I’ve only seen a single post on CRLs for certificates in OpenVPN. [Or CRLs for any certificates anywhere for that matter]
It appears there’s no functional way to use CRLs in RoS.
Is this still the case?
If so, the only way to block an OpenVPN user is to change/delete their PPP secrets config, correct?
[We’ll allow them to “connect” to the OVPN server and allow any damage they can do there, but block the PPP connect?]
Why the heck isn’t a CRL implemented in RoS by now?
Lots of posts complaining about the “OpenVPN” feature of rOS being so partial it’s barely OpenVPN at all.
CRL is like UDP, LZO and every other modern OpenVPN feature: “won’t implement” is the official answer.
Thanks for the answer - I’ve already checked the system/certificate wiki page but didn’t find anything.
Are there any plans to support CRL in OpenVPN in the near future?
I’ll put it this way - so far Mikrotik wins with most vendors on functionality, flexibility and price, but these kinds of gaps make it a non-starter for really serious deployments where security is not an optional bolt-on but an absolute baseline requirement. I’d like to see some implementation timeline if possible.
I can confirm it working on 6.36.2 but not exactly straight. There is a bug in the GUI that causes ca crl host to be empty after signing.
When you sign a certificate there is a field for CRL host and it does nothing. Signing from terminal works fine and CRL host is set.
Then the revocation of certificates is respected and revoked certs are denied connection.
Phew, at last. Just correct this bug, please.
Hi.
I have a slightly different question - in the current ROS (6.41.2), if I revoke the certificate of a client (another Routerboard device), the connection is not interrupted. To break the connection I needed to disable / enable the OVPN Server Binding.
Of course, I can revoke the certificate through a script to do everything with one command, but is it really the user who should be following such things?