Disabling some certificates
-
Hello,
Is it possible to disable some client certificates in pfSense? Example: what if a colleague is leaving the company and I want to disable her OpenVPN dial-in account on pfSense? The big question is: how can I disable his/her OpenVPN client certificate in pfSense?
http://openvpn.net/howto.html (could not find it in the HOWTO)
Keep up the good work!!!!!
-
Is this possible with PFsense?
Revoking Certificates
Revoking a certificate means to invalidate a previously signed certificate so that it can no longer be used for authentication purposes. Typical reasons for wanting to revoke a certificate include:
The private key associated with the certificate is compromised or stolen.
The user of an encrypted private key forgets the password on the key.
You want to terminate a VPN user's access.
Example
As an example, we will revoke the client2 certificate, which we generated above in the "key generation" section of the HOWTO. First open up a shell or command prompt window and cd to the easy-rsa directory as you did in the "key generation" section above. On Linux/BSD/Unix:
    . ./vars
    ./revoke-full client2
On Windows:
    vars
    revoke-full client2
-
You can insert a certificate revocation list (CRL) in PEM format on the OpenVPN config page.
-
Where can I find this option, CRL (certificate revocation list)???
Check this to block (disable) this client, based on its common name. Don't use this option to disable a client due to key or password compromise. Use a CRL (certificate revocation list) instead.
-
Quote from readme.txt:
To revoke a TLS certificate and generate a CRL file:
1. vars
2. revoke-full <machine-name>
3. verify last line of output confirms revocation
4. copy crl.pem to server directory and ensure config file uses "crl-verify <crl filename>"
After revoking your compromised client, in your "keys" directory (or wherever your generated keys appear) there will be a new file called "crl.pem".
Open it and copy its content into this field:
-
I've been working on getting a CRL generated, but each time I do, I get errors.
(Hesitant to post all my output, as it has lots of information pertaining to one of my clients.)
Has anyone else successfully revoked a cert, and if so, how did you do it?
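The readme steps quoted earlier in the thread (vars, revoke-full, copy crl.pem, crl-verify) and the last question about revoke errors both come down to four openssl operations that easy-rsa wraps: mark the cert revoked in the CA database, regenerate the CRL, and then check a client cert against CA plus CRL. The script below is an added example, not code from this thread, from easy-rsa or from pfSense. It assumes only that the openssl command-line tool is installed; it builds a throwaway CA in a temp directory, issues two made-up users (alice and bob), revokes alice as the "leaver", and proves with openssl verify -crl_check that the new crl.pem rejects alice and still accepts bob. The revoked_count helper and the demo_ca/openssl.cnf layout are this example's own, not anything easy-rsa ships.

```shell
#!/bin/sh
# Added example (not from the thread, easy-rsa or pfSense): what revoke-full does,
# done with plain openssl, plus the CRL check the OpenVPN server performs.
# Assumes the openssl CLI is installed. Everything lives in a throwaway directory.
set -eu

WORK=""

# Build a minimal CA (what easy-rsa's build-ca does) plus an EMPTY initial CRL.
# A CRL with no entries is the correct starting point; having no CRL at all makes
# crl_check fail with "unable to get certificate CRL".
setup_ca() {
  WORK="$(mktemp -d)"
  mkdir -p "$WORK/ca" "$WORK/keys"
  touch "$WORK/ca/index.txt"
  echo 01 > "$WORK/ca/serial"
  echo 01 > "$WORK/ca/crlnumber"
  cat > "$WORK/ca/openssl.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $WORK/ca
database = \$dir/index.txt
new_certs_dir = $WORK/keys
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = $WORK/keys/ca.crt
private_key = $WORK/keys/ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = demo_policy
x509_extensions = client_ext
[ demo_policy ]
commonName = supplied
[ client_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
[ req ]
distinguished_name = req_dn
x509_extensions = ca_ext
[ req_dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=demo-ca" \
    -config "$WORK/ca/openssl.cnf" \
    -keyout "$WORK/keys/ca.key" -out "$WORK/keys/ca.crt" >/dev/null 2>&1
  openssl ca -config "$WORK/ca/openssl.cnf" -gencrl -out "$WORK/keys/crl.pem" >/dev/null 2>&1
}

# Issue a client cert for a common name (what "build-key <name>" does).
issue_client() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -config "$WORK/ca/openssl.cnf" \
    -keyout "$WORK/keys/$1.key" -out "$WORK/keys/$1.csr" >/dev/null 2>&1
  openssl ca -batch -notext -config "$WORK/ca/openssl.cnf" \
    -in "$WORK/keys/$1.csr" -out "$WORK/keys/$1.crt" >/dev/null 2>&1
}

# What "revoke-full <name>" does: mark the cert revoked in the CA database, then
# regenerate crl.pem. That regenerated crl.pem is the file that goes into the
# pfSense CRL field / the server's crl-verify file.
revoke_client() {
  openssl ca -config "$WORK/ca/openssl.cnf" -crl_reason affiliationChanged \
    -revoke "$WORK/keys/$1.crt" >/dev/null 2>&1
  openssl ca -config "$WORK/ca/openssl.cnf" -gencrl -out "$WORK/keys/crl.pem" >/dev/null 2>&1
}

# Return 0 if the client cert still validates against CA + CRL, non-zero if not.
# This is the same decision crl-verify makes on the OpenVPN server at connect time.
check_client() {
  cat "$WORK/keys/ca.crt" "$WORK/keys/crl.pem" > "$WORK/keys/ca_and_crl.pem"
  openssl verify -crl_check -CAfile "$WORK/keys/ca_and_crl.pem" \
    "$WORK/keys/$1.crt" >/dev/null 2>&1
}

# Number of revoked ("R") entries in the CA database; handy for auditing.
revoked_count() { grep -c "^R" "$WORK/ca/index.txt" || true; }

cleanup() { rm -rf "$WORK"; }

# The leaver scenario from the thread: two users, one leaves, only her cert dies.
demo() {
  setup_ca
  issue_client alice
  issue_client bob
  revoke_client alice
  for user in alice bob; do
    if check_client "$user"; then echo "$user: still accepted"; else echo "$user: revoked"; fi
  done
  echo "revoked entries in CA database: $(revoked_count)"
  cleanup
}

demo
```

If revoke-full fails for you, run the two openssl ca commands above by hand with the same config easy-rsa uses (KEY_CONFIG in vars); the usual causes are a missing or stale index.txt / crlnumber file, or a cert that was issued by a different CA than the one in the config.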