pfSense - Certificates - Revoke Certificate
- Create a new revocation list under System → Cert Manager → Certificate Revocation.
- Add to it the certificates that must no longer be accepted.
- Assign the new revocation list to the VPN server, in this case under VPN → OpenVPN → Servers.
The revocation list is selected from the Peer Certificate Revocation list drop-down of the server.
NOTE: No restart or refresh is needed; the change takes effect immediately for new connection attempts. A client that is already connected keeps its session until it reconnects or renegotiates, so kill its session under Status → OpenVPN if it has to be cut off right away.
Create new Revocation List
Navigate to System → Cert Manager.
Select Certificate Revocation.
- Click Add or Import CRL.
In Create new Revocation List:
- Method: Create an Internal Certificate Revocation List.
- Descriptive name: ShareWiz OpenVPN - Revocation List.
- Certificate Authority: ShareWiz OpenVPN - CA. Select a CA that already exists; the CRL is signed by this CA and only applies to certificates it issued.
In Internal Certificate Revocation List:
- Lifetime (Days): 3650. Clients are refused once the CRL expires, so keep this long enough that it does not lapse unnoticed.
- Serial: 0 (default).
- Click Save.
Revocation List is shown as created
Add a user certificate to the Revocation List
Navigate to System → Cert Manager → Certificate Revocation.
- Click the Pencil Icon to Edit CRL.
The Edit CRL page opens. Under Choose a Certificate to Revoke, select the user certificate, pick a Reason, and click Add.
This returns to the main Certificate Revocation page, which now shows one certificate on the revocation list.
Check the user certificate is revoked
Navigate to System → Cert Manager → Certificate Revocation.
- Click the Pencil Icon to Edit CRL.
The Edit CRL page lists the user certificate among the revoked certificates, with its revocation date and reason.
NOTE: This confirms the user certificate is revoked.
Navigate to System → Cert Manager → Certificates.
NOTE: The user certificate's entry in the Certificates list is marked as Revoked.
Add the Revocation list to the VPN Server
Navigate to VPN → OpenVPN → Servers.
- Click the Pencil Icon to edit.
In Cryptographic Settings:
- Peer Certificate Revocation list: Select the Revocation list to use.
- Click Save.
Test
Try to connect using the VPN client.
ALERT: Deleting the user and the user certificate from pfSense will NOT stop that certificate from authenticating to the VPN.
OpenVPN validates a client certificate against the CA that signed it, not against the list of certificates stored in Cert Manager, so a deleted certificate remains valid until it expires; the client still holds its copy.
The revocation list has to be created, the certificate added to it, and the list assigned to the OpenVPN server.
If the certificate is removed from the revocation list again (or was never added), the client can connect again, whether or not the certificate is still in the certificate database.
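The following script is an added example and is not part of this page or of pfSense; it reproduces with the openssl command line what the procedure above does, so the ALERT can be checked offline. A throw-away CA (standing in for "ShareWiz OpenVPN - CA"), one client certificate and a CRL are constructed in a temporary directory; the names ca.cnf, user.crt, crl.pem and the shell functions are the example's own. It verifies the client certificate the two ways OpenVPN does: against the CA only (no CRL assigned) and against CA plus CRL (Peer Certificate Revocation list set), before and after revocation.

```shell
#!/bin/sh
# Added example (not from the pfSense page): what a pfSense CRL does for OpenVPN,
# replayed with openssl. CA, client cert and CRL are all constructed here in a
# temporary directory; nothing is exported from a real firewall.
set -e

WORK=$(mktemp -d)
cd "$WORK"

# Minimal openssl CA database; stands in for the CA entry in Cert Manager.
cat > ca.cnf <<'EOF'
[ ca ]
default_ca       = demo_ca
[ demo_ca ]
dir              = .
database         = $dir/index.txt
new_certs_dir    = $dir
certificate      = $dir/ca.crt
private_key      = $dir/ca.key
serial           = $dir/serial
crlnumber        = $dir/crlnumber
default_md       = sha256
default_days     = 365
default_crl_days = 3650
policy           = demo_policy
[ demo_policy ]
commonName       = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
[ usr_cert ]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
EOF
touch index.txt
echo 01 > serial
echo 01 > crlnumber

# Self-signed CA, the equivalent of "ShareWiz OpenVPN - CA".
make_ca() {
  openssl req -x509 -config ca.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
    -days 3650 -subj "/CN=Demo OpenVPN CA" -keyout ca.key -out ca.crt 2>/dev/null
}

# Issue a client certificate the way Cert Manager does for a VPN user.
issue_client() {
  openssl req -config ca.cnf -newkey rsa:2048 -nodes -subj "/CN=user1" \
    -keyout user.key -out user.csr 2>/dev/null
  openssl ca -batch -config ca.cnf -extensions usr_cert -notext \
    -in user.csr -out user.crt >/dev/null 2>&1
}

# What OpenVPN checks when no CRL is assigned: only the CA signature.
verify_ca_only() {
  openssl verify -CAfile ca.crt user.crt >/dev/null 2>&1
}

# Publish the CRL; it is empty until something is revoked ("Create new Revocation List").
gen_crl() {
  openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null
}

# What OpenVPN checks once Peer Certificate Revocation list is set: CA plus CRL.
verify_with_crl() {
  openssl verify -crl_check -CAfile ca.crt -CRLfile crl.pem user.crt >/dev/null 2>&1
}

# Revoke user.crt and regenerate the CRL ("Add a user certificate to the Revocation List").
revoke_client() {
  openssl ca -config ca.cnf -revoke user.crt 2>/dev/null
  gen_crl
}

make_ca
issue_client
gen_crl
verify_ca_only  && echo "no CRL, cert valid:            connect OK"
verify_with_crl && echo "empty CRL, cert valid:         connect OK"
revoke_client
# Deleting user.crt from the server side would change nothing here: the client
# still holds the certificate and the CA signature on it is still good.
verify_ca_only  && echo "revoked, no CRL assigned:      connect OK  (the ALERT above)"
verify_with_crl || echo "revoked, CRL assigned:         connect refused"
```

Run it with any openssl 1.1.1 or 3.x; the third line of output is the one the ALERT is about, and the fourth is what the assigned CRL buys you.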