
This section is part of "Certificate Authorities and Keys". Here, an additional CA certificate can be uploaded, the CRL gives a view of the certificates that were revoked, and a Diffie-Hellman parameter can be uploaded or optionally generated.

Upload CA certificate

To upload a CA certificate, click "Choose File".

The file uses the PEM format. Enter the "CA-name" without special characters or numbers. The upload is done by clicking Upload CA certificate.

Certificate Revocation List

The button "Show certificate revocation list" (also known as CRL) can deliver technical information, but primarily lists all certificates that were revoked.
If no certificates are revoked, a simple "No Revoked Certificates." is shown in this list.

In case some certificates were revoked, entries like these

Revoked Certificates:
  Serial Number: 02
      Revocation Date: Jun 17 08:41:25 2014 GMT

are listed.

Since IPFire does not currently provide a way to revoke certificates over the web interface, the console needs to be used.

If you are interested in that, you can follow this short description:

  1. The certificate (in {Clientname}cert.pem format) that should be revoked (in this example named "RevokedZertTest") can be found under /var/ipfire/ovpn/certs. An OpenSSL command is used to revoke it:

openssl ca -config /var/ipfire/ovpn/openssl/ovpn.cnf -revoke /var/ipfire/ovpn/certs/RevokedZertTestcert.pem

  2. Another important file should be named in this context: index.txt (found under /var/ipfire/ovpn/certs) is the certificate database and keeps an entry for every certificate. After the revocation, index.txt marks all revoked certificates with an "R" (Revoked); the other ones carry a "V" (Valid) or an "E" (Expired). The columns are status, expiry date, revocation date (only for revoked entries), serial number, certificate file name and subject DN:

cat /var/ipfire/ovpn/certs/index.txt
V   47520513073408Z     01  unknown /C=DE/ST=HH/O=IPFire/OU=AbteilungA/CN=beispiel.dyndns.org
R   140618083718Z   140617084125Z   02  unknown /C=DE/ST=HH/O=IPFire/OU=AbteilungB/CN=RevokedZertTest

  3. After this step the CRL must be regenerated with this command, otherwise the revocation is recorded in the database but not published to the OpenVPN server:

openssl ca -config /var/ipfire/ovpn/openssl/ovpn.cnf -gencrl -out /var/ipfire/ovpn/crls/cacrl.pem

Since Core Update 186 the location of ovpn.cnf has changed, so on these versions you need to execute the following command instead:

openssl ca -config /usr/share/openvpn/ovpn.cnf -gencrl -out /var/ipfire/ovpn/crls/cacrl.pem

From now on the chosen client's certificate is revoked and the client can no longer connect.
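The three console steps above, wrapped into a small POSIX shell script. This is an added example and not part of the IPFire wiki or the IPFire project; it assumes the paths named on this page (/var/ipfire/ovpn/certs, /var/ipfire/ovpn/crls/cacrl.pem, and the two possible locations of ovpn.cnf) and picks the newer config path when it exists. Revocation and CRL regeneration are done in one function so the database and the published CRL cannot drift apart, and two small awk helpers read index.txt so that the result can be checked without opening the web interface.

```shell
#!/bin/sh
# Added example (not from the IPFire wiki): revoke an OpenVPN client certificate
# on the IPFire console, regenerate the CRL and verify the result via index.txt.
# Assumed paths are the ones described on this page.

OVPN_DIR=/var/ipfire/ovpn
CERT_DIR=$OVPN_DIR/certs
CRL_OUT=$OVPN_DIR/crls/cacrl.pem

# Since Core Update 186 ovpn.cnf lives under /usr/share/openvpn; older installs
# keep it under /var/ipfire/ovpn/openssl. Prefer the new location when present.
ovpn_cnf() {
    if [ -f /usr/share/openvpn/ovpn.cnf ]; then
        echo /usr/share/openvpn/ovpn.cnf
    else
        echo "$OVPN_DIR/openssl/ovpn.cnf"
    fi
}

# Revoke one client's certificate ({Clientname}cert.pem) and immediately
# regenerate the CRL, so a revocation is never left unpublished.
revoke_client() {
    name=$1
    cert="$CERT_DIR/${name}cert.pem"
    [ -f "$cert" ] || { echo "no such certificate: $cert" >&2; return 1; }
    openssl ca -config "$(ovpn_cnf)" -revoke "$cert" || return 1
    openssl ca -config "$(ovpn_cnf)" -gencrl -out "$CRL_OUT"
}

# Human-readable view of the published CRL (what the "Show certificate
# revocation list" button displays), including the serials listed above.
show_crl() {
    openssl crl -in "$CRL_OUT" -noout -text
}

# index.txt is tab-separated: status, expiry, revocation date, serial, file, DN.
# Print the CN of every entry whose status is R (revoked).
revoked_cns() {
    awk -F'\t' '$1 == "R" {
        n = split($6, parts, "/")
        for (i = 1; i <= n; i++)
            if (parts[i] ~ /^CN=/) print substr(parts[i], 4)
    }' "$1"
}

# Count revoked entries; V (valid) and E (expired) rows are ignored.
count_revoked() {
    awk -F'\t' '$1 == "R" { c++ } END { print c + 0 }' "$1"
}

# Usage on the firewall (requires root):
#   revoke_client RevokedZertTest
#   revoked_cns /var/ipfire/ovpn/certs/index.txt
#   show_crl
```

Run revoke_client as root on the firewall itself; afterwards revoked_cns should list the client you just revoked and show_crl should print its serial number under "Revoked Certificates", matching what the web interface displays.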

Diffie-Hellman-Parameter

Since Core Update 172 the Diffie-Hellman parameter has been fixed to ensure a secure parameter length is chosen and provided in the correct standardised format.
Core Update 172 Release

Remove X509

At the bottom of the web interface you find the option to delete the whole certificate authority together with all keys, clients and client-related data.
The button leads you to a confirmation page.

If you confirm it by pressing the "RemoveX509" button, all connections are deleted, the whole certificate authority as well, and the certificate database (index.txt and serial) is reset and starts again from zero. It is almost like starting from the beginning; only the server configuration and the configured "static IP address pools" are left untouched.
