System: Certificate Revocation List Manager => Export missing?



  • Hi,

    I tried to create a possible certificate structure with intermediate CA certificates in
    departments, but the same problem exists if multiple firewalls use the same CA for certificates.

    There is actually no function (need?) for exporting CRLs or making them accessible by URL?

    Normally this could be nice setup:

    • on the 1st / main firewall the CA is created/maintained and
    • on all other maintained firewalls the CA pub key can be imported.

    After this initial setup it could be possible to

    • create clients on main firewall and
    • import client certs to needed firewalls only / or "all".
        Even nicer would also be an automatic spread setup.

    The more important task after activating users is to deactivate them some time later.
    As it seems, this can currently be done only manually, and therefore it would not be so
    easy to keep an overview of where the client was added and where not.

    • The easy thing for it is normally the CRL, which is publicly available and can be requested
        at any time.

    • If not by URL, then it could also be OK if there were a background task set up to
        export/import them regularly to all needed firewalls.
        But as I see it right now, there is currently no process for this possible?

    • and there is also no manual export of a CRL possible? :( (only import of it)

    Bests

    Reiner


  • Rebel Alliance Developer Netgate

    There is an export button for CRLs. At least on 2.1 there is.




  • @jimp:

    There is an export button for CRLs. At least on 2.1 there is.

    mmh, but the button appears only when one or more certs are revoked?

    That's not so good, because for the OpenVPN server setup the CRL must be referenced … so I can do it only on the main but not on the external firewalls...


  • Rebel Alliance Developer Netgate

    Ah, that does make sense. We made accommodations for "empty" CRLs in OpenVPN a while back but I didn't go back and allow exporting an empty CRL.

    Fixed now, https://github.com/pfsense/pfsense/commit/48f1333bfd64b078016135ae089906d4e03deb0e



  • @jimp:

    Ah, that does make sense. We made accommodations for "empty" CRLs in OpenVPN a while back but I didn't go back and allow exporting an empty CRL.

    Fixed now, https://github.com/pfsense/pfsense/commit/48f1333bfd64b078016135ae089906d4e03deb0e

    thx… now it works fine for 2.1...

    Here is the same patch for 2.0.3:

    --- /usr/local/www/system_crlmanager.php.orig	2013-04-12 16:31:46.000000000 +0200
    +++ /usr/local/www/system_crlmanager.php	2013-11-29 18:50:46.000000000 +0100
    @@ -580,11 +580,9 @@
    
    -							
     							 [![](/themes/<?= $g['theme'];?>/images/icons/icon_down.gif "<?=gettext(")" alt="" width="17" height="17" border="0" />](system_crlmanager.php?act=exp&id=<?=$tmpcrl['refid'];?>) 
    -							
    
     							 [![](/themes/<?= $g['theme'];?>/images/icons/icon_e.gif "<?=gettext(")" alt="" width="17" height="17" border="0" />](system_crlmanager.php?act=edit&id=<?=$tmpcrl['refid'];?>) 
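    Review bot: this hunk only changes the list markup around the `act=exp` download icon; nothing in it changes what the `exp` action actually serves, so a CRL whose stored text was never regenerated will still download as an empty file, which is the symptom reported right after it. The export handler itself needs to refresh the CRL before reading `$thiscrl['text']`. Also, the removed `-` lines came through blank here and the context is rendered HTML rather than the PHP source, so the condition that wrapped the icon cannot be reviewed; please post the raw diff.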
    But there is one problem: the exported CRL has no content.
    I would try to also create a patch for this problem, but didn't find the right code segment which should have the problem.
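A stand-alone check for the symptom described in this post (a CRL export that comes back with no content), added here as an example and not code from pfSense or from anyone in this thread: it accepts the downloaded PEM or DER file, rejects a zero-byte export, and lists the revoked serial numbers, returning an empty list for a CRL that is valid but simply has nothing revoked yet. All function names are this example's own; the issuer name, dates and all-zero dummy signature in build_sample_crl are constructed test data, and no signature is verified.

```python
import base64, re

def der_tlv(data, pos=0):
    """Return (tag, value, next_pos) for the DER element at pos (definite lengths only)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                                    # long form: 0x8n, then n length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def der_children(value):
    """Yield the (tag, value) elements inside the content of a constructed element."""
    pos = 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        yield tag, val

def load_crl(blob):
    """Accept a PEM or DER CRL file; a zero-byte download is the failure mode to catch."""
    if not blob:
        raise ValueError("CRL export is empty (0 bytes)")
    m = re.search(rb"-----BEGIN X509 CRL-----(.*?)-----END X509 CRL-----", blob, re.S)
    return base64.b64decode(b"".join(m.group(1).split())) if m else blob

def revoked_serials(blob):
    """Serial numbers listed in revokedCertificates; [] for a valid CRL with none revoked."""
    _, cert_list, _ = der_tlv(load_crl(blob))            # CertificateList SEQUENCE
    fields = list(der_children(next(der_children(cert_list))[1]))  # fields of tbsCertList
    i = (1 if fields[0][0] == 0x02 else 0) + 3           # skip version (optional), signature, issuer, thisUpdate
    i += 1 if i < len(fields) and fields[i][0] in (0x17, 0x18) else 0  # optional nextUpdate
    if i < len(fields) and fields[i][0] == 0x30:         # revokedCertificates SEQUENCE OF SEQUENCE
        return [int.from_bytes(next(der_children(e))[1], "big") for _, e in der_children(fields[i][1])]
    return []                                            # field absent: nothing revoked yet

def _tlv(tag, value):
    """DER-encode one element (only used to build the constructed sample below)."""
    n = len(value)
    lb = b"" if n < 128 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 128 else 0x80 | len(lb)]) + lb + value

def build_sample_crl(serials, pem=False):
    """Constructed sample: a syntactically valid CertificateList with an all-zero dummy signature."""
    sha256_rsa = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + _tlv(0x05, b""))
    issuer = _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, bytes.fromhex("550403")) + _tlv(0x0c, b"sample-ca"))))
    entry = lambda n: _tlv(0x30, _tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big")) + _tlv(0x17, b"131129180000Z"))
    tbs = _tlv(0x02, b"\x01") + sha256_rsa + issuer + _tlv(0x17, b"131129180000Z") + _tlv(0x17, b"140101000000Z")
    tbs += _tlv(0x30, b"".join(entry(n) for n in serials)) if serials else b""  # field is absent when nothing is revoked
    der = _tlv(0x30, _tlv(0x30, tbs) + sha256_rsa + _tlv(0x03, b"\x00" * 9))
    return (b"-----BEGIN X509 CRL-----\n" + base64.encodebytes(der) + b"-----END X509 CRL-----\n") if pem else der
```

Run revoked_serials() over the file fetched from the CRL manager's export link: a ValueError means the export bug above, an empty list means a well-formed CRL with no revocations, which is what an OpenVPN server can safely reference.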

  • Rebel Alliance Developer Netgate

    It's not the same patch. It's missing the most important part near the top that makes it not empty.



  • ah yes… I later forgot/overlooked the 1st change which calls the update routine...

    --- /usr/local/www/system_crlmanager.php.orig	2013-04-12 16:31:46.000000000 +0200
    +++ /usr/local/www/system_crlmanager.php	2013-11-29 23:21:22.000000000 +0100
    @@ -107,6 +107,7 @@
     }
    
     if ($act == "exp") {
    +	crl_update($thiscrl);
     	$exp_name = urlencode("{$thiscrl['descr']}.crl");
     	$exp_data = base64_decode($thiscrl['text']);
     	$exp_size = strlen($exp_data);
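    Review bot: the return value of `crl_update($thiscrl);` is ignored. If the regeneration fails, the code falls through to `$exp_data = base64_decode($thiscrl['text']);` and serves whatever was stored, which for a CRL that has never been generated may be nothing at all, so the user gets a zero-byte download instead of an error; check the result and stop with an error message before the export headers are sent. This also only works if `crl_update()` writes the fresh text back into `$thiscrl` (by reference); if it returns the regenerated CRL instead, the result must be assigned before `$thiscrl['text']` is read.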
    @@ -580,11 +581,9 @@
    
    -							
     							 [![](/themes/<?= $g['theme'];?>/images/icons/icon_down.gif "<?=gettext(")" alt="" width="17" height="17" border="0" />](system_crlmanager.php?act=exp&id=<?=$tmpcrl['refid'];?>) 
    -							
    
     							 [![](/themes/<?= $g['theme'];?>/images/icons/icon_e.gif "<?=gettext(")" alt="" width="17" height="17" border="0" />](system_crlmanager.php?act=edit&id=<?=$tmpcrl['refid'];?>)
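    Review bot: the hunk as pasted cannot be reviewed: the two removed `-` lines show up empty and the context lines are rendered HTML rather than the PHP source, so the condition that hid the `act=exp` download icon for CRLs with no revoked certificates is not visible. Please post the raw diff. The visible intent is to show the download icon for every CRL, matching the 2.1 behaviour referenced earlier in the thread; make sure only the wrapper around the download icon is removed and the `act=edit` icon that follows keeps its own markup intact.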