I'm fairly new to pfSense and completely new to this list, so please
forgive me if I'm asking a FAQ that my Google searches couldn't
identify.

We have an in-house certificate authority that signs VPN certificates
and issues certificate revocations.

We don't have a ton of CRL churn, but often the revocations need to be
pushed to pfSense very quickly.

My experience so far is that I have two bad choices:

1. Use the web GUI to paste the CRL into cert manager and
   assign that CRL to each OpenVPN instance. This is bad because
   I can't seem to update the CRL without OpenVPN restarting
   and dropping connections.

2. scp the CRL to each /var/etc/openvpn/serverX.crl-verify (where
   X is 1, 2, 3, etc.). This is bad because the web GUI is now
   out of sync with the underlying filesystem.

Am I missing a cleaner solution, one that allows a CRL update without
restarting the openvpn binary?

Thanks!

--
Paul Heinlein
[email protected]
45°38' N, 122°6' W