Disabling some certificates



  • Hello,

    Is it possible to disable some client certificates in PFsense? Example: what if a colleague is leaving the company and I want to disable her openvpn dial-in account on PFsense?? The big question is: how can I disable his/her openvpn client certificate in PFsense?

    http://openvpn.net/howto.html (could not find it in the howto)

    Keep up the good work!!!!!



  • Is this possible with PFsense?

    Revoking Certificates
    Revoking a certificate means to invalidate a previously signed certificate so that it can no longer be used for authentication purposes.

    Typical reasons for wanting to revoke a certificate include:

    The private key associated with the certificate is compromised or stolen.
    The user of an encrypted private key forgets the password on the key.
    You want to terminate a VPN user's access.
    Example
    As an example, we will revoke the client2 certificate, which we generated above in the "key generation" section of the HOWTO.

    First open up a shell or command prompt window and cd to the easy-rsa directory as you did in the "key generation" section above. On Linux/BSD/Unix:

    . ./vars
    ./revoke-full client2
    On Windows:

    vars
    revoke-full client2



  • You can insert on the OpenVPN config page a certificate revocation list (CRL) in PEM format.



  • Where can I find this option CRL (certificate revocation list) ??? ??? ???

    Check this to block (disable) this client, based on its common name. Don't use this option to disable a client due to key or password compromise. Use a CRL (certificate revocation list) instead.



  • quote from readme.txt:

    To revoke a TLS certificate and generate a CRL file:
    1. vars
    2. revoke-full <machine-name>
    3. verify last line of output confirms revocation
    4. copy crl.pem to server directory and ensure config file uses "crl-verify <crl filename>"

    After revoking your compromised client, in your "keys" directory (or wherever your generated keys appear) there will be a new file called "crl.pem".
    Open it and copy its content into this field:
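    The revoke-then-CRL procedure quoted above and in the earlier HOWTO excerpt, as an added example that is not from this thread, pfSense or the OpenVPN project: it uses the plain openssl CLI instead of the easy-rsa revoke-full wrapper, builds a throwaway CA and client2 certificate in a temp directory (all names and the ca.cnf contents are assumptions), revokes the client, writes the crl.pem you would paste into pfSense, and checks that the revoked certificate is now rejected while it passed before.

```shell
#!/bin/sh
# Added example, not from the thread. Requires the openssl CLI (1.1.0+ for -CRLfile).
set -eu

crl_demo() (
  work=$(mktemp -d); cd "$work"; trap 'rm -rf "$work"' EXIT
  # Minimal config for "openssl ca" (assumed names, demo only).
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = .
database = index.txt
new_certs_dir = .
certificate = ca.crt
private_key = ca.key
serial = serial
default_md = sha256
default_days = 365
default_crl_days = 30
policy = demo_policy
[ demo_policy ]
commonName = supplied
EOF
  touch index.txt; echo 01 > serial
  # Constructed demo CA and one client key/CSR, mirroring easy-rsa's "client2".
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=demo-ca" \
    -keyout ca.key -out ca.crt >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=client2" \
    -keyout client2.key -out client2.csr >/dev/null 2>&1
  openssl ca -batch -notext -config ca.cnf -in client2.csr -out client2.crt >/dev/null 2>&1
  # Before revocation the client certificate chains to the CA and is accepted.
  openssl verify -CAfile ca.crt client2.crt >/dev/null 2>&1 || return 1
  # Revoke client2 (what revoke-full does under the hood), then emit crl.pem.
  openssl ca -config ca.cnf -revoke client2.crt >/dev/null 2>&1
  openssl ca -config ca.cnf -gencrl -out crl.pem >/dev/null 2>&1
  grep -q 'BEGIN X509 CRL' crl.pem || return 1
  # With CRL checking enabled (what crl-verify gives the server), it must fail.
  if openssl verify -crl_check -CAfile ca.crt -CRLfile crl.pem client2.crt >/dev/null 2>&1; then
    return 1   # still accepted: the CRL did not take effect
  fi
  return 0
)
```

The CA's private key is required for the -revoke and -gencrl steps, which is why revocation has to happen on the box holding the easy-rsa keys directory, not on the VPN server that only holds crl.pem.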




  • I've been working on getting a CRL generated, but each time I do, I get errors.

    (hesitant to post all my output, as it has lots of information pertaining to one of my clients).

    Has anyone else successfully revoked a cert, and if so, how did you do it?

