pfsense:certificates:revoke_certificate

Revision 2021/02/19 10:08 (current) by peter, section [Checking the logs]; previous revision 2020/07/15 09:30 (external edit).
</WRAP>

----
===== Create new Revocation List =====

Navigate to **System -> Cert Manager**.

Select **Certificate Revocation**.

  * Click **Add or Import CRL**.

{{:pfsense:certificates:pfsense_-_system_-_cert_manager_-_certificate_revocation.png?800|}}

----

In **Create new Revocation List**:

  * Method:  **Create an Internal Certificate Revocation List**.
  * Descriptive name:  **ShareWiz OpenVPN - Revocation List**.
  * Certificate Authority:  **ShareWiz OpenVPN - CA**.  Select the already-created CA that signed the user certificates you intend to revoke. A CRL is signed by its CA, so pfSense can only generate an internal CRL for a CA whose private key is stored on the firewall.

{{:pfsense:certificates:pfsense_-_system_-_cert_manager_-_certificate_revocation_-_create_new_revocation_list.png?800|}}

In **Internal Certificate Revocation List**:

  * Lifetime (Days):  **3650**.  How long the generated CRL stays valid. pfSense regenerates the CRL each time the list changes, but if a CRL is left to expire, OpenVPN rejects every client presenting a certificate from that CA, not only the revoked ones, so do not set this short.
  * Serial:  **0**.  Default; the starting CRL number.

{{:pfsense:certificates:pfsense_-_system_-_cert_manager_-_certificate_revocation_-_internal_certificate_revocation_list.png?800|}}

  * Click **Save**.

----

==== Revocation List is shown as created ====

{{:pfsense:certificates:pfsense_-_system_-_cert_manager_-_certificate_revocation2.png?800|}}

----

===== Add a user certificate to the Revocation List =====

Navigate to **System -> Cert Manager -> Certificate Revocation**.

  * Click the Pencil Icon to Edit CRL.

{{:pfsense:certificates:pfsense_-_system_-_cert_manager_-_certificate_revocation2_-_edit.png?800|}}

shows:

{{:pfsense:certificates:pfsense_-_system_-_cert_manager_-_certificate_revocation_-_edit_-_revoke_cert.png?800|}}

  * Select the user certificate from the drop-down, pick a revocation reason, and click **Add**.

----

This returns to the main Certificate Revocation page with one certificate showing as on the Revocation list.

{{:pfsense:certificates:pfsense_-_system_-_cert_manager_-_certificate_revocation3.png?800|}}

----

===== Check the user certificate is revoked =====

Navigate to **System -> Cert Manager -> Certificate Revocation**.

  * Click the Pencil Icon to Edit CRL.

shows:

{{:pfsense:certificates:pfsense_-_system_-_cert_manager_-_certificate_revocation_-_edit_-_with_currently_revoked_certs.png?800|}}

<WRAP info>
**NOTE:**  This shows the User cert is listed under the currently revoked certificates of the CRL.
</WRAP>

----

Navigate to **System -> Cert Manager -> Certificates**.

{{:pfsense:certificates:pfsense_-_system_-_cert_manager_-_certificates_-_revoked_user.png?800|}}

<WRAP info>
**NOTE:**  This shows the User cert is marked as Revoked.
</WRAP>


<WRAP alert>
**ALERT:**  Even though the certificate is showing as Revoked, this will __NOT__ disable the user from accessing the VPN yet!!!

OpenVPN never consults the pfSense certificate database. On each TLS handshake it checks that the client certificate chains to the server's Peer Certificate Authority and, only if a Revocation List is assigned to that server, that the certificate is not on the list. Until the list is attached to the OpenVPN server, the Revoked status is nothing more than a label in the Cert Manager.

Likewise, if the certificate is later removed from the Revocation List, the user will be able to connect again: the client still holds a certificate validly signed by the CA.

The Revocation List has to be attached to the VPN server.  See next steps.

</WRAP>


----

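The alert above can be reproduced outside the GUI. The script below is an added example, not code from the wiki page or from pfSense: it builds a throw-away CA and client certificate with openssl, issues a CRL, revokes the certificate, and then runs the two verifications an OpenVPN server can perform, once with the CRL in play and once without it. Subject names copy the page; the scratch directory, file names and the ca.cnf are assumptions for the example only.

```shell
#!/bin/sh
# Added example, not part of the wiki page: a throw-away CA, one client certificate
# and a CRL are generated locally with openssl, then checked the way OpenVPN's
# crl-verify checks a peer.  Subject names mirror the page; the scratch directory,
# file names and the ca.cnf below are assumptions for the example only.
set -eu

# Build the scratch PKI (CA, client cert "peter", empty CRL) and print its directory.
make_toy_pki() {
    work=$(mktemp -d)
    (
        cd "$work"
        openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
            -keyout ca.key -out ca.crt \
            -subj "/C=JE/L=St. Helier/O=ShareWiz/CN=ShareWiz OpenVPN - CA" >/dev/null 2>&1
        openssl req -newkey rsa:2048 -nodes -sha256 -keyout peter.key -out peter.csr \
            -subj "/C=JE/L=St. Helier/O=ShareWiz/CN=peter" >/dev/null 2>&1
        openssl x509 -req -sha256 -days 365 -in peter.csr -CA ca.crt -CAkey ca.key \
            -CAcreateserial -out peter.crt >/dev/null 2>&1
        # 'openssl ca' needs an index database; pfSense keeps the equivalent in config.xml.
        mkdir db && : > db/index.txt && echo 01 > db/crlnumber
        cat > ca.cnf <<'EOF'
[ ca ]
default_ca = crl_ca
[ crl_ca ]
database         = db/index.txt
crlnumber        = db/crlnumber
certificate      = ca.crt
private_key      = ca.key
default_md       = sha256
default_crl_days = 3650
EOF
        # Empty CRL with the page's 3650-day lifetime: nobody revoked yet.
        openssl ca -config ca.cnf -gencrl -out crl.pem >/dev/null 2>&1
    )
    echo "$work"
}

# Put peter on the CRL and re-issue it: what pfSense does when a certificate is
# added to the Revocation List.
revoke_client() {   # $1 = scratch dir
    ( cd "$1" && openssl ca -config ca.cnf -revoke peter.crt >/dev/null 2>&1 \
              && openssl ca -config ca.cnf -gencrl -out crl.pem >/dev/null 2>&1 )
}

# What an OpenVPN server with "Peer Certificate Revocation list" set does:
# chain the peer cert to the CA *and* consult the CRL.  Prints ok, revoked or error.
verify_with_crl() {  # $1 = scratch dir
    out=$( cd "$1" && openssl verify -crl_check -CAfile ca.crt -CRLfile crl.pem peter.crt 2>&1 ) || true
    case "$out" in
        *"certificate revoked"*) echo revoked ;;
        *": OK"*)                echo ok ;;
        *)                       echo error ;;
    esac
}

# What the same server does with no CRL attached: only the CA signature is
# checked, so the Cert Manager's "Revoked" label changes nothing.
verify_without_crl() {  # $1 = scratch dir
    out=$( cd "$1" && openssl verify -CAfile ca.crt peter.crt 2>&1 ) || true
    case "$out" in *": OK"*) echo ok ;; *) echo error ;; esac
}

# Serial numbers listed on the CRL, to compare with the Cert Manager view.
crl_serials() {  # $1 = scratch dir
    openssl crl -in "$1/crl.pem" -noout -text | awk '/Serial Number:/ { print $3 }'
}

main() {
    dir=$(make_toy_pki)
    echo "before revocation, CRL checked: $(verify_with_crl "$dir")"
    revoke_client "$dir"
    echo "after revocation,  CRL checked: $(verify_with_crl "$dir")"
    echo "after revocation,  no CRL:      $(verify_without_crl "$dir")"
    echo "serials on the CRL: $(crl_serials "$dir")"
    rm -rf "$dir"
}
main
```

Run as-is, the second line reads revoked while the third reads ok: the revocation is only visible to a verifier that is handed the CRL. On pfSense the export icons in the Cert Manager give you the real CA certificate, CRL and user certificate, and the same openssl verify -crl_check command tells you whether a given certificate would now be rejected.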
===== Add the Revocation list to the VPN Server =====

Navigate to **VPN -> OpenVPN -> Servers**.

  * Click the Pencil Icon to edit.

{{:pfsense:certificates:pfsense_-_vpn_-_openvpn_-_servers_-_edit.png?800|}}

----

In **Cryptographic Settings**:

  * Peer Certificate Revocation list:  **Select the Revocation list to use**.  It must be the CRL issued by the same CA that the server uses as its Peer Certificate Authority; a CRL from another CA will never match the client certificates.

{{:pfsense:certificates:pfsense_-_vpn_-_openvpn_-_servers_-_edit_-_cryptographic_settings_-_peer_certificate_revocation_list.png?800|}}

  * Click **Save**.

Saving restarts the OpenVPN server with a crl-verify directive pointing at the CRL file pfSense writes for it. pfSense rewrites that file whenever the list changes, so certificates revoked later are rejected on their next handshake without editing the server again. A client that is already connected is not dropped on the spot: its certificate is re-checked at the next TLS renegotiation, so kill its session from **Status -> OpenVPN** if it must go immediately.

===== Test =====

Try to connect using the VPN client with the revoked certificate.

This should fail.

==== Checking the logs ====

Navigate to **Status -> System Logs -> OpenVPN**.

<code>
...
Feb 19 09:46:24 openvpn 2000 192.168.1.102:48212 VERIFY ERROR: depth=0, error=certificate revoked: C=JE, L=St. Helier, O=ShareWiz, CN=peter
Feb 19 09:46:24 openvpn 2000 192.168.1.102:48212 OpenSSL: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
Feb 19 09:46:24 openvpn 2000 192.168.1.102:48212 TLS_ERROR: BIO read tls_read_plaintext error
Feb 19 09:46:24 openvpn 2000 192.168.1.102:48212 TLS Error: TLS object -> incoming plaintext read error
Feb 19 09:46:24 openvpn 2000 192.168.1.102:48212 TLS Error: TLS handshake failed
Feb 19 09:47:01 openvpn 2000 192.168.1.102:52702 VERIFY ERROR: depth=0, error=certificate revoked: C=JE, L=St. Helier, O=ShareWiz, CN=peter
Feb 19 09:47:01 openvpn 2000 192.168.1.102:52702 OpenSSL: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
Feb 19 09:47:01 openvpn 2000 192.168.1.102:52702 TLS_ERROR: BIO read tls_read_plaintext error
Feb 19 09:47:01 openvpn 2000 192.168.1.102:52702 TLS Error: TLS object -> incoming plaintext read error
Feb 19 09:47:01 openvpn 2000 192.168.1.102:52702 TLS Error: TLS handshake failed
...
</code>

<WRAP info>
**NOTE:** The log shows the TLS handshake being refused because certificate verification failed with "certificate revoked" at depth=0, that is, on the client certificate itself (CN=peter) rather than on the CA. Each rejected attempt from 192.168.1.102 appears as one VERIFY ERROR line followed by the resulting TLS errors.
</WRAP>
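That VERIFY ERROR line is the basis for a simple detection. The script below is an added example, not from the wiki page: it reduces OpenVPN log lines in the format above to one line per client address and certificate CN, and flags clients that keep retrying with a revoked certificate. The sample log is constructed; its first three lines are modelled on the page, the remaining ones are invented for the example.

```shell
#!/bin/sh
# Added example, not part of the wiki page: detection logic over OpenVPN log lines
# in the pfSense format shown above.  SAMPLE_LOG is constructed for this example;
# the first three lines are modelled on the page, the others are invented.
# IPv4 peers only: the "ip:port" split below does not handle bracketed IPv6 peers.

SAMPLE_LOG='Feb 19 09:46:24 openvpn 2000 192.168.1.102:48212 VERIFY ERROR: depth=0, error=certificate revoked: C=JE, L=St. Helier, O=ShareWiz, CN=peter
Feb 19 09:46:24 openvpn 2000 192.168.1.102:48212 TLS Error: TLS handshake failed
Feb 19 09:47:01 openvpn 2000 192.168.1.102:52702 VERIFY ERROR: depth=0, error=certificate revoked: C=JE, L=St. Helier, O=ShareWiz, CN=peter
Feb 19 09:50:10 openvpn 2000 10.0.0.7:41000 VERIFY ERROR: depth=0, error=certificate revoked: C=JE, L=St. Helier, O=ShareWiz, CN=alice
Feb 19 09:51:00 openvpn 2000 10.0.0.9:41001 VERIFY OK: depth=0, C=JE, L=St. Helier, O=ShareWiz, CN=bob'

# Read OpenVPN log lines on stdin; print "count client_ip CN" for every
# (client, certificate) pair rejected because the certificate is on the CRL.
revoked_attempts() {
    awk '
        /VERIFY ERROR: depth=0, error=certificate revoked/ {
            split($6, peer, ":")          # $6 is "ip:port"; drop the source port
            cn = $0
            sub(/.*CN=/, "", cn)          # the subject is printed last, with CN last in it
            sub(/[ \t\r]+$/, "", cn)
            count[peer[1] " " cn]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -k2,2 -k3,3
}

# Keep only pairs seen at least $1 times: a revoked certificate that keeps
# retrying is worth a ticket (lost laptop, copied key, or a profile nobody removed).
repeat_offenders() {
    awk -v min="$1" '$1 >= min'
}

printf '%s\n' "$SAMPLE_LOG" | revoked_attempts
echo '--- repeat offenders (2 or more attempts) ---'
printf '%s\n' "$SAMPLE_LOG" | revoked_attempts | repeat_offenders 2
```

On the firewall itself the same functions can be fed from the OpenVPN log file instead of SAMPLE_LOG; only the VERIFY ERROR lines are used, so the surrounding TLS noise does not matter.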


----

<WRAP alert>
**ALERT:**  Deleting the user and the certificate from pfSense will __NOT__ stop them from accessing the VPN.

The client still holds its copy of the certificate, and OpenVPN only checks that the certificate is signed by the CA and that it is not on the attached Revocation List; the firewall's certificate database is never consulted. Deleting a certificate therefore does not disable VPN connectivity.

Always revoke first: add the certificate to the Revocation List while it still exists in the Cert Manager, and make sure that list is attached to the OpenVPN server. The CRL keeps its own copy of each revoked certificate, so the entry survives a later deletion.

Conversely, if the certificate is removed from the Revocation List, the user will be able to connect again for as long as the server trusts the CA that signed it.

</WRAP>
  