Certificate Revocation List (CRL) missing from Certificate Manager
There is no place in the 2.0 GUI to handle certificate revocation. The best fit seems to be in the Certificate Manager on the Certificates tab, perhaps a button between the download options and the delete choice that will pull up a page where you can edit a certificate's CRL.
Will also need some backend code on at least OpenVPN to detect the presence of the CRL and use it as needed.
Add support for deleting a cert from a CRL (unrevoke). As of this point basic CRL functionality does work: Revoke a cert and it cannot connect. Remove it from the CRL and it can. (Have to edit/save OpenVPN server instance to update/refresh CRL though). Ticket #555
Add ability to select reason codes for revocation. Reformat CRL edit screen a bit. Ticket #555
#2 Updated by Jim Pingle over 8 years ago
- % Done changed from 0 to 60
It's still a work in progress, but at the moment you can at least import an external CRL and assign it to an OpenVPN instance. The backend functions are there to manage user certificate revocation but it still needs some GUI work to make it happen.
#5 Updated by Jim Pingle over 8 years ago
- Status changed from New to Feedback
- % Done changed from 60 to 100
This should be feature-complete as far as I can tell, unless anyone has any more ideas about how it should be changed.
You can revoke a cert, and the client can't reconnect, then remove it from the CRL and they can connect again.
Right now the only place a CRL can be used is from the OpenVPN server page. If there are any other areas where it might be used, let me know. I don't see any way to use it in IPsec, and I'm not sure if anywhere else in the system would even be capable of it.
The next new snapshot dated after this post should contain all of the code needed to work with CRLs.