====== pfsense:certificates:revoke_certificate ======

Revision 2021/02/19 10:08 (current) by peter, compared with the previous revision of 2021/02/18 17:56.

----
Navigate to **System -> Cert Manager -> Certificates**.

{{:pfsense:certificates:pfsense_-_system_-_cert_manager_-_certificates_-_revoked_user.png?800|}}

<WRAP info>
**NOTE:**  The User certificate is now shown as Revoked.
</WRAP>


<WRAP alert>
**ALERT:**  A certificate that shows as Revoked in the Cert Manager does __NOT__ yet stop the user from connecting to the VPN.

Deleting the certificate from the Cert Manager does not help either. The OpenVPN server validates a client certificate against the CA and, if one is configured, the CRL; it never consults pfSense's certificate store, so a deleted but unrevoked certificate is still accepted.

The revocation list has to be selected on the OpenVPN server.  See the next steps.

</WRAP>

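The mechanism behind the alert above, reproduced with a throw-away OpenSSL CA. This is an added shell example, not content from the pfSense wiki or pfSense's own code; it assumes the ''openssl'' command line tool is installed, and the CA name, the user ''peter'' and the temporary directory layout are made up for the demonstration. Step 1 mirrors deleting the certificate from the Cert Manager, step 2 mirrors revoking it without attaching the CRL to the server, and step 3 is what the OpenVPN server does once the CRL is selected (its ''crl-verify'' option).

```shell
#!/bin/sh
# Added example (not from the pfSense page): show why "Revoked" in the Cert Manager,
# or deleting the certificate, changes nothing until the CRL reaches the verifier.
# All names (Demo CA, peter, the directory layout) are made up for the demonstration.
set -eu

WORK="$(mktemp -d)"
CA="$WORK/ca"
CLIENT="$WORK/client"      # the copy the user keeps in the OpenVPN client profile

build_ca() {
    mkdir -p "$CA/newcerts"
    : > "$CA/index.txt"    # the CA's certificate database (pfSense's cert store plays this role)
    echo 1000 > "$CA/serial"
    echo 1000 > "$CA/crlnumber"

    # Minimal "openssl ca" configuration; absolute paths so the cwd does not matter.
    cat > "$CA/ca.cnf" <<EOF
[ ca ]
default_ca       = demo_ca

[ demo_ca ]
database         = $CA/index.txt
new_certs_dir    = $CA/newcerts
certificate      = $CA/ca.crt
private_key      = $CA/ca.key
serial           = $CA/serial
crlnumber        = $CA/crlnumber
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = policy_cn

[ policy_cn ]
commonName       = supplied
EOF

    # Self-signed CA certificate, explicitly marked as a CA that may sign certs and CRLs.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$CA/ca.ext"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$CA/ca.key" \
        -out "$CA/ca.csr" -subj "/CN=Demo CA" 2>/dev/null
    openssl x509 -req -in "$CA/ca.csr" -signkey "$CA/ca.key" -days 365 \
        -extfile "$CA/ca.ext" -out "$CA/ca.crt" 2>/dev/null
}

issue_client_cert() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$CLIENT.key" \
        -out "$CLIENT.csr" -subj "/CN=peter" 2>/dev/null
    openssl ca -config "$CA/ca.cnf" -batch -notext \
        -in "$CLIENT.csr" -out "$CLIENT.crt" 2>/dev/null
}

# What an OpenVPN server without crl-verify does: chain check against the CA only.
verify_without_crl() {
    openssl verify -CAfile "$CA/ca.crt" "$CLIENT.crt" >/dev/null 2>&1
}

# What it does once the CRL is selected: chain check plus revocation check.
verify_with_crl() {
    openssl verify -crl_check -CAfile "$CA/ca.crt" -CRLfile "$CA/crl.pem" "$CLIENT.crt" 2>&1
}

build_ca
issue_client_cert

# Step 1: "delete" the certificate on the CA side (like removing it from Cert Manager).
# The client's copy is untouched and the CA signature on it is still valid.
rm -f "$CA"/newcerts/*.pem
verify_without_crl && echo "deleted from the CA store: still accepted"

# Step 2: revoke it and publish a CRL. A verifier that is not given the CRL
# cannot know about the revocation.
openssl ca -config "$CA/ca.cnf" -revoke "$CLIENT.crt" 2>/dev/null
openssl ca -config "$CA/ca.cnf" -gencrl -out "$CA/crl.pem" 2>/dev/null
verify_without_crl && echo "revoked, but the verifier has no CRL: still accepted"

# Step 3: CA plus CRL, as OpenVPN does with crl-verify configured.
verify_with_crl || true    # reports "certificate revoked"
```

The deleted copy in the CA's own store never enters the picture: the server only ever sees the certificate the client presents, the CA certificate it trusts, and whatever CRL it was told to load.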
----

===== Add the Revocation list to the VPN Server =====

Navigate to **VPN -> OpenVPN -> Servers**.

  * Click the Pencil Icon to edit.

{{:pfsense:certificates:pfsense_-_vpn_-_openvpn_-_servers_-_edit.png?800|}}

----

In **Cryptographic Settings**:

  * Peer Certificate Revocation list:  select the revocation list that contains the revoked certificate. This becomes the ''crl-verify'' option of the OpenVPN server; only a CRL selected here is consulted during the TLS handshake.

{{:pfsense:certificates:pfsense_-_vpn_-_openvpn_-_servers_-_edit_-_cryptographic_settings_-_peer_certificate_revocation_list.png?800|}}

  * Click **Save**.

----

===== Test =====

Try to connect using the VPN client.

This should fail.

The revocation check runs during the TLS handshake. Saving the server settings restarts that OpenVPN instance, so any session the revoked user already had is dropped at that point; a certificate revoked later, while its user is connected, is only rejected at the next TLS renegotiation or reconnect.

==== Checking the logs ====

Navigate to **Status -> System Logs -> OpenVPN**.

<code>
...
Feb 19 09:46:24 openvpn 2000 192.168.1.102:48212 VERIFY ERROR: depth=0, error=certificate revoked: C=JE, L=St. Helier, O=ShareWiz, CN=peter
Feb 19 09:46:24 openvpn 2000 192.168.1.102:48212 OpenSSL: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
Feb 19 09:46:24 openvpn 2000 192.168.1.102:48212 TLS_ERROR: BIO read tls_read_plaintext error
Feb 19 09:46:24 openvpn 2000 192.168.1.102:48212 TLS Error: TLS object -> incoming plaintext read error
Feb 19 09:46:24 openvpn 2000 192.168.1.102:48212 TLS Error: TLS handshake failed
Feb 19 09:47:01 openvpn 2000 192.168.1.102:52702 VERIFY ERROR: depth=0, error=certificate revoked: C=JE, L=St. Helier, O=ShareWiz, CN=peter
Feb 19 09:47:01 openvpn 2000 192.168.1.102:52702 OpenSSL: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
Feb 19 09:47:01 openvpn 2000 192.168.1.102:52702 TLS_ERROR: BIO read tls_read_plaintext error
Feb 19 09:47:01 openvpn 2000 192.168.1.102:52702 TLS Error: TLS object -> incoming plaintext read error
Feb 19 09:47:01 openvpn 2000 192.168.1.102:52702 TLS Error: TLS handshake failed
...
</code>

<WRAP info>
**NOTE:** The handshake fails at ''VERIFY ERROR: depth=0, error=certificate revoked''; depth 0 is the client certificate itself, and the lines that follow are the consequences of that one rejection. The source address and the certificate's CN identify who tried.
</WRAP>


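The log lines above are also worth watching after the fact: a user whose access was removed has no reason to keep presenting the revoked certificate, so repeated rejections from one source are a signal. The following is an added shell example, not part of the pfSense page or of pfSense itself; it aggregates the ''VERIFY ERROR ... certificate revoked'' lines by certificate CN and source address. The sample input is constructed from the excerpt above, in the format pfSense writes to the OpenVPN log.

```shell
#!/bin/sh
# Added example (not from the pfSense page): count rejected connection attempts
# that failed with "certificate revoked", per certificate CN and source address,
# so repeat attempts with a revoked certificate can be alerted on.

# Sample input constructed from the log excerpt on the page (same format pfSense writes).
SAMPLE_LOG='Feb 19 09:46:24 openvpn 2000 192.168.1.102:48212 VERIFY ERROR: depth=0, error=certificate revoked: C=JE, L=St. Helier, O=ShareWiz, CN=peter
Feb 19 09:46:24 openvpn 2000 192.168.1.102:48212 OpenSSL: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
Feb 19 09:46:24 openvpn 2000 192.168.1.102:48212 TLS Error: TLS handshake failed
Feb 19 09:47:01 openvpn 2000 192.168.1.102:52702 VERIFY ERROR: depth=0, error=certificate revoked: C=JE, L=St. Helier, O=ShareWiz, CN=peter
Feb 19 09:47:01 openvpn 2000 192.168.1.102:52702 TLS Error: TLS handshake failed'

# revoked_attempts: read OpenVPN log lines on stdin and print one line
# "<count> <CN> <source-ip>" per (CN, source) pair rejected as revoked.
revoked_attempts() {
    awk '
        /VERIFY ERROR: .*error=certificate revoked/ {
            src = $6                      # field 6 is the peer "ip:port"
            sub(/:[0-9]+$/, "", src)      # drop the ephemeral port
            cn = $0
            sub(/.*CN=/, "", cn)          # keep what follows the last "CN="
            sub(/,.*/, "", cn)            # ... up to the next DN component
            count[cn " " src]++
        }
        END { for (k in count) print count[k], k }
    '
}

# alert_if_repeated THRESHOLD: only the pairs seen at least THRESHOLD times.
alert_if_repeated() {
    revoked_attempts | awk -v min="$1" '$1 >= min'
}

# Stand-alone usage: two rejections of "peter" from 192.168.1.102 in the sample.
printf '%s\n' "$SAMPLE_LOG" | alert_if_repeated 2
```

On a live system the same functions can be fed from the OpenVPN log file instead of the constructed sample; the threshold is where a practitioner tunes the noise floor.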
----

<WRAP alert>
**ALERT:**  Deleting the user and the certificate from pfSense does __NOT__ stop them from connecting to the VPN.

The client still holds a certificate signed by the trusted CA, and the OpenVPN server only checks the CA chain and the selected CRL, never pfSense's certificate store. A certificate must therefore be revoked into a CRL that is selected on the OpenVPN server; deleting it, or removing it from the CRL again, leaves it accepted until it expires.

</WRAP>
