revoking a certificate on two different routers?



  • I have two routers, one in our HQ and one in our DR.

    Both are set up with matching OpenVPN servers (except different tunnel nets).

    Clients are configured to connect to HQ and failover to DR.

    I exported the CA from HQ to the DR router.

    I create certificates on the HQ router for each user.

    The only way I know how to revoke them on the DR router, is to import their cert from the HQ to the DR, then revoke it.

    Is this the best way to deal with this?

    Is my general CA setup a good one for OpenVPN?

    Is there any way to publish a CRL with pfS?


  • LAYER 8 Netgate

    Delete the CRL on the second server, re-create it as an imported CRL using an export from the "master". Then you can revoke certificates on the "master" server and export then re-import the CRL on the other (edit and paste the new export).

    https://www.netgate.com/docs/pfsense/book/certificates/certificate-revocation-list-management.html

    I don't see any way to automate that.
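    The export/import step above moves a CRL that only the "master" CA can sign. The following shell script is an added example, not code from this thread or from pfSense: it builds a throwaway CA with openssl in a scratch directory, issues client certificates, revokes one, regenerates the CRL (the artifact that gets pasted into the second box), and then performs the two checks the receiving side cares about: that the CRL is really signed by the shared CA, and that a client certificate is now rejected when the CRL is consulted. All names, paths and the demo CA are constructed here; it assumes `openssl` is on PATH.

```shell
#!/bin/sh
# Added example (not from the thread or pfSense): a throwaway CA built with
# openssl to show the CRL mechanics behind the export/import step.
# Assumptions: openssl is on PATH; every file lives under a scratch directory.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CFG="$WORK/openssl.cnf"

# Build the "master" CA the way the HQ router holds it: one CA cert and key,
# plus the index/serial files that `openssl ca` needs to track issued certs.
setup_ca() {
  rm -rf "$WORK/ca"
  mkdir -p "$WORK/ca/newcerts"
  : > "$WORK/ca/index.txt"
  echo 1000 > "$WORK/ca/serial"
  echo 1000 > "$WORK/ca/crlnumber"
  cat > "$CFG" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = $WORK/ca/index.txt
new_certs_dir = $WORK/ca/newcerts
serial = $WORK/ca/serial
crlnumber = $WORK/ca/crlnumber
certificate = $WORK/ca.crt
private_key = $WORK/ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = demo_policy
[ demo_policy ]
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
  openssl req -config "$CFG" -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" -subj "/CN=Demo HQ CA" >/dev/null 2>&1
  # An empty CRL is still a signed statement ("nothing revoked yet"); the
  # second router needs one before it can do any CRL check at all.
  openssl ca -config "$CFG" -gencrl -out "$WORK/crl.pem" >/dev/null 2>&1
}

# Issue a client certificate from the master CA (the HQ router's role).
issue_client() {
  openssl req -config "$CFG" -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "/CN=$1" >/dev/null 2>&1
  openssl ca -config "$CFG" -batch -notext -in "$WORK/$1.csr" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Revoke on the master and regenerate the CRL; crl.pem is what gets exported.
revoke_client() {
  openssl ca -config "$CFG" -revoke "$WORK/$1.crt" >/dev/null 2>&1
  openssl ca -config "$CFG" -gencrl -out "$WORK/crl.pem" >/dev/null 2>&1
}

# First check on the receiving router: is this CRL signed by our CA?
# A CRL that fails here was not produced by the master and must not be imported.
crl_verify() {
  openssl crl -in "$WORK/crl.pem" -noout -CAfile "$WORK/ca.crt" -verify 2>&1 | grep -q "verify OK"
}

# Evaluate a client cert against CA + CRL the way an OpenVPN server with
# crl-verify does: prints valid, revoked, or error.
cert_status() {
  cat "$WORK/ca.crt" "$WORK/crl.pem" > "$WORK/bundle.pem"
  out=$(openssl verify -crl_check -CAfile "$WORK/bundle.pem" "$WORK/$1.crt" 2>&1 || true)
  case "$out" in
    *": OK"*) echo valid ;;
    *"certificate revoked"*) echo revoked ;;
    *) echo error ;;
  esac
}

# Walk through the thread's scenario with two constructed users.
setup_ca
issue_client alice
issue_client bob
echo "alice before revocation: $(cert_status alice)"
revoke_client alice
crl_verify && echo "exported CRL is signed by the master CA"
echo "alice after revocation:  $(cert_status alice)"
echo "bob after revocation:    $(cert_status bob)"
# The serials listed in the CRL are exactly what the 'edit and paste' step carries.
openssl crl -in "$WORK/crl.pem" -noout -text | grep -A1 "Revoked Certificates" || echo "CRL lists no serials"
```

The `crl_verify` check is the one worth keeping in mind for the manual workflow: pasting a CRL that was not signed by the shared CA is silently useless, because the OpenVPN server ignores a CRL whose signature does not match the CA it trusts, so nothing is actually revoked on the second router.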



  • Ok, that seems to work for me!
    Thank you for the help.

    I wish the following improvements could be made...

    • When editing an imported CRL, it requires the description to be re-entered, seems like that should at least default to the current description
    • Exporting a CRL generates a file download, but importing requires a form entry, seems like those should both use the same method
    • The ability to "publish" a CRL on one pfS box, and "subscribe" to it on another would be a great feature, or some type of push/pull mechanism

  • LAYER 8 Netgate

    Glad that looks like a viable option for you.

    FYI the proper channel for feature requests is to open a feature request at https://redmine.pfsense.org/

