Understanding config.xml
-
I've been writing a bash script that parses config.xml and decodes the certs to basically trigger some janitorial duty for the sysadmins. I'm trying to understand the logic of pfs after noticing that the users we have disabled + revoked their certs appear to have both a valid cert remaining in config.xml as well as a clone of that cert that's tagged as revoked. Is this normal?
I see that both certs use the same reference ID <refid> originating within the user. Things were so messy here after years of accumulated trash in the routers that I started writing filter criteria to spotlight stray users and potentially orphaned certs. -
The way pfSense generates CRLs, it carries a copy of the revoked certificate in the CRL so that it always has sufficient information to rebuild the CRL as needed, even if the original certificate was deleted.
The original certificate isn't removed because someone could have the same certificate used in multiple places, but only revoked in one place. Certificates are not revoked universally, only in the context of a specific CRL.