How to revoke a user certificate on pfSense (OpenVPN)

You have pfSense OpenVPN configured with a local CA and user certificates, and now somebody is leaving the company, or a certificate has been compromised. What should you do? Simply deleting the user account or the certificate is not good practice, and it will most likely not work: the client still holds its copy of the certificate, and that copy still validates against your CA.

We need to set up certificate revocation.

I have two users: zeljkomedic and zeljkomedicNEW.

We will revoke the certificate for user zeljkomedic and test it.

zeljkomedicNEW is the new user that will supersede user zeljkomedic.

I have the lab in place, and you can check my VPN related articles here:

OpenVPN setup: https://www.informaticar.net/how-to-setup-openvpn-on-pfsense/

First step – enable certificate revocation

Log in to your pfSense webConfigurator.

System | Cert. Manager

Certificate Revocation | + Add or Import CRL

Create new Revocation List | Method: Create an Internal Certificate Revocation List | Descriptive name: enter something that you can recognize | Certificate Authority: the CA you already created on that pfSense installation

Internal Certificate Revocation List | Lifetime (Days): enter a value or leave the default | Serial: leave default | Save

We can see the result immediately – BWRevocationList is created.

Now, let's add a user certificate to the list.

We are still in System | Cert. Manager | Certificate Revocation.

Select Edit CRL.

We don't have any revoked certs yet, but we will select one under Choose a Certificate to Revoke.

Under Certificate I'll select ZeljkoMedic | Reason: select what you like, I'll select Cessation of Operation | Add

After we click Add, the certificate is added and we are back on the main page of Certificate Revocation, with one certificate on BWRevocationList.

Click again on Edit CRL.

There it is – user certificate ZeljkoMedic is revoked.

If we go to System | Cert. Manager | Certificates, we will see that the user certificate ZeljkoMedic is marked as revoked.

Looks easy and quick, but we are not done yet: the CRL only takes effect once the OpenVPN server is told to check it.

Next step is adding the revocation list to our VPN server.

VPN | OpenVPN | Servers | Edit

Cryptographic Settings | Peer Certificate Revocation list | select your revocation list – in my case it is BWRevocationList | scroll to the bottom of the page and Save

Next step is to try to connect a VPN client that uses the user certificate zeljkomedic.

No luck.

That is a success – the revoked certificate is no longer able to connect to the pfSense OpenVPN server.

Very important information:

If you delete a certificate from the revocation list (and the certificate is still in the certificate database), the user will again be able to connect.

!!! Deleting the user and the certificate from pfSense will not stop him from accessing the VPN – you have to enable and configure the revocation list. Deleting certificates does not disable VPN connectivity.
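To see why only the revocation list stops the client, here is an added example (not from this article or the pfSense project) that replays the procedure with a throw-away OpenSSL CA in a temporary directory: it deletes the issued certificate, shows the client's copy still verifies, then revokes it and shows the server accepts it only while it is not checking the CRL. It assumes openssl is on PATH; the CA name LabCA, the user name and all file names are constructed for the demo.

```shell
# Added example, not from the original article: replays its point with a throw-away
# OpenSSL lab CA. Assumes `openssl` is on PATH; LabCA, zeljkomedic and all file names
# below are constructed for this demo only.
set -eu
LAB=$(mktemp -d)
trap 'rm -rf "$LAB"' EXIT
# Lab CA plus one user certificate, like pfSense's internal CA and a user cert.
issue_lab_certs() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=LabCA" \
    -keyout "$LAB/ca.key" -out "$LAB/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=zeljkomedic" \
    -keyout "$LAB/user.key" -out "$LAB/user.csr" 2>/dev/null
  openssl x509 -req -in "$LAB/user.csr" -CA "$LAB/ca.crt" -CAkey "$LAB/ca.key" \
    -CAcreateserial -days 30 -out "$LAB/user.crt" 2>/dev/null
  # Minimal `openssl ca` setup: only what -revoke and -gencrl need.
  touch "$LAB/index.txt"; echo 01 > "$LAB/crlnumber"
  cat > "$LAB/ca.cnf" <<EOF
[ ca ]
default_ca = lab
[ lab ]
database = $LAB/index.txt
crlnumber = $LAB/crlnumber
certificate = $LAB/ca.crt
private_key = $LAB/ca.key
default_md = sha256
default_crl_days = 30
EOF
}
# "Edit CRL | Choose a Certificate to Revoke | Add": put $1 on the CRL, reissue the CRL.
revoke_user_cert() {
  openssl ca -config "$LAB/ca.cnf" -revoke "$1" 2>/dev/null
  openssl ca -config "$LAB/ca.cnf" -gencrl -out "$LAB/crl.pem" 2>/dev/null
}
# Server-side decision for the presented certificate $1. With $2 = crl the server also
# checks the CRL (pfSense: "Peer Certificate Revocation list" set). Prints accept/reject.
verify_client() {
  if [ "${2:-}" = crl ]; then
    openssl verify -crl_check -CAfile "$LAB/ca.crt" -CRLfile "$LAB/crl.pem" "$1" \
      >/dev/null 2>&1 && echo accept || echo reject
  else
    openssl verify -CAfile "$LAB/ca.crt" "$1" >/dev/null 2>&1 && echo accept || echo reject
  fi
}
issue_lab_certs
cp "$LAB/user.crt" "$LAB/laptop.crt"   # the copy the user already carries
rm "$LAB/user.crt"                     # "delete the certificate" in pfSense
echo "deleted, no CRL:            $(verify_client "$LAB/laptop.crt")"      # accept
revoke_user_cert "$LAB/laptop.crt"
echo "revoked, server has no CRL: $(verify_client "$LAB/laptop.crt")"      # accept
echo "revoked, server checks CRL: $(verify_client "$LAB/laptop.crt" crl)"  # reject
```

The middle line is the state you are in after "Edit CRL | Add" but before the OpenVPN server step; only the last line corresponds to the finished configuration.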

Conclusion:

A revocation list is a must-have in pfSense if you use certificates; deleting certificates or users won't help you – only a revocation list will.

 

pfSense article series:

How to install pFSense on Hyper-V – https://www.informaticar.net/how-to-install-pfsense-on-hyper-v/

How to configure pFSense – https://www.informaticar.net/how-to-configure-pfsense/

How to define firewall rules on pFSense – https://www.informaticar.net/how-to-define-firewall-rules-on-pfsense/

How to create port forwarding on pFSense – https://www.informaticar.net/create-port-forwarding-on-pfsense/

How to setup OpenVPN on pFSense – https://www.informaticar.net/how-to-setup-openvpn-on-pfsense/

How to setup OpenVPN on client (pFSense) – https://www.informaticar.net/how-to-setup-openvpn-pfsense-version-on-client-pc/

OpenVPN on pFSense: Enable access to the LAN resources – https://www.informaticar.net/openvpn-on-pfsense-enable-access-to-the-lan-resources/

How to revocate user certificate on pFSense – https://www.informaticar.net/how-to-revocate-user-certificate-on-pfsense-openvpn/

How to import PFX certificate to pFSense – https://www.informaticar.net/how-to-import-pfx-certificate-to-pfsense/
