Bug #3591

closed

Impossible to edit CRLs in 2.1.1

Added by Doktor Notor over 7 years ago. Updated over 7 years ago.

Status: Resolved
Priority: High
Assignee: -
Category: Certificates
Target version:
Start date: 04/09/2014
Due date:
% Done: 100%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: 2.1
Affected Architecture: All

Description

See https://forum.pfsense.org/index.php?topic=74935.msg408977#msg408977

Since lots of people will want/need to revoke their certs, this really should be fixed in 2.1.2.

Actions #1

Updated by Jim Pingle over 7 years ago

A fix is coming but ideally you'd create a whole new CA and Cert structure if you believe yours has been compromised. Re-using the CA + Revoking certs should only be done if the CA's key had no chance of being compromised.

New CA + New certs is also faster than Revoking eleventy hundred certs plus regenerating them all. If you have to reissue all new clients anyway, there's little benefit to taking the revocation path.

Actions #2

Updated by Jim Pingle over 7 years ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100

Actions #3

Updated by Jim Pingle over 7 years ago

Actions #4

Updated by Doktor Notor over 7 years ago

OK, fix works, thanks. It is indeed correct that starting with a completely new CA is the best solution in this case, but I'd still like to keep track of the revoked certificates.

Actions #5

Updated by Chris Buechler over 7 years ago

  • Status changed from Feedback to Resolved
  • Target version set to 2.1.2