Bug #6947
closed
Deleting an external CA wipes certificates in use
Added by Kill Bill about 8 years ago.
Updated almost 8 years ago.
Affected Architecture: All
Description
This is beyond uncool. When I accidentally deleted an external (intermediate) CA cert from the CAs tab, it wiped the certificate used for WebGUI -- no questions asked, no "in use" check done, nothing.
- Assignee set to Jim Pingle
Please validate and hand back.
- Status changed from New to Feedback
- % Done changed from 0 to 100
- Assignee changed from Jim Pingle to Kill Bill
- Target version set to 2.4.0
Looks pretty good. CA in use detection works (tested with OpenVPN server, IPsec and LDAP), plus it can no longer be deleted. Tried deleting one of the CAs that was not "in use"; the certificates remained there.
One thing you seem to have missed is checking for "CA in use" case for the WebGUI.
That would require some more work to detect if it's the GUI cert's issuer, and the GUI cert could be self-signed, since there is not a separate field to pick the CA for the GUI cert. There were a couple of similar cases like that which could use some more thought but felt out of scope here for the moment.
Jim Pingle wrote:
That would require some more work to detect if it's the GUI cert's issuer.
Hmmm well, that already appears to be working (on the "Certificates" tab anyway, just not for the CAs). Regardless, much better than before. Thanks.
The cert case is much simpler since there is a field for that directly. All the code has to check for is that the cert's reference ID is used directly. The other fields that are checked for CA are where it can be chosen specifically (OpenVPN server/client, LDAP auth server peer CA entry, IPsec P1 peer CA entry) where all it has to do is check the CA reference ID in the same way.
The trickier cases are when the CA is assumed or calculated based on the selected certificate. I could see intermediates falling into the same trap. The necessary logic gets rather complicated fast in that area, so in the interest of fixing the more dangerous issue I hit the low-hanging fruit for the time being. :-)
- Status changed from Feedback to Resolved
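The two kinds of "in use" check Jim describes (a CA reference ID chosen directly in OpenVPN, IPsec or LDAP settings versus a CA that is only implied by a selected certificate, such as the WebGUI cert's issuer chain through an intermediate) can be sketched as follows. This is an added illustration written for this page, not pfSense's own code: the config dictionary, its field names (`caref`, `ssl-certref`, `ldap_caref`, etc.) and every function name are assumptions modeled loosely on pfSense's config layout, and certificates are represented by subject/issuer DNs instead of PEM so it runs offline.

```python
"""Added example: refuse to delete a CA that is still referenced, directly or
via an issuer chain, and never touch the certificate list when deleting.
Illustration only; config shape and names are assumptions, not pfSense's schema."""
from copy import deepcopy

# Constructed sample config (assumption: simplified shape, not the real config.xml).
CONFIG = {
    "ca": [
        {"refid": "ca-root", "descr": "Root CA",
         "subject": "CN=Root CA", "issuer": "CN=Root CA"},
        {"refid": "ca-int", "descr": "Intermediate CA",
         "subject": "CN=Intermediate CA", "issuer": "CN=Root CA"},
        {"refid": "ca-old", "descr": "Old CA",
         "subject": "CN=Old CA", "issuer": "CN=Old CA"},
    ],
    "cert": [
        # Imported GUI cert: no caref field, only its issuer DN ties it to ca-int.
        {"refid": "cert-gui", "descr": "webConfigurator",
         "subject": "CN=fw.example.net", "issuer": "CN=Intermediate CA"},
        # Internally issued cert: carries an explicit caref.
        {"refid": "cert-vpn", "descr": "OpenVPN server", "caref": "ca-root",
         "subject": "CN=vpn.example.net", "issuer": "CN=Root CA"},
    ],
    "system": {"webgui": {"ssl-certref": "cert-gui"}},
    "openvpn": {"openvpn-server": [{"vpnid": 1, "caref": "ca-root",
                                    "certref": "cert-vpn"}]},
    "ipsec": {"phase1": []},
    "authserver": [],
}


def direct_references(config):
    """CA refids picked explicitly somewhere in the config -> list of users.

    These are the easy cases: the field holds the CA reference ID itself.
    """
    users = {}

    def note(caref, who):
        if caref:
            users.setdefault(caref, []).append(who)

    for key in ("openvpn-server", "openvpn-client"):
        for vpn in config.get("openvpn", {}).get(key, []):
            note(vpn.get("caref"), f"{key} {vpn.get('vpnid')}")
    for p1 in config.get("ipsec", {}).get("phase1", []):
        note(p1.get("caref"), f"ipsec phase1 {p1.get('ikeid')}")
    for auth in config.get("authserver", []):
        note(auth.get("ldap_caref"), f"authserver {auth.get('name')}")
    for cert in config.get("cert", []):
        note(cert.get("caref"), f"cert {cert['refid']}")
    return users


def issuer_chain(leaf, cas):
    """Walk issuer DNs from a certificate up to a self-signed root.

    Returns the refids of every CA on the path, intermediates included.
    A self-signed leaf has no issuer CA; an unknown issuer ends the walk;
    the visited set guards against DN loops in a corrupted store.
    """
    if leaf["issuer"] == leaf["subject"]:
        return []
    by_subject = {ca["subject"]: ca for ca in cas}
    chain, seen = [], set()
    issuer = leaf["issuer"]
    while issuer in by_subject and issuer not in seen:
        seen.add(issuer)
        ca = by_subject[issuer]
        chain.append(ca["refid"])
        if ca["issuer"] == ca["subject"]:  # reached a self-signed root
            break
        issuer = ca["issuer"]
    return chain


def inferred_references(config):
    """CA refids implied by a selected certificate rather than chosen directly.

    Covers the WebGUI cert, whose CA is never picked in its own field.
    """
    users = {}
    certs = {c["refid"]: c for c in config.get("cert", [])}
    gui_ref = config.get("system", {}).get("webgui", {}).get("ssl-certref")
    gui = certs.get(gui_ref)
    if gui:
        for caref in issuer_chain(gui, config.get("ca", [])):
            users.setdefault(caref, []).append(
                f"webgui cert {gui_ref} (issuer chain)")
    return users


def ca_in_use(config, caref):
    """All reasons a CA cannot be deleted; empty list means it is free."""
    return (direct_references(config).get(caref, [])
            + inferred_references(config).get(caref, []))


def delete_ca(config, caref):
    """Return a copy of config with the CA removed; refuse if it is in use.

    Only the 'ca' list changes: certificates are left exactly as they were.
    """
    reasons = ca_in_use(config, caref)
    if reasons:
        raise ValueError(f"CA {caref} is in use by: {', '.join(reasons)}")
    new = deepcopy(config)
    remaining = [ca for ca in new["ca"] if ca["refid"] != caref]
    if len(remaining) == len(new["ca"]):
        raise KeyError(f"no CA with refid {caref}")
    new["ca"] = remaining
    return new
```

With this sample data, `ca-root` is reported as used by the OpenVPN server, by the `cert-vpn` entry and (through the intermediate) by the WebGUI cert, `ca-int` only by the WebGUI cert's issuer chain, and `ca-old` by nothing, so only `ca-old` can be deleted, and deleting it leaves both certificates in place.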