Certificate Revocation List Management
Certificate Revocation Lists (CRLs) are a part of the X.509 system that publish lists of certificates that must no longer be trusted. These certificates may have been compromised or otherwise need to be invalidated. An application using a CA, such as OpenVPN, may optionally use a CRL so it can verify connecting client certificates. A CRL is generated and signed against a CA using its private key, so in order to create or add certificates to a CRL in the GUI, the private key of the CA must be present. If the CA is managed externally and the private key for the CA is not on the firewall, a CRL may still be generated outside of the firewall and imported.
The traditional way to use a CRL is to only have one CRL per CA and only add invalid certificates to that CRL. The GUI, however, supports multiple CRLs for a single CA. In OpenVPN, different CRLs may be chosen for separate VPN instances. This could be used, for example, to prevent a specific certificate from connecting to one instance while allowing it to connect to another. For IPsec, all CRLs are consulted and there is no selection as currently exists with OpenVPN.
Certificate Revocation Lists are managed from System > Certificates, on the Certificate Revocation tab.
From this screen CRL entries can be added, edited, exported, or deleted. The list shows all existing CRLs and an option to add a new CRL from a given CA. The screen also indicates whether the CRL is internal or external (imported), and it shows a count of how many certificates have been revoked on each CRL, and indicates if the CRL is in use.
Create a new Certificate Revocation List
To create a new CRL:
Navigate to System > Certificates, Certificate Revocation tab
Select a CA from the drop-down menu under the Create or Import a New Certificate Revocation List
Click Add at the end of the row to create a new CRL
Set the Method to Create an Internal Certificate Revocation List
Enter a Descriptive Name for the CRL
This is used to identify this CRL in lists around the GUI. It’s usually best to include a reference to the name of the CA and/or the purpose of the CRL.
Enter the Lifetime value as a number of days for which the CRL should be valid
The default value is 730 days (2 years).
Note
In practice, this limit would almost never be reached as the CRL is regenerated any time the CRL is edited or when a service which utilizes a CRL is reconfigured.
Note
The system attempts to prevent using too large a value for the lifetime to ensure the date doesn’t overflow. On 32-bit platforms, the limit is before the UNIX time rollover in 2038. On other platforms, the limit is before UTCTime 2-digit dates roll over in 2050. See Redmine #13424 for details. Systems reporting an expired CRL can work around the error by making a new CRL with a lower lifetime or by applying a patch on that Redmine issue.
Click Save
The browser will return to the CRL list, and the new entry will be shown there.
Import an Existing Certificate Revocation List
To import a CRL from an external source:
Navigate to System > Certificates, Certificate Revocation tab
Select a CA from the drop-down menu under the Create or Import a New Certificate Revocation List
Click Add at the end of the row to create a new CRL
Set the Method to Import an Existing Certificate Revocation List
Enter a Descriptive Name for the CRL
This is used to identify this CRL in lists around the GUI. It’s usually best to include a reference to the name of the CA and/or the purpose of the CRL.
Enter the CRL data
This is typically in a file ending in .crl. It would be plain text data enclosed in a block such as:
-----BEGIN X509 CRL-----
[A bunch of random-looking base64-encoded data]
-----END X509 CRL-----
Click Save to finish the import process.
If an error appears, follow the on-screen instructions to correct the problem and then try again. The most common error is not pasting in the right portion of the CRL data. Make sure to enter the entire block, including the beginning header and ending footer around the encoded data.
Warning
New entries cannot be added to imported CRLs. To update an imported CRL, see Updating an Imported Certificate Revocation List.
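As an added example, not code from the pfSense project or this documentation: a self-contained Python script that applies the same check the import step needs (both the BEGIN and END X509 CRL lines must be present), then parses the CRL to expose its thisUpdate/nextUpdate window, so an expired CRL like the one in the lifetime note above is easy to spot, and the revoked serial numbers that the Revoke a Certificate section below adds. The sample CRL, its issuer name and its serials are constructed for the example, and the DER reader is a minimal one for standard X.509 CRLs, not the firewall's own code.

```python
import base64, re
from datetime import datetime, timezone

# Constructed sample (not from pfSense): minimal v2 CRL in DER, issuer CN=Test CA,
# thisUpdate 2024-01-01, nextUpdate 2026-01-01, serials 0x1002 and 0x05 revoked.
# The trailing signature bytes are a placeholder, not a real signature.
SAMPLE_CRL_DER = bytes.fromhex(
    "308187306f020101300d06092a864886f70d01010b0500"  # CertificateList, TBSCertList, v2, sha256WithRSA
    "30123110300e0603550403130754657374204341"        # issuer Name: CN=Test CA
    "170d3234303130313030303030305a"                  # thisUpdate UTCTime 240101000000Z
    "170d3236303130313030303030305a"                  # nextUpdate UTCTime 260101000000Z
    "3029301302021002170d3234303631353132303030305a"  # revokedCertificates: 0x1002 on 240615120000Z
    "3012020105170d3234303830313030303030305a"        # 0x05 on 240801000000Z
    "300d06092a864886f70d01010b0500030500deadbeef")   # signatureAlgorithm + placeholder signature
PEM_RE = re.compile(r"-----BEGIN X509 CRL-----\s*(.*?)\s*-----END X509 CRL-----", re.S)

def to_pem(der):  # wrap DER in the text block the GUI import field expects
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN X509 CRL-----\n{body}\n-----END X509 CRL-----\n"
def _tlv(buf, pos):  # read one DER tag-length-value at pos -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length
def _children(value):  # split a SEQUENCE/SET value into its (tag, value) elements
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out
def _time(tag, val):  # UTCTime (0x17, 2-digit year) or GeneralizedTime (0x18)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(val.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def parse_crl_pem(pem_text):
    """Return (thisUpdate, nextUpdate, {serial: revocation date}) from a pasted CRL block."""
    m = PEM_RE.search(pem_text)
    if m is None:  # the most common import error: header or footer line missing
        raise ValueError("paste the whole block, including the BEGIN and END X509 CRL lines")
    der = base64.b64decode("".join(m.group(1).split()))
    fields = _children(_children(_tlv(der, 0)[1])[0][1])  # CertificateList -> tbsCertList
    if fields[0][0] == 0x02:                                # skip the optional version INTEGER
        fields = fields[1:]
    this_update = _time(*fields[2])                         # [0] signature alg, [1] issuer Name
    next_update = _time(*fields[3]) if len(fields) > 3 and fields[3][0] in (0x17, 0x18) else None
    revoked = {int.from_bytes(_children(e)[0][1], "big"): _time(*_children(e)[1])
               for tag, val in fields[3:] if tag == 0x30 for _, e in _children(val)}
    return this_update, next_update, revoked
```

The difference between nextUpdate and thisUpdate is the Lifetime the GUI asks for; a CRL whose nextUpdate is in the past is what an "expired CRL" error refers to.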
Export a Certificate Revocation List
Navigate to System > Certificates, Certificate Revocation tab
Locate the CRL to export in the list
Click the icon at the end of the row for the CRL
The file will download with the descriptive name of the CRL as the file name, and the extension .crl.
Delete a Certificate Revocation List
Check areas that can use a CRL, such as IPsec and OpenVPN
Note
In most cases, the areas using a CRL are noted in the In Use column of the CRL list. This does not necessarily include all areas, especially if the CRL is used by a package.
Remove entries using the CRL, or choose another CRL instead
Navigate to System > Certificates, Certificate Revocation tab
Locate the CRL to delete in the list
Click the icon at the end of the row for the CRL
Note
This icon will only be present if the CRL is not in use.
Click OK on the confirmation dialog
If an error appears, follow the on-screen instructions to correct the problem and then try again.
Revoke a Certificate
A CRL isn’t useful unless it contains revoked certificates. A certificate is revoked by adding the certificate to a CRL, or by entering its serial number.
Navigate to System > Certificates, Certificate Revocation tab
Locate the CRL to edit in the list
Click the icon at the end of the row for the CRL
The GUI lists any revoked certificates on the CRL, and a control to add new ones.
Select a Reason from the drop-down list to indicate why the certificate is being revoked
This information doesn’t affect the validity of the certificate; it is merely informational in nature. This option may be left at the default value.
To revoke by certificate, select the certificate(s) from the Revoke Certificates list
Note
Multiple certificates can be revoked at once by selecting all of them in the list.
To revoke by serial number, enter one or more certificate serial numbers separated by spaces in the Revoke by Serial field
Click Add and the certificate(s) will be added to the CRL
Note
Certificates can be revoked by selection and by serial at the same time.
After adding a certificate, the CRL will be re-written if it is currently in use by any VPN instances so that the CRL changes will be immediately active.
Removing a Certificate from a CRL
Certificates can be removed from the CRL when editing a CRL:
Navigate to System > Certificates, Certificate Revocation tab
Locate the CRL to edit in the list
Click the icon at the end of the row for the CRL
Find the certificate in the list and click the icon to remove it from the CRL
Click OK on the confirmation dialog
After removing a certificate, the CRL will be re-written if it is currently in use by any VPN instances so that the CRL changes will be immediately active.
Updating an Imported Certificate Revocation List
To update an imported CRL:
Navigate to System > Certificates, Certificate Revocation tab
Locate the CRL to edit in the list
Click the icon at the end of the row for the CRL
Enter a new copy of the CRL Data
Click Save
After updating the imported CRL, it will be re-written if it is currently in use by any VPN instances so that the CRL changes will be immediately active.