CRL with intermediate CA doesn't revoke certificate
Re: CRL OpenVPN doesn't work
I have checked that CRL doesn't work with an intermediate CA; however, I created another OpenVPN server with only a CA, and the CRL works perfectly.
Does anyone know why?
Thanks.

It looks to me like a bug in OpenSSL CRL validation with certificates signed by an intermediate CA, and not necessarily with OpenVPN or pfSense. I've tried several different methods but I haven't been able to get a working result from an intermediate CA CRL with OpenVPN or even OpenSSL directly. I get similar OpenSSL failures on pfSense, FreeBSD, and Linux so it does not appear to be isolated to pfSense.
I've opened https://redmine.pfsense.org/issues/9889 with some details, but I may need to open a bug report upstream in OpenSSL as well.