On 9/27/2012 2:55 PM, Paul Heinlein wrote:
> I'm fairly new to pfSense and completely new to this list, so please
> forgive me if I'm asking a FAQ that my Google searches couldn't identify.
> 
> We have an in-house certificate authority that signs VPN certificates
> and issues certificate revocations.
> 
> We don't have a ton of CRL churn, but often the revocations need to be
> pushed to pfSense very quickly.
> 
> My experience so far is that I have two bad choices:
> 
>  1. Use the web GUI to paste the CRL into cert manager and
>     assign that CRL to each OpenVPN instance. This is bad because
>     I can't seem to update the CRL without OpenVPN restarting
>     and dropping connections.
> 
>  2. scp the CRL to each /var/etc/openvpn/serverX.crl-verify (where
>     X is 1, 2, 3, etc.). This is bad because the web GUI is now
>     out of sync with the underlying filesystem.
> 
> Am I missing a cleaner solution, one that allows a CRL update without
> restarting the openvpn binary?

Why the reluctance to restart OpenVPN? Seems to me you'd want to kill
all active connections to ensure that the newly revoked certificate is
not in use.

At most the remote sites would have ~60 seconds of downtime after the
server is restarted.

There really wouldn't be a good way to manage that from the GUI, write
it out to the FS, and not restart OpenVPN. At least not the way the GUI
for that is currently coded.

Jim
_______________________________________________
List mailing list
[email protected]
http://lists.pfsense.org/mailman/listinfo/list
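Added example, not part of the thread and not pfSense's own tooling: a POSIX shell script built on the openssl CLI that runs the checks an operator would want before copying a fresh CRL into a serverX.crl-verify file as in Paul's option 2. It confirms that the CRL is signed by the in-house CA (a CRL from any other issuer is rejected), that the certificate being revoked actually appears in it (openssl verify also fails if the CRL itself has expired), and that the copy on the firewall still matches what the CA published, which is the GUI/filesystem drift Paul mentions. The CA, client certificate and CRL are a throwaway demo PKI built in a temp directory; the names DemoCA, OtherCA and client1 and the server1.crl-verify stand-in path are assumptions. As Jim notes, a validated CRL still has to be loaded by OpenVPN; this script only guards what gets written.

```shell
#!/bin/sh
# Added example, not from the thread: pre-push checks for a CRL that is about
# to be copied to an OpenVPN instance's serverX.crl-verify file on pfSense.
# Only the openssl CLI is used; the PKI below is a constructed demo in a temp
# directory so the script runs offline.
set -eu

# Return 0 if the CRL's signature verifies against the given CA certificate.
# The exit status of "openssl crl -verify" is not reliable across versions,
# so the "verify OK" line is checked instead.
crl_signed_by() {                 # crl_signed_by CA.crt CRL.pem
    openssl crl -in "$2" -CAfile "$1" -verify -noout 2>&1 | grep -q 'verify OK'
}

# Return 0 if the CRL (validated against the CA) marks the certificate as
# revoked. "openssl verify -crl_check" also fails on an expired CRL, which is
# what we want: a stale CRL must not be pushed as if it were current.
cert_revoked_by() {               # cert_revoked_by CA.crt CRL.pem CERT.pem
    openssl verify -crl_check -CAfile "$1" -CRLfile "$2" "$3" 2>&1 \
        | grep -q 'certificate revoked'
}

# Return 0 if both files have the same SHA-256, i.e. the file on the
# firewall is exactly the CRL the CA published (no GUI/filesystem drift).
same_crl() {                      # same_crl A.pem B.pem
    a=$(openssl dgst -sha256 "$1" | awk '{print $NF}')
    b=$(openssl dgst -sha256 "$2" | awk '{print $NF}')
    [ "$a" = "$b" ]
}

# Build a throwaway CA, issue one client cert, revoke it and emit a CRL.
# A second, unrelated CA is created so a foreign CRL can be shown rejected.
make_demo_pki() {                 # make_demo_pki DIR
    d="$1"
    mkdir -p "$d/newcerts"
    : > "$d/index.txt"
    echo 1000 > "$d/serial"
    cat > "$d/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = $d/index.txt
new_certs_dir = $d/newcerts
certificate = $d/ca.crt
private_key = $d/ca.key
serial = $d/serial
default_md = sha256
default_days = 30
default_crl_days = 7
policy = demo_policy
x509_extensions = client_ext
[ demo_policy ]
commonName = supplied
[ client_ext ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ req ]
distinguished_name = req_dn
x509_extensions = ca_ext
[ req_dn ]
commonName = Common Name
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -config "$d/ca.cnf" -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj /CN=DemoCA -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    openssl req -config "$d/ca.cnf" -newkey rsa:2048 -nodes \
        -subj /CN=client1 -keyout "$d/client.key" -out "$d/client.csr" 2>/dev/null
    openssl ca -batch -config "$d/ca.cnf" -in "$d/client.csr" -out "$d/client.crt" 2>/dev/null
    openssl ca -batch -config "$d/ca.cnf" -revoke "$d/client.crt" 2>/dev/null
    openssl ca -batch -config "$d/ca.cnf" -gencrl -out "$d/ca.crl" 2>/dev/null
    openssl req -config "$d/ca.cnf" -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj /CN=OtherCA -keyout "$d/other.key" -out "$d/other.crt" 2>/dev/null
}

DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
make_demo_pki "$DEMO"

# Stand-alone demo: DEST stands in for /var/etc/openvpn/server1.crl-verify.
DEST="$DEMO/server1.crl-verify"
cp "$DEMO/ca.crl" "$DEST"
crl_signed_by "$DEMO/ca.crt" "$DEMO/ca.crl" && echo "CRL signature: OK (DemoCA)"
crl_signed_by "$DEMO/other.crt" "$DEMO/ca.crl" || echo "CRL signature: rejected against OtherCA"
cert_revoked_by "$DEMO/ca.crt" "$DEMO/ca.crl" "$DEMO/client.crt" && echo "client1: revoked"
same_crl "$DEMO/ca.crl" "$DEST" && echo "server1.crl-verify matches the published CRL"
```

In practice the three checks run on the CA host against the CRL it just generated and against a copy pulled back from the firewall; a mismatch in same_crl is the signal that the GUI-managed file and the scp'd file have diverged, and a failed crl_signed_by means the file should never be copied into place at all.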