Certificate Revocation List Management

Certificate Revocation Lists (CRLs) are a part of the X.509 system that publish lists of certificates that should no longer be trusted. These certificates may have been compromised or otherwise need to be invalidated. An application using a CA, such as OpenVPN, may optionally use a CRL so it can verify connecting client certificates. A CRL is generated and signed against a CA using its private key, so in order to create or add certificates to a CRL in the GUI, the private key of the CA must be present. If the CA is managed externally and the private key for the CA is not on the firewall, a CRL may still be generated outside of the firewall and imported.

The traditional way to use a CRL is to have only one CRL per CA and add every invalid certificate to that CRL. In pfSense, however, multiple CRLs may be created for a single CA. In OpenVPN, different CRLs may be chosen for separate VPN instances. This could be used, for example, to prevent a specific certificate from connecting to one instance while allowing it to connect to another. For IPsec, all CRLs are consulted; there is no per-instance selection as there currently is with OpenVPN.

Certificate Revocation Lists are managed from System > Cert Manager, on the Certificate Revocation tab. From this screen CRL entries can be added, edited, exported, or deleted. The list will show all Certificate Authorities and an option to add a CRL. The screen also indicates whether the CRL is internal or external (imported), and it shows a count of how many certificates have been revoked on each CRL.

Note

CRLs generated using pfSense 2.2.4-RELEASE and later properly include the authorityKeyIdentifier attribute to allow proper functionality with strongSwan for use with IPsec.

Create a new Certificate Revocation List

To create a new CRL:

  • Navigate to System > Cert Manager, on the Certificate Revocation tab.
  • Find the row with the CA that the CRL will be created for.
  • Click fa-plus Add or Import CRL at the end of the row to create a new CRL.
  • Choose Create an Internal Certificate Revocation List for the Method.
  • Enter a Descriptive Name for the CRL, which is used to identify this CRL in lists around the GUI. It’s usually best to include a reference to the name of the CA and/or the purpose of the CRL.
  • Select the proper CA from the Certificate Authority drop-down menu.
  • Enter the number of days for which the CRL should be valid in the Lifetime box. The default value is 9999 days, or almost 27 and a half years.
  • Click Save.

The browser will return to the CRL list, and the new entry will be shown there.

Import an Existing Certificate Revocation List

To import a CRL from an external source:

  • Navigate to System > Cert Manager, on the Certificate Revocation tab.
  • Find the row with the CA that the CRL will be imported for.
  • Click fa-plus Add or Import CRL at the end of the row to create a new CRL.
  • Choose Import an Existing Certificate Revocation List for the Method.
  • Enter a Descriptive Name for the CRL, which is used to identify this CRL in lists around the GUI. It’s usually best to include a reference to the name of the CA and/or the purpose of the CRL.
  • Select the proper CA from the Certificate Authority drop-down menu.
  • Enter the CRL data. This is typically in a file ending in .crl. It is plain text data enclosed in a block such as:

    -----BEGIN X509 CRL-----
    [A bunch of random-looking base64-encoded data]
    -----END X509 CRL-----

  • Click Save to finish the import process.

If an error appears, follow the on-screen instructions to correct the problem and then try again. The most common error is not pasting in the right portion of the CRL data. Make sure to enter the entire block, including the beginning header and ending footer around the encoded data.

Export a Certificate Revocation List

From the list of CRLs at System > Cert Manager on the Certificate Revocation tab, a CRL may also be exported. To export the CRL, click the fa-download icon. The file will download with the descriptive name of the CRL as the file name, and the extension .crl.

Delete a Certificate Revocation List

  • Check areas that can use a CRL, such as OpenVPN.
  • Remove entries using the CRL, or choose another CRL instead.
  • Navigate to System > Cert Manager on the Certificate Revocation tab.
  • Locate the CRL to delete in the list.
  • Click the fa-trash icon at the end of the row for the CRL.
  • Click OK on the confirmation dialog.

If an error appears, follow the on-screen instructions to correct the problem and then try again.

Revoke a Certificate

A CRL isn’t very useful unless it contains revoked certificates. A certificate is revoked by adding the certificate to a CRL:

  • Navigate to System > Cert Manager on the Certificate Revocation tab.
  • Locate the CRL to edit in the list.
  • Click the fa-pencil icon at the end of the row for the CRL. A screen will be presented that lists any currently revoked certificates, and a control to add new ones.
  • Select the certificate from the Choose a Certificate to Revoke list.
  • Select a Reason from the drop-down list to indicate why the certificate is being revoked. This information doesn’t affect the validity of the certificate; it is merely informational in nature. This option may be left at the default value.
  • Click Add and the certificate will be added to the CRL.

Certificates can be removed from the CRL using this screen as well:

  • Navigate to System > Cert Manager on the Certificate Revocation tab.
  • Locate the CRL to edit in the list.
  • Click the fa-pencil icon at the end of the row for the CRL.
  • Find the certificate in the list and click the fa-trash icon to remove it from the CRL.
  • Click OK on the confirmation dialog.

After adding or removing a certificate, the CRL will be re-written if it is currently in use by any VPN instances so that the CRL changes will be immediately active.
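The two operations described above, signing a CRL with a CA key that is kept off the firewall (the "generate outside of the firewall and import" case) and revoking a certificate with a reason code, are shown below as an added example. This is not pfSense code; it uses the Python `cryptography` package, and the CA name, client names and lifetimes are constructed sample values. It also includes the checks worth running on a pasted CRL before importing it: the whole BEGIN/END block is present, the issuer matches the selected CA, and the signature verifies with that CA's key.

```python
"""Build, export and check an X.509 CRL with the `cryptography` package.

Added example, not pfSense code. The CA key below never needs to be on the
firewall: the signed CRL is exported as PEM text and pasted into the GUI.
All names and lifetimes are constructed sample data.
"""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

ONE_DAY = datetime.timedelta(days=1)


def _now():
    return datetime.datetime.now(datetime.timezone.utc)


def make_ca(common_name="Example VPN CA"):
    """Self-signed CA (hypothetical name). Returns (private key, certificate)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = _now()
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - ONE_DAY)
        .not_valid_after(now + 365 * ONE_DAY)
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .add_extension(x509.SubjectKeyIdentifier.from_public_key(key.public_key()), critical=False)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def issue_client_cert(ca_key, ca_cert, common_name):
    """Client certificate signed by the CA; only its serial number matters to the CRL."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    now = _now()
    return (
        x509.CertificateBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)]))
        .issuer_name(ca_cert.subject)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - ONE_DAY)
        .not_valid_after(now + 90 * ONE_DAY)
        .sign(ca_key, hashes.SHA256())
    )


def build_crl(ca_key, ca_cert, revocations, lifetime_days=30):
    """Sign a CRL listing `revocations`, a dict {serial: reason name such as "key_compromise"}.

    authorityKeyIdentifier is added so IPsec (strongSwan) can match the CRL to its CA.
    The reason is a per-entry CRL extension: informational only, the entry revokes either way.
    """
    now = _now()
    builder = (
        x509.CertificateRevocationListBuilder()
        .issuer_name(ca_cert.subject)
        .last_update(now)
        .next_update(now + lifetime_days * ONE_DAY)
        .add_extension(x509.AuthorityKeyIdentifier.from_issuer_public_key(ca_key.public_key()), critical=False)
    )
    for serial, reason in revocations.items():
        entry = (
            x509.RevokedCertificateBuilder()
            .serial_number(serial)
            .revocation_date(now)
            .add_extension(x509.CRLReason(x509.ReasonFlags[reason]), critical=False)
            .build()
        )
        builder = builder.add_revoked_certificate(entry)
    return builder.sign(private_key=ca_key, algorithm=hashes.SHA256())


def crl_to_pem(crl):
    """The text pasted into the GUI, BEGIN/END X509 CRL lines included."""
    return crl.public_bytes(serialization.Encoding.PEM).decode("ascii")


def check_pasted_crl(pem_text, ca_cert):
    """Pre-import checks. Returns (ok, message) so the caller can show why a paste was rejected."""
    text = pem_text.strip()
    if not (text.startswith("-----BEGIN X509 CRL-----") and text.endswith("-----END X509 CRL-----")):
        return False, "incomplete block: BEGIN header or END footer missing"
    try:
        crl = x509.load_pem_x509_crl(text.encode("ascii"))
    except ValueError as exc:
        return False, f"not parseable: {exc}"
    if crl.issuer != ca_cert.subject:
        return False, "issuer does not match the selected CA"
    if not crl.is_signature_valid(ca_cert.public_key()):
        return False, "signature was not made by the selected CA key"
    return True, f"ok: {len(list(crl))} revoked entries"


def is_revoked(crl, cert):
    """True when the certificate's serial appears on the CRL, whatever the stated reason."""
    return crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None


def has_authority_key_identifier(crl):
    """True when the CRL carries the authorityKeyIdentifier extension strongSwan expects."""
    try:
        crl.extensions.get_extension_for_class(x509.AuthorityKeyIdentifier)
        return True
    except x509.ExtensionNotFound:
        return False
```

`check_pasted_crl` rejects exactly the failure the import section warns about, a paste missing its header or footer, and additionally catches a CRL signed by a different CA than the one chosen in the Certificate Authority drop-down, which the GUI cannot use to verify clients of the selected CA.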

Updating an Imported Certificate Revocation List

To update an imported CRL:

  • Navigate to System > Cert Manager on the Certificate Revocation tab.
  • Locate the CRL to edit in the list.
  • Click the fa-pencil icon at the end of the row for the CRL.
  • Erase the pasted content in the CRL Data box and replace it with the contents of the new CRL.
  • Click Save.

After updating the imported CRL, it will be re-written if it is currently in use by any VPN instances so that the CRL changes will be immediately active.