[Swan] how/where to configure list of 'valid' certs
John Crisp
jcrisp at safeandsoundit.co.uk
Mon Jan 15 14:40:36 EET 2024
On 15/01/2024 11:40, Marc wrote:
>
> Hmmm, I don't really get any results on how to revoke a cert. I am constantly getting this Microsoft shit where there is a certutil -revoke argument.
>
I'm sorry, but I don't use Windows (for one of a thousand different
reasons, but including yours).
No idea what you are running this on but from a brief read you may
experience issues using a desktop version.
If you are handling multiple certs that change regularly then it may be
easier for you to use a certificate server designed for the job.
e.g. read about "Certification Authority MMC Snap-In" and then something
like "CA manager".
You can then create and revoke certificates and it will produce a CRL
list that libreswan can read.
There are various offerings available online.
Personally I keep my certificate generation completely separate from my
Libreswan installation - I just import new certs and either delete or
import a CRL as required.
> I created a crl list with this:
>
> crlutil -G -n "Example CA" -d sql:clientcertdb/ <<EOF
> update=20050204153000Z
> addcert 34-40 20050104153000Z
> EOF
>
> How do I add a cert to this?
>
I don't think you need to. The tool is for management of existing lists.
Just delete the certificate from the DB and it is revoked.
If you wanted another program to read the CRL you could then use crlutil
to generate a new list. You could, say, pass it to another ipsec install.
NB: Others may have better advice on all this (it is not my forte and I
am happy to stand corrected on all of it!)
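The crlutil workflow the thread is about, written out end to end as an added example (this is not code from the thread, from Marc or John, or from Libreswan): generate a CRL from a script on stdin as in the quoted command, add a further revoked serial to the stored CRL afterwards with "crlutil -M", and read the revoked serials back with "crlutil -L". It assumes the NSS command-line tools (certutil, crlutil) are installed; the CA nickname "Example CA", the throwaway database path, the dates and the serial numbers are all constructed here.

```shell
# Added example, not code from the thread or from Libreswan.  Assumes the NSS
# tools certutil and crlutil are on PATH; everything else is constructed.

# Prints the revoked serial numbers in the CRL, one per line, or a single
# "skipped:" line when the NSS tools are missing so the script still runs.
crl_demo() {
    if ! command -v certutil >/dev/null 2>&1 || ! command -v crlutil >/dev/null 2>&1; then
        echo "skipped: certutil/crlutil not installed"
        return 0
    fi

    workdir=$(mktemp -d)
    db="sql:$workdir"          # throwaway NSS database; nothing real is touched
    ca="Example CA"            # nickname used in the thread (constructed CA)

    # 1. Fresh database with an empty password so nothing below prompts.
    certutil -N -d "$db" --empty-password

    # 2. Self-signed CA key pair and certificate.  crlutil signs the CRL with
    #    the private key behind this nickname, so the key must be in the DB.
    #    The noise file feeds key generation instead of the interactive prompt.
    head -c 1024 /dev/urandom > "$workdir/noise"
    certutil -S -d "$db" -n "$ca" -s "CN=Example CA" -x -t "CT,C,C" \
        -k rsa -g 2048 -Z SHA256 -z "$workdir/noise" -v 12 >/dev/null 2>&1

    # 3. Generate the CRL.  The script on stdin has the same form as the one in
    #    the thread: an update time and a serial range with its revocation date.
    crlutil -G -d "$db" -n "$ca" >/dev/null <<EOF
update=20240115120000Z
nextupdate=20240215120000Z
addcert 34-40 20240114120000Z
EOF

    # 4. Revoke one more certificate later on: -M modifies the CRL object that
    #    is already stored for this issuer, so the earlier entries are kept.
    crlutil -M -d "$db" -n "$ca" >/dev/null <<EOF
update=20240116120000Z
addcert 41 20240116090000Z
EOF

    # 5. Read the CRL back and extract the revoked serials ("Serial Number: 34
    #    (0x22)" lines).  The resulting CRL is what gets imported into a
    #    Libreswan NSS database, which is the "import a CRL" step in the thread.
    crlutil -L -d "$db" -n "$ca" | sed -n 's/^ *Serial Number: *\([0-9][0-9]*\).*/\1/p'

    rm -rf "$workdir"
}

crl_demo
```

Run it as-is; it should list 34 through 40 plus 41. The point of step 4 is that "crlutil -M" extends the existing CRL, whereas re-running "crlutil -G" would start again from an empty list, so a new revocation does not silently drop the earlier ones.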