[Swan] how/where to configure list of 'valid' certs

John Crisp jcrisp at safeandsoundit.co.uk
Mon Jan 15 14:40:36 EET 2024


On 15/01/2024 11:40, Marc wrote:
> 
> Hmmm, I don't really get any results on how to revoke a cert. I am constantly getting this microsoft shit where there is a certutil -revoke argument.
> 

I'm sorry but I don't use Windows (for one of a thousand different 
reasons, but including yours).

No idea what you are running this on but from a brief read you may 
experience issues using a desktop version.

If you are handling multiple certs that change regularly then it may be 
easier for you to use a certificate server designed for the job.

e.g. read about "Certification Authority MMC Snap-In" and then something 
like "CA manager".

You can then create and revoke certificates and it will produce a CRL 
list that libreswan can read.

There are various offerings available online.

Personally I keep my certificate generation completely separate from my 
Libreswan installation - I just import new certs and either delete or 
import a CRL as required.


> I created a crl list with this:
> 
> crlutil -G -n "Example CA" -d sql:clientcertdb/ <<EOF
> update=20050204153000Z
> addcert 34-40 20050104153000Z
> EOF
> 
> How do I add a cert to this?
> 

I don't think you need to. The tool is for management of existing lists.

Just delete the certificate from the DB and it is revoked.

If you wanted another program to read the CRL you could then use crlutil 
to generate a new list. You could say pass it to another ipsec install.

NB Others may have better advice on all this - it is not my forte and I 
am happy to stand corrected on all of it!
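Added example (not from this thread or the libreswan project): the heredoc Marc quoted is a crlutil "crl-gen" script, and the same script format can be fed to crlutil later to add serials to the CRL already stored in the NSS database, which is one answer to "how do I add a cert to this?". It reuses the database path and CA nickname from the quoted command; the -M (modify existing CRL), -L -r (dump stored CRL as DER) and -I (import DER) flags are taken from the NSS crlutil manual as I know it and are assumptions, as is the use of decimal serials.

```shell
#!/bin/sh
# Assumed layout (from the quoted post): NSS DB "sql:clientcertdb/", CRL
# nickname "Example CA". Times are UTC in the YYYYMMDDHHMMSSZ form the
# quoted script uses, e.g. "$(date -u +%Y%m%d%H%M%SZ)".

# Print a crl-gen script that sets the CRL's update time to NOW and marks
# each serial (a decimal number "57" or a range "34-40") revoked at NOW.
# This is the text crlutil reads from stdin when no -c file is given.
crl_script() {
    now="$1"; shift
    printf 'update=%s\n' "$now"
    for serial in "$@"; do
        printf 'addcert %s %s\n' "$serial" "$now"
    done
}

# certutil -L prints serials as hex ("0x403"); addcert takes decimal.
serial_hex_to_dec() {
    printf '%d\n' "$1"
}

# Create the CRL once (what the quoted -G command did) ...
create_crl() {
    db="$1"; ca="$2"; now="$3"; shift 3
    crl_script "$now" "$@" | crlutil -G -d "$db" -n "$ca"
}

# ... and afterwards add serials to the stored CRL with -M instead of -G,
# which would otherwise replace the list.
revoke_serials() {
    db="$1"; ca="$2"; now="$3"; shift 3
    crl_script "$now" "$@" | crlutil -M -d "$db" -n "$ca"
}

# Export the stored CRL as DER so another ipsec host can load it with
# "crlutil -I -i <file> -d <its-db>" (assumed -L -r behaviour).
export_crl_der() {
    db="$1"; ca="$2"; out="$3"
    crlutil -L -d "$db" -n "$ca" -r > "$out"
}

# Usage (constructed values):
#   revoke_serials sql:clientcertdb/ "Example CA" \
#       "$(date -u +%Y%m%d%H%M%SZ)" "$(serial_hex_to_dec 0x403)"
#   export_crl_der sql:clientcertdb/ "Example CA" example-ca.crl
```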

