Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    revoking a certificate on two different routers?

    OpenVPN
    2
    4
    136
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • C
      coreybrett last edited by

      I have two routers, one in our HQ and one in our DR.

      Both are setup with matching OpenVPN servers (except different tunnel nets).

      Clients are configured to connect to HQ and failover to DR.

      I exported the CA from HQ to the DR router.

      I create certificates on the HQ router for each user.

      The only way I know how to revoke them on the DR router, is to import their cert from the HQ to the DR, then revoke it.

      Is this the best way to deal with this?

      Is my general CA setup a good one for OpenVPN?

      Is their anyway to publish a CRL with pfS?

      1 Reply Last reply Reply Quote 0
      • Derelict
        Derelict LAYER 8 Netgate last edited by

        Delete the CRL on the second server, re-create it as an imported CRL using an export from the "master". Then you can revoke certificates on the "master" server and export then re-import the CRL on the other (edit and paste the new export).

        https://www.netgate.com/docs/pfsense/book/certificates/certificate-revocation-list-management.html

        I don't see any way to automate that.

        Chattanooga, Tennessee, USA
        The pfSense Book is free of charge!
        DO NOT set a source port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        1 Reply Last reply Reply Quote 0
        • C
          coreybrett last edited by

          Ok, that seems to work for me!
          Thank you for the help.

          I wish the following improvements could be made...

          • When editing an imported CRL, it requires the description to be re-entered, seems like that should at-least default to the current description
          • Exporting a CRL generates a file download, but importing requires a form entry, seems like those should both use the same method
          • The ability to "publish" a CRL on one pfS box, and "subscribe" to it on another would be a great feature, or some type of push/pull mechanism
          1 Reply Last reply Reply Quote 0
          • Derelict
            Derelict LAYER 8 Netgate last edited by

            Glad that looks like a viable option for you.

            FYI the proper channel for feature requests is to open a feature request at https://redmine.pfsense.org/

            Chattanooga, Tennessee, USA
            The pfSense Book is free of charge!
            DO NOT set a source port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

            1 Reply Last reply Reply Quote 0
            • First post
              Last post