, then revoke it.

      Is this the best way to deal with this?

      Is my general CA setup a good one for OpenVPN?

      Is their anyway to publish a CRL with pfS?

      1 Reply Last reply Reply Quote 0
      • DerelictD
        Derelict LAYER 8 Netgate
        last edited by

        Delete the CRL on the second server, re-create it as an imported CRL using an export from the "master". Then you can revoke certificates on the "master" server and export then re-import the CRL on the other (edit and paste the new export).

        https://www.netgate.com/docs/pfsense/book/certificates/certificate-revocation-list-management.html

        I don't see any way to automate that.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        1 Reply Last reply Reply Quote 0
        • C
          coreybrett
          last edited by

          Ok, that seems to work for me!
          Thank you for the help.

          I wish the following improvements could be made...

          • When editing an imported CRL, it requires the description to be re-entered, seems like that should at-least default to the current description
          • Exporting a CRL generates a file download, but importing requires a form entry, seems like those should both use the same method
          • The ability to "publish" a CRL on one pfS box, and "subscribe" to it on another would be a great feature, or some type of push/pull mechanism
          1 Reply Last reply Reply Quote 0
          • DerelictD
            Derelict LAYER 8 Netgate
            last edited by

            Glad that looks like a viable option for you.

            FYI the proper channel for feature requests is to open a feature request at https://redmine.pfsense.org/

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

            1 Reply Last reply Reply Quote 0
            • First post
              Last post
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.