Bug #555

Certificate Revocation List (CRL) missing from Certificate Manager

Added by Jim Pingle about 9 years ago. Updated over 8 years ago.

Status: Resolved
Priority: Normal
Assignee:
Category: Certificates
Target version:
Start date: 04/29/2010
Due date:
% Done: 100%
Estimated time:
Affected Version: 2.0
Affected Architecture:

Description

There is no place in the 2.0 GUI to handle certificate revocation. The best fit seems to be in the Certificate Manager on the Certificates tab, perhaps a button between the download options and the delete choice that will pull up a page where you can edit a certificate's CRL.

Will also need some backend code on at least OpenVPN to detect the presence of the CRL and use as needed.

Associated revisions

Revision 47319bfb (diff)
Added by Jim Pingle over 8 years ago

Add upgrade code for importing CRLs. Ticket #555

Revision ad08687b (diff)
Added by Jim Pingle over 8 years ago

Add support for deleting a cert from a CRL (unrevoke). As of this point basic CRL functionality does work: Revoke a cert and it cannot connect. Remove it from the CRL and it can. (Have to edit/save OpenVPN server instance to update/refresh CRL though). Ticket #555

Revision 8e022a76 (diff)
Added by Jim Pingle over 8 years ago

Refresh OpenVPN CRL files when a CRL has a cert added/removed. Ticket #555

Revision fc54f29b (diff)
Added by Jim Pingle over 8 years ago

Add ability to select reason codes for revocation. Reformat CRL edit screen a bit. Ticket #555

Revision 62b262e4 (diff)
Added by Jim Pingle over 8 years ago

Remove WIP note. This should resolve #555.

History

#1 Updated by Jim Pingle over 8 years ago

  • Assignee set to Jim Pingle

#2 Updated by Jim Pingle over 8 years ago

  • % Done changed from 0 to 60

It's still a work in progress, but at the moment you can at least import an external CRL and assign it to an OpenVPN instance. The backend functions are there to manage user certificate revocation, but it still needs some GUI work to make it happen.

#3 Updated by Jim Pingle over 8 years ago

Also, as a note to myself: It still needs upgrade code to handle existing CRLs.

#4 Updated by Jim Pingle over 8 years ago

I've made some more CRL commits today. Once the new snapshot is up, it should (in theory) be capable of revoking a cert via the CRL tab. The CRL patches to OpenSSL were lost (I added them back in) so it needs more testing once the new build is complete.

#5 Updated by Jim Pingle over 8 years ago

  • Status changed from New to Feedback
  • % Done changed from 60 to 100

This should be feature-complete as far as I can tell, unless anyone has any more ideas about how it should be changed.

You can revoke a cert, and the client can't reconnect, then remove it from the CRL and they can connect again.

Right now the only place a CRL can be used is from the OpenVPN server page. If there are any other areas where it might be used, let me know. I don't see any way to use it in IPsec, and I'm not sure if anywhere else in the system would even be capable of it.

The next new snapshot dated after this post should contain all of the code needed to work with CRLs.

#7 Updated by Chris Buechler over 8 years ago

  • Status changed from Feedback to Resolved
