Extended usage of CA and keys


This section is part of "Certificate Authorities and Keys". Here another CA certificate can be uploaded, the CRL gives an overview of the certificates which were revoked, and Diffie-Hellman parameters can be uploaded or optionally generated.

Upload CA certificate

To upload a CA certificate, click Choose File.

The file must be in PEM format. Enter the "CA name" without special characters or numbers. The upload is done by clicking Upload CA certificate.

Certificate Revocation List

The button "Show certificate revocation list" (also known as CRL) can deliver technical information, but primarily lists all certificates which were revoked.
If no certificates are revoked, the list simply shows No Revoked Certificates.

If some certificates have been revoked, entries like these

Revoked Certificates:
  Serial Number: 02
      Revocation Date: Jun 17 08:41:25 2014 GMT

are shown.

Since IPFire does not currently provide a way to revoke certificates via the web interface, the console needs to be used.

If you want to do this, follow this short description:

  1. The certificate file of the client to be revoked (named {Clientname}cert.pem, in this example "RevokedZertTest") is stored under /var/ipfire/ovpn/certs. Revoke it with the following OpenSSL command:

     openssl ca -config /var/ipfire/ovpn/openssl/ovpn.cnf -revoke /var/ipfire/ovpn/certs/RevokedZertTestcert.pem

  2. Another important file in this context is index.txt (found under /var/ipfire/ovpn/certs). It is the certificate database and holds one entry per certificate. After the revocation, index.txt marks the revoked certificate with an "R" (Revoked); the other entries carry a "V" (Valid) or an "E" (Expired):

     cat /var/ipfire/ovpn/certs/index.txt
     V   47520513073408Z     01  unknown /C=DE/ST=HH/O=IPFire/OU=AbteilungA/CN=beispiel.dyndns.org
     R   140618083718Z   140617084125Z   02  unknown /C=DE/ST=HH/O=IPFire/OU=AbteilungB/CN=RevokedZertTest

  3. After this step the CRL must be regenerated with this command:

     openssl ca -config /var/ipfire/ovpn/openssl/ovpn.cnf -gencrl -out /var/ipfire/ovpn/crls/cacrl.pem

From now on the chosen client is revoked.
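The index.txt listing above is the OpenSSL CA database, and the CRL shown by the web interface is generated from its "R" lines. The following parser is an added example (not IPFire or OpenSSL code; the function and class names are my own, and the third sample line is constructed) that reads the database, reports which serials must appear in the regenerated cacrl.pem, and flags one caveat a practitioner runs into: openssl ca only rewrites "V" to "E" when `openssl ca -updatedb` is run, so a "V" line can already be past its expiry date.

```python
"""Parser for the OpenSSL CA database (index.txt) that IPFire's OpenVPN PKI
keeps under /var/ipfire/ovpn/certs.

Added example, not IPFire or OpenSSL code; names are my own.
Column layout (tab-separated, one line per issued certificate):
  status  expiry  revocation-date  serial  filename  subject-DN
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

STATUS_NAMES = {"V": "Valid", "R": "Revoked", "E": "Expired"}


@dataclass
class IndexEntry:
    status: str                  # "V", "R" or "E" as written by openssl ca
    expires: datetime
    revoked: Optional[datetime]  # None unless status is "R"
    serial: str                  # hex serial, e.g. "02"
    filename: str                # usually "unknown"
    subject: str                 # e.g. "/C=DE/.../CN=RevokedZertTest"

    @property
    def common_name(self) -> str:
        return self.subject.rsplit("/CN=", 1)[-1]


def parse_asn1_time(value: str) -> datetime:
    """openssl ca writes UTCTime (YYMMDDHHMMSSZ) or, for years >= 2050,
    GeneralizedTime (YYYYMMDDHHMMSSZ); the wiki listing contains both."""
    fmt = "%y%m%d%H%M%SZ" if len(value) == 13 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def parse_index_line(line: str) -> IndexEntry:
    line = line.rstrip("\r\n")
    if not line.strip():
        raise ValueError("empty line")
    fields = line.split("\t")
    if len(fields) != 6:
        # Fallback for copies in which tabs were collapsed to spaces (as in the
        # wiki listing): the revocation column is only present on "R" lines.
        status = line.split(None, 1)[0]
        fields = line.split(None, 5 if status == "R" else 4)
        if status != "R":
            fields.insert(2, "")
    if len(fields) != 6:
        raise ValueError(f"unexpected number of columns: {line!r}")
    status, expires, revoked, serial, filename, subject = fields
    if status not in STATUS_NAMES:
        raise ValueError(f"unknown status flag {status!r}")
    # Newer OpenSSL may append a reason: "140617084125Z,keyCompromise".
    revoked_at = parse_asn1_time(revoked.split(",")[0]) if revoked else None
    return IndexEntry(status, parse_asn1_time(expires), revoked_at,
                      serial, filename, subject)


def load_index(text: str) -> List[IndexEntry]:
    return [parse_index_line(l) for l in text.splitlines() if l.strip()]


def effective_status(entry: IndexEntry, now: Optional[datetime] = None) -> str:
    """openssl ca only flips V -> E when `openssl ca -updatedb` is run, so a
    "V" line may already be past its expiry date; report what is true now."""
    now = now or datetime.now(timezone.utc)
    if entry.status == "R":
        return "Revoked"
    if entry.expires <= now:
        return "Expired"
    return "Valid"


def revoked_serials(entries: List[IndexEntry]) -> List[str]:
    """Serials that must appear in the regenerated CRL (cacrl.pem)."""
    return [e.serial for e in entries if e.status == "R"]


def find_by_common_name(entries: List[IndexEntry], cn: str) -> Optional[IndexEntry]:
    for e in entries:
        if e.common_name == cn:
            return e
    return None


# Constructed sample: the two lines from the wiki listing with tabs restored,
# plus a third, made-up entry that is still flagged "V" but expired in 2020.
SAMPLE_INDEX = (
    "V\t47520513073408Z\t\t01\tunknown\t/C=DE/ST=HH/O=IPFire/OU=AbteilungA/CN=beispiel.dyndns.org\n"
    "R\t140618083718Z\t140617084125Z\t02\tunknown\t/C=DE/ST=HH/O=IPFire/OU=AbteilungB/CN=RevokedZertTest\n"
    "V\t200101000000Z\t\t03\tunknown\t/C=DE/ST=HH/O=IPFire/OU=AbteilungC/CN=old-laptop\n"
)

if __name__ == "__main__":
    entries = load_index(SAMPLE_INDEX)
    for e in entries:
        print(f"{e.serial:>4}  {e.status} ({effective_status(e)})  {e.common_name}")
    print("revoked serials:", revoked_serials(entries))
```

The parser accepts the original tab-separated file as well as whitespace-collapsed copies like the listing on this page. Comparing revoked_serials() against the serials printed by "Show certificate revocation list" is a quick way to confirm that step 3 (regenerating cacrl.pem) was actually run after a revocation.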

Diffie-Hellman parameter options

The possibility to generate or upload new Diffie-Hellman parameters has been integrated into IPFire. These parameters are used in the Diffie-Hellman key exchange that derives the session key, and they can be generated with different bit lengths. The DH generation is now independent of the complete PKI generation (which it used to be part of), and the bit length can be configured.

  • Upload new Diffie-Hellman parameters: By clicking Choose File, an externally generated DH parameter file can be uploaded and integrated into the IPFire environment. Bit lengths of 2048, 3072 and 4096 are allowed; the upload is started by clicking "Upload Diffie-Hellman parameter". The file needs to be in PKCS#3 format.

  • Generate new Diffie-Hellman parameters: Clicking the button "Generate Diffie-Hellman parameter" opens the following section, where the desired bit length (2048, 3072 or 4096) for the DH parameters can be picked. They are then generated on IPFire.

Generating large bit lengths takes time: on an Intel Celeron CPU J1900 at 2 GHz, 2048 bits can take 30 minutes, 3072 bits 2.5 hours and 4096 bits 5.5 hours. The mainboard should therefore not only deliver enough computing power but also (importantly) good entropy.

With large bit lengths (e.g. 3072 or 4096) it is possible that the generation never finishes. This can happen on weak boards, or on strong boards with too little entropy. In that case, externally generated DH parameters should be integrated using the upload function explained above.
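The upload accepts only PEM-encoded PKCS#3 parameters with a 2048-, 3072- or 4096-bit prime. The following is an added example, not IPFire's own upload code, showing how such a check can be implemented: it decodes the PEM "DH PARAMETERS" block, parses the DER SEQUENCE of INTEGER p and INTEGER g, and accepts only the permitted sizes. Function names are my own; the embedded sample modulus is a constructed placeholder (odd and 2048 bits long, but not a prime) that exists only to exercise the parser, and real parameters come from `openssl dhparam`.

```python
"""Validate an uploaded Diffie-Hellman parameter file the way the IPFire
upload rules describe: PEM "DH PARAMETERS" (PKCS#3 DER inside) with a
2048-, 3072- or 4096-bit prime.

Added example, not IPFire code; all names here are my own.
"""
import base64
import textwrap
from typing import Optional, Tuple

ALLOWED_DH_BITS = (2048, 3072, 4096)
PEM_BEGIN = "-----BEGIN DH PARAMETERS-----"
PEM_END = "-----END DH PARAMETERS-----"


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER tag-length-value triple; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER length exceeds buffer")
    return tag, buf[pos:pos + length], pos + length


def parse_dh_params(pem_text: str) -> Tuple[int, int]:
    """Return (p, g) from a PEM 'DH PARAMETERS' block.
    PKCS#3: DHParameter ::= SEQUENCE { prime INTEGER, base INTEGER,
    privateValueLength INTEGER OPTIONAL }; the optional field is ignored."""
    lines = pem_text.strip().splitlines()
    if not lines or lines[0].strip() != PEM_BEGIN or lines[-1].strip() != PEM_END:
        raise ValueError("not a PEM DH PARAMETERS block")
    der = base64.b64decode("".join(l.strip() for l in lines[1:-1]), validate=True)
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one DER SEQUENCE")
    tag_p, p_bytes, pos = _read_tlv(body, 0)
    tag_g, g_bytes, _ = _read_tlv(body, pos)
    if tag_p != 0x02 or tag_g != 0x02:
        raise ValueError("DHParameter must start with INTEGER p, INTEGER g")
    return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")


def validate_dh_upload(pem_text: str) -> Tuple[bool, str, Optional[int]]:
    """Format and size check only: (accepted, reason, bit length of p)."""
    try:
        p, g = parse_dh_params(pem_text)
    except (ValueError, IndexError) as exc:
        return False, f"unparseable: {exc}", None
    bits = p.bit_length()
    if p % 2 == 0 or g < 2:
        return False, "implausible parameters (even p or g < 2)", bits
    if bits not in ALLOWED_DH_BITS:
        return False, f"{bits}-bit prime not in {ALLOWED_DH_BITS}", bits
    return True, "ok", bits


# --- minimal DER/PEM encoder, used only to build the constructed sample -----
def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _der_int(v: int) -> bytes:
    b = v.to_bytes(v.bit_length() // 8 + 1, "big")  # leading 0x00 if high bit set
    return b"\x02" + _der_len(len(b)) + b


def encode_dh_params(p: int, g: int) -> str:
    body = _der_int(p) + _der_int(g)
    der = b"\x30" + _der_len(len(body)) + body
    b64 = base64.b64encode(der).decode("ascii")
    return "\n".join([PEM_BEGIN, *textwrap.wrap(b64, 64), PEM_END]) + "\n"


# Constructed placeholder modulus: 2048 bits and odd, but NOT a prime. It only
# exercises the parser; real parameters come from `openssl dhparam 2048`.
DEMO_P_2048 = (1 << 2047) | 1
DEMO_PEM = encode_dh_params(DEMO_P_2048, 2)

if __name__ == "__main__":
    print(validate_dh_upload(DEMO_PEM))
    print(validate_dh_upload(encode_dh_params((1 << 1023) | 1, 2)))
```

Format and size checks are all this does; whether p really is a safe prime is left to `openssl dhparam -in file.pem -check -noout`, which is worth running on any externally generated file before uploading it.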

Remove X509

At the bottom of the web interface is the option to delete the whole certificate authority together with all keys, clients and client-related data.
The button leads to a confirmation page.

If you confirm by pressing the "RemoveX509" button, all connections are deleted, as is the whole certificate authority; the certificate database (index.txt and serial) is reset and starts again from zero. It is almost like starting from the beginning; only the server configuration and the configured "static IP address pools" are left untouched.



Older Revisions • January 20 at 11:06 am • ajftek user