Table of Contents
PFSense - Certificates - Revoke Certificate
- Create a new revocation list from System → CertManager → CertificateRevocation.
- Add the certificates that you do not want to be active any more.
- Assign the new revocation list to the vpn server in my case VPN → OpenVPN → Servers.
You can easily choose your revocation list from the Peer Certificate Revocation list.
NOTE: Do not need to restart or refresh the change is immediately.
Create new Revocation List
Navigate to System → Cert Manager.
Select Certificate Revocation.
- Click Add or Import CRL.
In Create new Revocation List:
- Method: Create an Internal Certificate Revocation List..
- Descriptive name: ShareWiz OpenVPN - Revocation List.
- Certificate Authority: ShareWiz OpenVPN - CA. Select here a CA that is already created.
In Internal Certificate Revocation List:
- Lifetime (Days): 3650.
- Serial: 0. Default.
- Click Save.
Revocation List is shown as created
Add a user certificate to the Revocation List
Navigate to System → Cert.Manager → Certificate Revocation.
- Click the Pencil Icon to Edit CRL.
shows:
This returns to the main Certificate Revocation page with one certificate showing as on the Revocation list.
Check the user certificate is revoked
Navigate to System → Cert.Manager → Certificate Revocation.
- Click the Pencil Icon to Edit CRL.
shows:
NOTE: This shows the User cert is revoked.
Navigate to System → Cert Manager → Certificates.
NOTE: This shows the User cert is revoked.
ALERT: Even though the certificate is showing as Revoked, this will NOT disable the user from accessing the VPN!!!
Even if the certificate is deleted from the from revocation list, but the certificate is still in the certificate database, the user will still be able to connect!
The Revocation Lists has to be enabled and configured. See next steps.
Add the Revocation list to the VPN Server
Navigate to VPN → OpenVPN → Servers.
- Click the Pencil Icon to edit.
In Cryptographic Settings:
- Peer Certificate Revocation list: Select the Revocation list to use.
- Click Save.
Test
Try to connect using the VPN client.
This should fails.
Checking the logs
Navigate to Status → System Logs → OpenVPN.
... Feb 19 09:46:24 openvpn 2000 192.168.1.102:48212 VERIFY ERROR: depth=0, error=certificate revoked: C=JE, L=St. Helier, O=ShareWiz, CN=peter Feb 19 09:46:24 openvpn 2000 192.168.1.102:48212 OpenSSL: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed Feb 19 09:46:24 openvpn 2000 192.168.1.102:48212 TLS_ERROR: BIO read tls_read_plaintext error Feb 19 09:46:24 openvpn 2000 192.168.1.102:48212 TLS Error: TLS object -> incoming plaintext read error Feb 19 09:46:24 openvpn 2000 192.168.1.102:48212 TLS Error: TLS handshake failed Feb 19 09:47:01 openvpn 2000 192.168.1.102:52702 VERIFY ERROR: depth=0, error=certificate revoked: C=JE, L=St. Helier, O=ShareWiz, CN=peter Feb 19 09:47:01 openvpn 2000 192.168.1.102:52702 OpenSSL: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed Feb 19 09:47:01 openvpn 2000 192.168.1.102:52702 TLS_ERROR: BIO read tls_read_plaintext error Feb 19 09:47:01 openvpn 2000 192.168.1.102:52702 TLS Error: TLS object -> incoming plaintext read error Feb 19 09:47:01 openvpn 2000 192.168.1.102:52702 TLS Error: TLS handshake failed ...
NOTE: The log shows the certificate verification failed due to certificate revoked
ALERT: Deleting the user and certificate from the pFSense will NOT disable them from accessing the VPN.
Deleting certificates will not disable VPN connectivity.
The Revocation Lists has to be enabled and configured.
Even if the certificate is deleted from the from revocation list, but the certificate is still in the certificate database, the user will still be able to connect!