Netgate Discussion Forum

    System: Certificate Revocation List Manager => Export missing?

    • Reiner030

      Hi,

      I tested creating a possible certificate structure with intermediate CA certificates in
      departments, but the same problem exists if multiple firewalls use the same CA for certificates.

      There is currently no function (need?) for exporting CRLs or making them accessible by URL?

      Normally this could be a nice setup:

      • on the 1st / main firewall the CA is created/maintained and
      • on all other maintained firewalls the CA pub key can be imported.

      After this initial setup it would be possible to

      • create clients on the main firewall and
      • import client certs to the needed firewalls only / or "all".
          Even nicer would be an automatically distributed setup.

      The more important task for activated users is to deactivate them sometime later.
      As it seems, this can currently only be done manually, and therefore it would not be so
      easy to keep an overview of where the client was added and where not.

      • The easy thing for this is normally the CRL, which is publicly available and can be requested
          at any time.

      • If not by URL, then it would also be OK if a background task could be set up to
          export/import them regularly to all needed firewalls.
          But as I see it, there is currently no process for this?

      • and there is also no manual export of the CRL possible? :(  (only import of it)

      Bests

      Reiner

      • jimp Rebel Alliance Developer Netgate

        There is an export button for CRLs. At least on 2.1 there is.

        crlexp.png

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        • Reiner030

          @jimp:

          There is an export button for CRLs. At least on 2.1 there is.

          Mmh, but the button appears only when one or more certs are revoked?

          That's not so good, because for the OpenVPN server setup the CRL must be referenced … so I can do it only on the main but not on the external firewalls...

          • jimp Rebel Alliance Developer Netgate

            Ah, that does make sense. We made accommodations for "empty" CRLs in OpenVPN a while back but I didn't go back and allow exporting an empty CRL.

            Fixed now, https://github.com/pfsense/pfsense/commit/48f1333bfd64b078016135ae089906d4e03deb0e

            • Reiner030

              @jimp:

              Ah, that does make sense. We made accommodations for "empty" CRLs in OpenVPN a while back but I didn't go back and allow exporting an empty CRL.

              Fixed now, https://github.com/pfsense/pfsense/commit/48f1333bfd64b078016135ae089906d4e03deb0e

              Thx… now it works fine for 2.1...

              Here is the same patch for 2.0.3:

              --- /usr/local/www/system_crlmanager.php.orig	2013-04-12 16:31:46.000000000 +0200
              +++ /usr/local/www/system_crlmanager.php	2013-11-29 18:50:46.000000000 +0100
              @@ -580,11 +580,9 @@
              
              -							
               							 [![](/themes/<?= $g['theme'];?>/images/icons/icon_down.gif "<?=gettext(")" alt="" width="17" height="17" border="0" />](system_crlmanager.php?act=exp&id=<?=$tmpcrl['refid'];?>) 
              -							
              
               							 [![](/themes/<?= $g['theme'];?>/images/icons/icon_e.gif "<?=gettext(")" alt="" width="17" height="17" border="0" />](system_crlmanager.php?act=edit&id=<?=$tmpcrl['refid'];?>) 
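
              Review bot: the two `-` lines around the act=exp link are blank in this copy, so the condition being dropped cannot be checked here, and nothing in this patch touches the code that serves act=exp. Showing the download icon for every CRL is only safe if that handler returns a well-formed CRL when no certificate has been revoked; include the handler change in the same patch or keep the condition until it is there.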

              But there is one problem: the exported CRL has no content.
              I would also try to create a patch for this problem, but didn't find the right code segment which should have a problem.

              • jimp Rebel Alliance Developer Netgate

                It's not the same patch. It's missing the most important part near the top that makes it not empty.

                • Reiner030

                  Ah yes… I later forgot/overlooked the 1st change, which calls the update routine...

                  --- /usr/local/www/system_crlmanager.php.orig	2013-04-12 16:31:46.000000000 +0200
                  +++ /usr/local/www/system_crlmanager.php	2013-11-29 23:21:22.000000000 +0100
                  @@ -107,6 +107,7 @@
                   }
                  
                   if ($act == "exp") {
                  +	crl_update($thiscrl);
                   	$exp_name = urlencode("{$thiscrl['descr']}.crl");
                   	$exp_data = base64_decode($thiscrl['text']);
                   	$exp_size = strlen($exp_data);
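
                  Review bot: in the `if ($act == "exp")` branch, `crl_update($thiscrl)` now runs on every export request and its result is ignored before `$thiscrl['text']` is decoded. Check the return value and stop with an error instead of sending the file if the update failed, and confirm the call is appropriate for CRLs that were imported rather than generated on this firewall.
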
                  @@ -580,11 +581,9 @@
                  
                  -							
                   							 [![](/themes/<?= $g['theme'];?>/images/icons/icon_down.gif "<?=gettext(")" alt="" width="17" height="17" border="0" />](system_crlmanager.php?act=exp&id=<?=$tmpcrl['refid'];?>) 
                  -							
                  
                   							 [![](/themes/<?= $g['theme'];?>/images/icons/icon_e.gif "<?=gettext(")" alt="" width="17" height="17" border="0" />](system_crlmanager.php?act=edit&id=<?=$tmpcrl['refid'];?>) 
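
                  Review bot: with the surrounding `-` lines gone, the act=exp link is emitted for every row, and `$tmpcrl['refid']` is echoed into the href unescaped in both the act=exp and act=edit links. Pass it through htmlspecialchars() while these lines are being touched.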
                  
                  1 Reply Last reply Reply Quote 0
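
A check that separates the two cases discussed in this thread, a valid CRL with no revoked entries versus an export with no content, before the file is referenced by an OpenVPN server. This is an added example, not part of the original posts or of pfSense; the function names, the throwaway "Demo CA" and all file names are assumptions, and the sample CA and CRL are constructed on the fly with the openssl CLI.

```shell
#!/bin/sh
# Added example. Prints one of: empty-file | unparsable | bad-signature | ok:<revoked count>
check_crl() {  # usage: check_crl <crl.pem> <ca.crt>
    crl=$1; ca=$2
    [ -s "$crl" ] || { echo "empty-file"; return 0; }    # export with no content
    openssl crl -in "$crl" -noout 2>/dev/null || { echo "unparsable"; return 0; }
    # openssl crl reports the signature check on stderr, not in its exit status
    openssl crl -in "$crl" -CAfile "$ca" -noout 2>&1 | grep -q 'verify OK' \
        || { echo "bad-signature"; return 0; }
    n=$(openssl crl -in "$crl" -noout -text | grep -c 'Serial Number:' || true)
    echo "ok:$n"    # ok:0 is a valid "empty" CRL: signed, zero revoked entries
}

# Constructed sample data: a throwaway CA plus a CRL that revokes nothing.
make_demo_ca() {  # usage: make_demo_ca <dir>
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Demo CA" -days 1 \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    : > "$d/index.txt"; echo 01 > "$d/crlnumber"
    cat > "$d/ca.cnf" <<EOF
[ ca ]
default_ca = demo
[ demo ]
database = $d/index.txt
crlnumber = $d/crlnumber
default_md = sha256
default_crl_days = 30
EOF
    openssl ca -config "$d/ca.cnf" -gencrl -keyfile "$d/ca.key" \
        -cert "$d/ca.crt" -out "$d/empty.crl" 2>/dev/null
}

demo() {
    tmp=$(mktemp -d); make_demo_ca "$tmp"
    : > "$tmp/zero.crl"                      # constructed: a file with no content
    echo "empty CRL:   $(check_crl "$tmp/empty.crl" "$tmp/ca.crt")"
    echo "zero bytes:  $(check_crl "$tmp/zero.crl" "$tmp/ca.crt")"
    rm -rf "$tmp"
}
demo
```

On a firewall that only imports the CA and the CRL, running the check against the transferred file before pointing the OpenVPN server at it catches an export that lost its content on the way.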
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.