Bug #555

closed

Certificate Revocation List (CRL) missing from Certificate Manager

Added by Jim Pingle almost 14 years ago. Updated over 13 years ago.

Status: Resolved
Priority: Normal
Assignee:
Category: Certificates
Target version:
Start date: 04/29/2010
Due date:
% Done: 100%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: 2.0
Affected Architecture:

Description

There is no place in the 2.0 GUI to handle certificate revocation. The best fit seems to be in the Certificate Manager on the Certificates tab, perhaps a button between the download options and the delete choice that will pull up a page where you can edit a certificate's CRL.

Will also need some backend code on at least OpenVPN to detect the presence of the CRL and use as needed.

Actions #1

Updated by Jim Pingle over 13 years ago

  • Assignee set to Jim Pingle

Actions #2

Updated by Jim Pingle over 13 years ago

  • % Done changed from 0 to 60

It's still a work in progress, but at the moment you can at least import an external CRL and assign it to an OpenVPN instance. The backend functions are there to manage user certificate revocation, but it still needs some GUI work to make it happen.

Actions #3

Updated by Jim Pingle over 13 years ago

Also, as a note to myself: it still needs upgrade code to handle existing CRLs.

Actions #4

Updated by Jim Pingle over 13 years ago

I've made some more CRL commits today. Once the new snapshot is up, it should (in theory) be capable of revoking a cert via the CRL tab. The CRL patches to OpenSSL were lost (I added them back in) so it needs more testing once the new build is complete.

Actions #5

Updated by Jim Pingle over 13 years ago

  • Status changed from New to Feedback
  • % Done changed from 60 to 100

This should be feature-complete as far as I can tell, unless anyone has any more ideas about how it should be changed.

You can revoke a cert, and the client can't reconnect, then remove it from the CRL and they can connect again.

Right now the only place a CRL can be used is from the OpenVPN server page. If there are any other areas where it might be used, let me know. I don't see any way to use it in IPsec, and I'm not sure if anywhere else in the system would even be capable of it.

The next new snapshot dated after this post should contain all of the code needed to work with CRLs.

Actions #6

Updated by Jim Pingle over 13 years ago

Actions #7

Updated by Chris Buechler over 13 years ago

  • Status changed from Feedback to Resolved