====== PFSense - Certificates - Revoke Certificate ======
* Create a new revocation list from **System -> CertManager -> CertificateRevocation**.
* Add the certificates that you do not want to be active any more.
* Assign the new revocation list to the VPN server, in my case under **VPN -> OpenVPN -> Servers**.
You can easily choose your revocation list from the **Peer Certificate Revocation list** setting.
**NOTE**: No restart or refresh is needed; the change takes effect immediately.
----
===== Create new Revocation List =====
Navigate to **System -> Cert Manager**.
Select **Certificate Revocation**.
* Click **Add or Import CRL**.
{{:pfsense:certificates:pfsense_-_system_-_cert_manager_-_certificate_revocation.png?800|}}
----
In **Create new Revocation List**:
* Method: **Create an Internal Certificate Revocation List**.
* Descriptive name: **ShareWiz OpenVPN - Revocation List**.
* Certificate Authority: **ShareWiz OpenVPN - CA**. Select a CA that has already been created.
{{:pfsense:certificates:pfsense_-_system_-_cert_manager_-_certificate_revocation_-_create_new_revocation_list.png?800|}}
In **Internal Certificate Revocation List**:
* Lifetime (Days): **3650**.
* Serial: **0**. Default.
{{:pfsense:certificates:pfsense_-_system_-_cert_manager_-_certificate_revocation_-_internal_certificate_revocation_list.png?800|}}
* Click **Save**.
----
==== Revocation List is shown as created ====
{{:pfsense:certificates:pfsense_-_system_-_cert_manager_-_certificate_revocation2.png?800|}}
----
===== Add a user certificate to the Revocation List =====
Navigate to **System -> Cert Manager -> Certificate Revocation**.
* Click the Pencil Icon to Edit CRL.
{{:pfsense:certificates:pfsense_-_system_-_cert_manager_-_certificate_revocation2_-_edit.png?800|}}
This shows:
{{:pfsense:certificates:pfsense_-_system_-_cert_manager_-_certificate_revocation_-_edit_-_revoke_cert.png?800|}}
----
This returns to the main Certificate Revocation page with one certificate showing as on the Revocation list.
{{:pfsense:certificates:pfsense_-_system_-_cert_manager_-_certificate_revocation3.png?800|}}
----
===== Check the user certificate is revoked =====
Navigate to **System -> Cert Manager -> Certificate Revocation**.
* Click the Pencil Icon to Edit CRL.
This shows:
{{:pfsense:certificates:pfsense_-_system_-_cert_manager_-_certificate_revocation_-_edit_-_with_currently_revoked_certs.png?800|}}
**NOTE:** This shows the User cert is revoked.
----
Navigate to **System -> Cert Manager -> Certificates**.
{{:pfsense:certificates:pfsense_-_system_-_cert_manager_-_certificates_-_revoked_user.png?800|}}
**NOTE:** This shows the User cert is revoked.
**ALERT:** Even though the certificate is showing as Revoked, this will __NOT__ disable the user from accessing the VPN!
Even if the certificate is deleted from the revocation list, but the certificate is still in the certificate database, the user will still be able to connect!
The revocation list has to be enabled and configured on the VPN server. See next steps.
----
===== Add the Revocation list to the VPN Server =====
Navigate to **VPN -> OpenVPN -> Servers**.
* Click the Pencil Icon to edit.
{{:pfsense:certificates:pfsense_-_vpn_-_openvpn_-_servers_-_edit.png?800|}}
----
In **Cryptographic Settings**:
* Peer Certificate Revocation list: **Select the Revocation list to use**.
{{:pfsense:certificates:pfsense_-_vpn_-_openvpn_-_servers_-_edit_-_cryptographic_settings_-_peer_certificate_revocation_list.png?800|}}
* Click **Save**.
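The effect of the revoke and assign steps above, and of the ALERT that a revoked or deleted certificate still connects until the server checks a CRL, reproduced with a throwaway OpenSSL CA instead of pfSense. This is an added example, not code from the page or from pfSense: it builds a CA and a user certificate for peter, revokes peter into a CRL, and runs the verification an OpenVPN server performs with and without that CRL assigned. The CA name and user name follow the page; the lab directory, config file and file names are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the page or from pfSense: a throwaway CA, a user
# cert for "peter", a CRL revoking it, and the check an OpenVPN server makes.
set -e
LAB=$(mktemp -d)              # constructed lab directory, removed on exit
trap 'rm -rf "$LAB"' EXIT
cd "$LAB"
# One config for "openssl req" (CA extensions) and "openssl ca" (CRL database).
cat > lab.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = ca_ext
[ dn ]
[ ca_ext ]
basicConstraints = critical,CA:TRUE
[ ca ]
default_ca = crl_ca
[ crl_ca ]
database         = index.txt
serial           = serial
new_certs_dir    = .
crlnumber        = crlnumber
default_md       = sha256
default_crl_days = 3650
EOF
touch index.txt; echo 01 > serial; echo 01 > crlnumber
# The CA that pfSense's Cert Manager holds for OpenVPN.
openssl req -x509 -config lab.cnf -newkey rsa:2048 -nodes -days 365 \
  -keyout ca.key -out ca.crt -subj "/O=ShareWiz/CN=ShareWiz OpenVPN - CA" 2>/dev/null
# User certificate "peter", issued by that CA.
openssl req -config lab.cnf -newkey rsa:2048 -nodes -keyout peter.key \
  -out peter.csr -subj "/O=ShareWiz/CN=peter" 2>/dev/null
openssl x509 -req -in peter.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -days 365 -out peter.crt 2>/dev/null
# Revoke peter and issue the CRL (the page's Edit CRL -> Revoke step).
openssl ca -config lab.cnf -cert ca.crt -keyfile ca.key -revoke peter.crt 2>/dev/null
openssl ca -config lab.cnf -cert ca.crt -keyfile ca.key -gencrl -out crl.pem 2>/dev/null
# Is peter's serial in the CRL? This is what Edit CRL lists as revoked.
crl_revokes_peter() {
  serial=$(openssl x509 -in peter.crt -noout -serial | cut -d= -f2)
  openssl crl -in crl.pem -noout -text | grep -q "Serial Number: $serial" \
    && echo yes || echo no
}
# Server with no CRL assigned: the revocation is invisible and peter is accepted.
verify_without_crl() { openssl verify -CAfile ca.crt peter.crt >/dev/null 2>&1 && echo accepted || echo rejected; }
# Server with the CRL assigned (Peer Certificate Revocation list): peter is rejected.
verify_with_crl() { openssl verify -crl_check -CAfile ca.crt -CRLfile crl.pem peter.crt >/dev/null 2>&1 && echo accepted || echo rejected; }
echo "in CRL: $(crl_revokes_peter); no CRL on server: $(verify_without_crl); CRL on server: $(verify_with_crl)"
```

The "rejected" case is the same "certificate revoked" verification error the OpenVPN log shows in the Test section.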
----
===== Test =====
Try to connect using the VPN client.
This should fail.
==== Checking the logs ====
Navigate to **Status -> System Logs -> OpenVPN**.
<code>
...
Feb 19 09:46:24 openvpn 2000 192.168.1.102:48212 VERIFY ERROR: depth=0, error=certificate revoked: C=JE, L=St. Helier, O=ShareWiz, CN=peter
Feb 19 09:46:24 openvpn 2000 192.168.1.102:48212 OpenSSL: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
Feb 19 09:46:24 openvpn 2000 192.168.1.102:48212 TLS_ERROR: BIO read tls_read_plaintext error
Feb 19 09:46:24 openvpn 2000 192.168.1.102:48212 TLS Error: TLS object -> incoming plaintext read error
Feb 19 09:46:24 openvpn 2000 192.168.1.102:48212 TLS Error: TLS handshake failed
Feb 19 09:47:01 openvpn 2000 192.168.1.102:52702 VERIFY ERROR: depth=0, error=certificate revoked: C=JE, L=St. Helier, O=ShareWiz, CN=peter
Feb 19 09:47:01 openvpn 2000 192.168.1.102:52702 OpenSSL: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
Feb 19 09:47:01 openvpn 2000 192.168.1.102:52702 TLS_ERROR: BIO read tls_read_plaintext error
Feb 19 09:47:01 openvpn 2000 192.168.1.102:52702 TLS Error: TLS object -> incoming plaintext read error
Feb 19 09:47:01 openvpn 2000 192.168.1.102:52702 TLS Error: TLS handshake failed
...
</code>
**NOTE:** The log shows that certificate verification failed because the certificate is revoked.
----
**ALERT:** Deleting the user and certificate from pfSense will __NOT__ disable them from accessing the VPN.
Deleting certificates will not disable VPN connectivity.
The revocation list has to be enabled and configured on the VPN server.
Even if the certificate is deleted from the revocation list, but the certificate is still in the certificate database, the user will still be able to connect!