Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Certificate is "locked" by IPsec even in PSK mode

    2.0-RC Snapshot Feedback and Problems - RETIRED
    2
    4
    1.6k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • D
      dszp
      last edited by

      I had a certificate in the Cert Manager that I couldn't delete because it was in use by IPsec (thankfully it said what was using it!). However, my IPsec configuration only uses PSK (Mutual PSK + Xauth and Mobile IPsec), though I may have saved it at some point in the past with Mutual RSA + Xauth which uses certificates, but currently it was set to PSK. However, it was still preventing the certificate from being deleted as "in-use," I had to switch the IPsec profile to Musual RSA + Xauth, select a different certificate, save, and then I could delete that certificate in Cert Manager, and change the IPsec profile back to PSK.

      Ironically, it didn't save my pre-shared key (I copied it first so I was OK) when switching back to PSK mode, it just saves the cert config when it's not "current." I kind of like the "save previous setting" thing, but would like a way to easily delete the certificate that's not "active" in an IPsec tunnel's config without the workaround…mainly because it could be confusing to an end-user, or time-consuming if there were many PSK-type IPsec tunnels and you had multiple IPsec tunnels with the "hidden saved" cert to change & remove. My workaround worked fine for me, I can just see it being more of a pain or harder to figure out for the average user or heavy IPsec user.

      David Szpunar

      1 Reply Last reply Reply Quote 0
      • jimpJ
        jimp Rebel Alliance Developer Netgate
        last edited by

        Yeah I think that form field is hidden but not disabled when it's inactive. The field probably just needs to be cleared before it's saved for a PSK tunnel.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        1 Reply Last reply Reply Quote 0
        • jimpJ
          jimp Rebel Alliance Developer Netgate
          last edited by

          Should be OK now:
          https://rcs.pfsense.org/projects/pfsense/repos/mainline/commits/a2eec62a65e912b7d0bdbb59a82f63f59137818d

          Edit and save your IPsec phase 1 entries and the ca/cert references will be removed.

          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

          Need help fast? Netgate Global Support!

          Do not Chat/PM for help!

          1 Reply Last reply Reply Quote 0
          • D
            dszp
            last edited by

            Nope, re-saved Mobile IPsec phase 1 and site-to-site phase 1 both, one is PSK+Xauth and one is PSK, no certs for IPsec in use (and Applied changes). Certificate still shows up in Cert Manager as in use by IPsec and unable to delete. I'm going to use workaround to remove as I need it removed to finish a reconfiguration of certs now.

            David Szpunar

            1 Reply Last reply Reply Quote 0
            • First post
              Last post
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.