Netgate Discussion Forum

Understanding config.xml

Pareidolia (Mar 27, 2025, 10:24 PM)

    I've been writing a bash script that parses config.xml and decodes the certs to basically trigger some janitorial duty for the sysadmins. I'm trying to understand the logic of pfs after noticing that the users we have disabled + revoked their certs appear to have both a valid cert remaining in config.xml as well as a clone of that cert that's tagged as revoked. Is this normal?
    I see that both certs use the same reference ID <refid> originating within the user. Things were so messy here after years of accumulated trash in the routers that I started writing filter criteria to spotlight stray users and potentially orphaned certs.

jimp, Rebel Alliance Developer, Netgate (Mar 31, 2025, 2:31 PM)

      The way pfSense generates CRLs, it carries a copy of the revoked certificate in the CRL so that it always has sufficient information to rebuild the CRL as needed, even if the original certificate was deleted.

      The original certificate isn't removed because someone could have the same certificate used in multiple places, but only revoked in one place. Certificates are not revoked universally, only in the context of a specific CRL.

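An added example (not code from either poster or from pfSense itself) of the kind of audit the first post describes, written in Python instead of bash: it reads a constructed config.xml fragment whose layout is an assumption modelled on the thread (users reference a cert by its refid, top-level `<cert>` entries, and each `<crl>` carrying its own copy of every revoked cert under the same refid), then reports for each cert which user references it, whether that user is disabled, and which CRLs hold a revoked copy, so a still-present original beside a revoked clone is shown as the expected state jimp describes rather than as trash.

```python
import xml.etree.ElementTree as ET

# Constructed sample; element layout is an assumption based on the thread,
# not a real pfSense config.xml. <crt> values are placeholders, not certs.
SAMPLE_CONFIG = """<pfsense>
  <system>
    <user><name>alice</name><cert>refA</cert></user>
    <user><name>bob</name><disabled/><cert>refB</cert></user>
  </system>
  <cert><refid>refA</refid><descr>alice-vpn</descr><crt>AAA=</crt></cert>
  <cert><refid>refB</refid><descr>bob-vpn</descr><crt>BBB=</crt></cert>
  <cert><refid>refC</refid><descr>old-laptop</descr><crt>CCC=</crt></cert>
  <crl>
    <refid>crl1</refid><descr>OpenVPN CRL</descr>
    <cert><refid>refB</refid><descr>bob-vpn</descr><crt>BBB=</crt>
          <reason>0</reason><revoke_time>1700000000</revoke_time></cert>
  </crl>
</pfsense>"""


def audit_certs(xml_text):
    """Map each top-level <cert> refid to the user that references it,
    the user's disabled state, and the CRLs that carry a revoked copy."""
    root = ET.fromstring(xml_text)
    users = {}  # cert refid -> (username, user is disabled?)
    for u in root.findall("./system/user"):
        for c in u.findall("cert"):
            users[c.text] = (u.findtext("name"), u.find("disabled") is not None)
    revoked = {}  # cert refid -> list of CRL descriptions holding a copy
    for crl in root.findall("./crl"):
        for c in crl.findall("cert"):
            revoked.setdefault(c.findtext("refid"), []).append(crl.findtext("descr"))
    report = {}
    for cert in root.findall("./cert"):
        refid = cert.findtext("refid")
        user, disabled = users.get(refid, (None, False))
        report[refid] = {
            "descr": cert.findtext("descr"),
            "user": user,
            "user_disabled": disabled,
            "revoked_in": revoked.get(refid, []),
            # Not tied to any user and not in any CRL: a cleanup candidate,
            # after checking it is not used by a server or the webGUI.
            "orphaned": user is None and refid not in revoked,
        }
    return report


if __name__ == "__main__":
    for refid, info in audit_certs(SAMPLE_CONFIG).items():
        print(refid, info)
```

The original `<cert>` entry for a disabled, revoked user (refB here) is reported with both a user and a CRL, which is the retained-copy behaviour jimp explains; only refC, referenced nowhere, is flagged as orphaned.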
Pareidolia, replying to @jimp (Apr 5, 2025, 3:16 AM)

        @jimp oh cool, it never even occurred to me that ppl would carry around a universal cert
