Automatic CRL import. External CA - MS PKI

  • Hello all!
    I'm having a small problem or misunderstanding how CRL check should work. We want to use External PKI for generating OpenVPN certs for users (distribution is done using GPO and AD).

    Background - what was done:

    • We created an external CA by importing it's certs and without importing CA key
    • We imported external CA CRL firstly converting it to PEM format using certutil -encode. This CRL is visible in CRL list, but listed as Unknown(imported) but when I click download, CRL seems ok, it contains certs, date/time of revocation and all data.


    When selecting this CRL in OpenVPN Peer Cert Revocation List - VPN fails with TLS handshake time out.
    So I created internal pfsense subca signed by our external Root and created internal CRL.
    When internal CRL is selected in OpenVPN - vpn works and clients can connect.


    What's the point of having subca only for revoking certs while we already have this covered in root CA(please, do not start discussion regarding root/sub CA chain, security etc. - it's not the case here :)).

    What I want:

    • Make OpenVPN actually use imported CRL since list itself seems to work and doesn't produce any errors on import and can be successfully exported
    • Make pfsense automatically fetch/import published CRL from CRL distribution point (some crone job, maybe) and update imported CRL
      This way we would avoid creating different CA just for managing VPN Certs.

    Please comment on this approach and point to some docs, file and config locations