This section is part of "Certificate Authorities and Keys". Here another CA certificate can be uploaded, the CRL gives a view of the certificates that have been revoked, and a Diffie-Hellman parameter can be uploaded or optionally generated.
Upload CA certificate
To upload a CA certificate, click "Choose File".
The file must be in PEM format. Enter a "CA name" without special characters or numbers. The upload is done by clicking "Upload CA certificate".
Certificate Revocation List
The button "Show certificate revocation list" (CRL)
also shows some technical details, but primarily lists all certificates that have been revoked.
If no certificates have been revoked, the list simply reads
No Revoked Certificates.
If certificates have been revoked, entries like the following are shown instead:
Revoked Certificates:
Serial Number: 02
Revocation Date: Jun 17 08:41:25 2014 GMT
Since IPFire currently does not offer a way to revoke certificates via the web interface, the console has to be used.
The short procedure is as follows:
- The certificate to be revoked (stored as {Clientname}cert.pem, in this example the client "RevokedZertTest") can be found under /var/ipfire/ovpn/certs. Note that this is the client's certificate, not its private key. An OpenSSL command is used to revoke it:
openssl ca -config /var/ipfire/ovpn/openssl/ovpn.cnf -revoke /var/ipfire/ovpn/certs/RevokedZertTestcert.pem
- Another important file should be mentioned in this context: index.txt (found under /var/ipfire/ovpn/certs) is the certificate database and holds one entry per issued certificate. The tab-separated columns are status, expiry date, revocation date (empty for valid certificates), serial number, file name and subject DN. After the command above, index.txt marks the revoked certificate with "R" (Revoked); the others carry "V" (Valid) or "E" (Expired).
cat /var/ipfire/ovpn/certs/index.txt
V 47520513073408Z 01 unknown /C=DE/ST=HH/O=IPFire/OU=AbteilungA/CN=beispiel.dyndns.org
R 140618083718Z 140617084125Z 02 unknown /C=DE/ST=HH/O=IPFire/OU=AbteilungB/CN=RevokedZertTest
- After this step the CRL must be regenerated with the following command, otherwise the revocation has no effect:
openssl ca -config /var/ipfire/ovpn/openssl/ovpn.cnf -gencrl -out /var/ipfire/ovpn/crls/cacrl.pem
Since Core Update 186 the location of ovpn.cnf has changed, so on current versions the following command has to be executed instead:
openssl ca -config /usr/share/openvpn/ovpn.cnf -gencrl -out /var/ipfire/ovpn/crls/cacrl.pem
From now on the chosen client is blocked: OpenVPN checks the regenerated CRL during the TLS handshake, so new connection attempts are rejected, while an already established session is only dropped at its next TLS renegotiation.
Diffie-Hellman-Parameter
Since Core Update 172 the Diffie-Hellman parameter is fixed, so that a secure parameter length is always used and the parameter is provided in the correct standardised format.
Core Update 172 Release
Remove X509
At the bottom of the web interface there is an option to delete the whole certificate authority together with all keys, clients and client-related data.
The button leads you to this page:
If you confirm by pressing the "RemoveX509" button, all connections are deleted, the whole certificate authority as well, and the certificate database (index.txt and serial) is reset and starts again from zero. It is almost like starting from scratch; only the server configuration and the configured "static IP address pools" are left untouched.