This section is part of "Certificate Authorities and Keys". Here another CA certificate can be uploaded, the CRL shows which certificates have been revoked, and a Diffie-Hellman parameter can be uploaded or optionally generated.
To upload a CA certificate, click "Choose File".
The file must be in PEM format. Enter the "CA name" without special characters or numbers. The upload is done by clicking "Upload CA certificate".
The button "Show certificate revocation list" (also known as CRL) can deliver technical information, but primarily lists all certificates that have been revoked.
If no certificates are revoked, this list simply shows
No Revoked Certificates.
If certificates have been revoked, entries similar to these appear:
Revoked Certificates:
    Serial Number: 02
        Revocation Date: Jun 17 08:41:25 2014 GMT
Since IPFire does not currently offer a way to revoke certificates over the web interface, the console has to be used.
If you need this, follow the short description below. First revoke the client certificate against the OpenVPN CA configuration:
openssl ca -config /var/ipfire/ovpn/openssl/ovpn.cnf -revoke /var/ipfire/ovpn/certs/RevokedZertTestcert.pem
The CA database now marks the certificate as revoked (status R) with its revocation date:
cat /var/ipfire/ovpn/certs/index.txt
V    47520513073408Z                    01    unknown    /C=DE/ST=HH/O=IPFire/OU=AbteilungA/CN=beispiel.dyndns.org
R    140618083718Z    140617084125Z    02    unknown    /C=DE/ST=HH/O=IPFire/OU=AbteilungB/CN=RevokedZertTest
Then generate a new CRL so that the revocation takes effect:
openssl ca -config /var/ipfire/ovpn/openssl/ovpn.cnf -gencrl -out /var/ipfire/ovpn/crls/cacrl.pem
From now on the chosen client is suspended.
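Added example, not from the IPFire wiki or the IPFire code: a small Python parser for the OpenSSL CA database (index.txt) shown above. It reports the revoked entries in the same shape as the CRL view and handles the 15-character GeneralizedTime expiry that appears in the listing; the sample lines are constructed from the listing above.

```python
from datetime import datetime, timezone
# Constructed sample mirroring the page's index.txt listing (fields are tab-separated).
SAMPLE_INDEX = (
    "V\t47520513073408Z\t\t01\tunknown\t/C=DE/ST=HH/O=IPFire/OU=AbteilungA/CN=beispiel.dyndns.org\n"
    "R\t140618083718Z\t140617084125Z\t02\tunknown\t/C=DE/ST=HH/O=IPFire/OU=AbteilungB/CN=RevokedZertTest\n"
)

def parse_asn1_time(value):
    """Convert an index.txt timestamp to an aware UTC datetime.
    OpenSSL writes UTCTime (YYMMDDHHMMSSZ, 13 chars) before 2050 and GeneralizedTime
    (YYYYMMDDHHMMSSZ, 15 chars) afterwards; the expiry in the sample is the 15-char form."""
    fmt = {13: "%y%m%d%H%M%SZ", 15: "%Y%m%d%H%M%SZ"}.get(len(value))
    if fmt is None:
        raise ValueError(f"unrecognised time format: {value!r}")
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)

def parse_index(text):
    """Parse index.txt into dicts; raise on any line that breaks the CA database format."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError(f"line {lineno}: expected 6 tab-separated fields, got {len(fields)}")
        status, expiry, revoked, serial, filename, subject = fields
        if status not in ("V", "R", "E"):  # valid, revoked, expired
            raise ValueError(f"line {lineno}: unknown status {status!r}")
        if (status == "R") != bool(revoked):  # revocation date is set exactly when status is R
            raise ValueError(f"line {lineno}: status {status!r} inconsistent with revocation date")
        entries.append({"status": status, "expiry": parse_asn1_time(expiry),
                        "revoked": parse_asn1_time(revoked) if revoked else None,
                        "serial": serial, "filename": filename, "subject": subject})
    return entries

def revoked_certificates(text):
    """Return (serial, revocation time, subject DN) for every revoked entry."""
    return [(e["serial"], e["revoked"], e["subject"]) for e in parse_index(text) if e["status"] == "R"]

def format_crl_style(text):
    """Render the revoked entries the way the web interface's CRL view shows them."""
    rows = revoked_certificates(text)
    if not rows:
        return "No Revoked Certificates."
    lines = ["Revoked Certificates:"]
    for serial, when, _subject in rows:
        lines.append(f"    Serial Number: {serial}")
        lines.append(f"        Revocation Date: {when.strftime('%b %d %H:%M:%S %Y GMT')}")
    return "\n".join(lines)
```

Running it over the real file (`cat /var/ipfire/ovpn/certs/index.txt`) lets you confirm that the entry you revoked is marked R before you regenerate the CRL.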
The possibility to generate or upload a new Diffie-Hellman parameter has been integrated into IPFire. This parameter is used in the generation of the session key and can be generated with different bit lengths. The DH generation is now independent of the complete PKI generation (as it was before) and is also flexible through the configurable bit length.
Pick the desired bit length of 2048, 3072 or 4096 bits for the DH parameter, which will then be generated on IPFire.
The generation of large bit lengths can take time: 2048 bits can take 30 minutes, 3072 bits can take 2.5 hours and 4096 bits can take 5.5 hours, measured on an Intel Celeron CPU J1900 at 2 GHz. The mainboard should not only deliver enough computing power but also (which is important) good entropy.
Note: With large bit lengths (e.g. 3072 or 4096) it is possible that the generation process will not finish. This can happen with weak boards, or with strong boards that have little entropy. In that case an externally generated DH parameter should be integrated using the upload function explained above.
At the bottom of the web interface you find the possibility to delete the whole certificate authority together with all keys, clients and client-related data.
The button leads you to this page;
if you confirm by pressing the "RemoveX509" button, all connections will be deleted, along with the whole certificate authority; the certificate database (index.txt and serial) will also be reset and starts again from zero. It is almost like starting from the beginning; only the server configuration and the configured "static IP address pools" are left untouched.