Certificate Manager - CRL Testing Needed

  • Rebel Alliance Developer Netgate

    My Certificate Revocation List (CRL) code has been checked in and complete for a couple weeks now, but I would appreciate some feedback from users on whether or not it works for them.

    In my testing I was able to make a CRL, select that CRL for an OpenVPN server, and then connect with a client, then disconnect. Then I revoked that user certificate, and the client could not reconnect. Delete the user cert from the CRL and then it can connect again.

    So for me it seemed to work as expected, but I would like to know if the behavior is the same for everyone else.

    It would also be helpful to know if you have done a 1.2.3 upgrade that included a CRL in the last week or so, if it imported that CRL properly.


  • Hi jimp,

    I just created an internal crl using the internal ca of my pfsense box which is also used for my openvpn servers
    I gave it a name "CRL Openvpn" and left all other values at default (serial=0 ?)
    Then in the openvpn server config I tried to select it in the dropdown menu for crls. There are two items: one reads "none" and the other is just empty..
    Then I tried to export that crl, but it didn't do anything.
    Then I tried to delete it, but unfortunately this didn't work either :(

    Edit: maybe it's not working for me because I have the cert tags 2 times in my config..

    I will do as you suggested in my thread and delete them under system.. and try again

  • Rebel Alliance Developer Netgate

    The name should show up, but it won't work properly until you revoke at least one certificate.

    The code that checks that part may need a little TLC.

  • Where in the gui would I revoke a certificate? After creating the crl there was no option in the crl tab, none in the certificates list and none when I edited a user with a certificate.
    In the CRL tab there is an edit button.. is it that one? A mouse-over shows "export crl" just like on the "download" button.
    When I click the "e" button, nothing happens..

  • Rebel Alliance Developer Netgate

    It should be the 'e', but it isn't working for me now either. Must be a change I forgot to check in. :-)

    I'll have a deeper look on Monday.

  • Rebel Alliance Developer Netgate

    Edit your config, do you have an "<crl>" tag? If so, remove it. Not sure how that might have gotten in there. I had one on one of my VMs also. Guess I need to add some code to check for that and fix/remove it.

  • Rebel Alliance Developer Netgate

    I just checked in a bunch of fixes for CRL management. Guess I couldn't wait until Monday :-)

    The case you were seeing should be fixed now.

  • When trying to import existing CRL, got error: "The following input errors were detected: * The field 'Certificate Revocation List data' is required.". Field CRL data, of course, was filled with data from valid CRL.

    Tried that with the following snapshot:

    2.0-BETA4 (i386)
    built on Sun Nov 14 03:54:29 EST 2010

  • Rebel Alliance Developer Netgate

    That should be working on the next snapshot, I just checked in a fix.

  • Hi Jimp,

    In case you were asking me, yes I had a <crl> tag and I removed it after testing together with the certificate tags under the <system> tag (which didn't work btw as pfsense complained about syntax errors as soon as I removed the <crt> tags from <system> and tried to restore the edited config).

    Thanks for the great work, I'm eager to try your new code but can't test it at the moment since I'm having this problem with newer snapshots (DIOCADDRULE device busy et.c).

  • Ok, just tested it with newer build - CRL imported fine. Tried exporting CRL - 0-byte empty file was exported. The same result when trying to export pfSense-generated CRL.

    2.0-BETA4 (i386)
    built on Mon Nov 15 16:00:39 EST 2010

  • Rebel Alliance Developer Netgate

    Does your pfSense-generated CRL have any revoked certificates?

    The imported one should have exported OK, but a pfSense generated CRL must have at least one revoked certificate before it exports OK. I guess the code still needs a few safety checks for that kind of thing.

    I'll have a look sometime today.
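A minimal in-memory version of the revoke-and-recheck test jimp describes at the top of the thread, which also covers the empty-CRL case raised in this post. This is an added example written in Go against the standard library only; it is not pfSense or OpenVPN code, and the CA, the client serial (1000) and the CRLs are all constructed here.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}
// NewCA builds a throwaway in-memory CA (constructed for this example, not a pfSense CA); CRLSign key usage is mandatory for CreateRevocationList.
func NewCA() (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	must(err)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "demo-ca"}, IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	must(err)
	ca, err := x509.ParseCertificate(der) // the parsed copy carries the SubjectKeyId the CRL issuer field needs
	must(err)
	return ca, key
}
// GenCRL signs a CRL listing the given serials; with none it is still a valid, non-empty DER CRL (the "nothing revoked yet" case from the thread).
func GenCRL(ca *x509.Certificate, key ed25519.PrivateKey, revoked ...*big.Int) []byte {
	var entries []pkix.RevokedCertificate
	for _, sn := range revoked {
		entries = append(entries, pkix.RevokedCertificate{SerialNumber: sn, RevocationTime: time.Now()})
	}
	der, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(1),
		ThisUpdate: time.Now(), NextUpdate: time.Now().Add(time.Hour), RevokedCertificates: entries}, ca, key)
	must(err)
	return der
}
// IsRevoked mirrors the per-handshake check an OpenVPN server makes: verify the CRL signature against the CA before trusting it, then look the serial up.
func IsRevoked(crlDER []byte, ca *x509.Certificate, sn *big.Int) bool {
	crl, err := x509.ParseRevocationList(crlDER)
	must(err)
	must(crl.CheckSignatureFrom(ca))
	for _, e := range crl.RevokedCertificates {
		if e.SerialNumber.Cmp(sn) == 0 {
			return true
		}
	}
	return false
}
```

An empty CRL from GenCRL is still a signed, non-empty blob that verifies cleanly, and IsRevoked only flips to true once the client's serial is listed, which is the behaviour the thread's connect / revoke / reconnect test is checking for.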

  • Rebel Alliance Developer Netgate

    CRL importing was still broken - should be fixed in newer snapshots.

    I also disabled the download button for empty CRLs.

  • jimp: Yes, I had revoked certificates in my imported CRL file.
    I may confirm that CRL importing/exporting is working fine with the Sun Nov 21 02:37:38 EST 2010 build.

