Bug #555
closed
Certificate Revocation List (CRL) missing from Certificate Manager
Added by Jim Pingle over 14 years ago.
Updated almost 14 years ago.
Description
There is no place in the 2.0 GUI to handle certificate revocation. The best fit seems to be in the Certificate Manager on the Certificates tab, perhaps a button between the download options and the delete choice that will pull up a page where you can edit a certificate's CRL.
Will also need some backend code on at least OpenVPN to detect the presence of the CRL and use as needed.
- Assignee set to Jim Pingle
- % Done changed from 0 to 60
It's still a work in progress, but at the moment you can at least import an external CRL and assign it to an OpenVPN instance. The backend functions are there to manage user certificate revocation, but it still needs some GUI work to make it happen.
Also, as a note to myself: it still needs upgrade code to handle existing CRLs.
I've made some more CRL commits today. Once the new snapshot is up, it should (in theory) be capable of revoking a cert via the CRL tab. The CRL patches to OpenSSL were lost (I added them back in) so it needs more testing once the new build is complete.
- Status changed from New to Feedback
- % Done changed from 60 to 100
This should be feature-complete as far as I can tell, unless anyone has any more ideas about how it should be changed.
You can revoke a cert, and the client can't reconnect, then remove it from the CRL and they can connect again.
Right now the only place a CRL can be used is from the OpenVPN server page. If there are any other areas where it might be used, let me know. I don't see any way to use it in IPsec, and I'm not sure if anywhere else in the system would even be capable of it.
The next new snapshot dated after this post should contain all of the code needed to work with CRLs.
- Status changed from Feedback to Resolved