pfSense

While investigating #9889, I found that OpenVPN recently introduced a new style of specifying CA and CRLs in a single directive, capath:

       --capath dir
              Directory containing trusted certificates (CAs and CRLs).  Not
              available with mbed TLS.

              CAs in the capath directory are expected to be named <hash>.<n>.
              CRLs are expected to be named <hash>.r<n>. See the -CApath
              option of openssl verify , and the -hash option of openssl x509
              and openssl crl for more information.

              Similarly to the --crl-verify option CRLs are not mandatory -
              OpenVPN will log the usual warning in the logs if the relevant
              CRL is missing, but the connection will be allowed.

This is the same format supported natively in OpenSSL with its -CAPath option, and shares its behavior. There is already some code in source:src/etc/inc/certs.inc in ca_setup_trust_store() which generates CA files in this format, which could be generalized and extended to support CRLs.

We should test and if it works sufficiently, convert OpenVPN to use this new syntax which is a more reliable way to structure the CA for use by OpenVPN/OpenSSL.

The main question seems to be whether or not revoking a certificate also requires the server to be reloaded or not. With crl-verify, the file is re-read for each client reconnect.