How to revocate user certificate on pFSense (OpenVPN)

You have pFSense OpenVPN configured with local CA and user certificates, and now – somebody is leaving the company, or certificate is compromised, what should you do? Simply deleting user account or certificate is not a good practice, and it probably won`t work.


We need to setup certificate revocation.


I have two users

Zeljkomedic and zeljkomedicNEW

We will be revoking certificate for user: zeljkomedic and test it.

zeljkomedicNEW is the new user that will supersede user zeljkomedic


I have the LAB in place and you can check my VPN related articles here:


Open VPN Setup:


First step – Enable Certificate Revocation


Login to your pFSense webConfigurator


System | Cert.Manager


Certificate Revocation |+ Add or Import CRL

Create new Revocation List | Method: Create an Internal Certificate Revocation List | Descriptive name: enter something that you can recognize | Certificate Authority: CA that you already created on that pFSense installation


Internal Certificate Revocation List | Lifetime (Days): Enter or leave default value | Serial: leave default | Save


We can see results immediately – BWRevocationList is created


Now, let’s add a user certificate to the list


We are still in System | Cert.Manager | Certificate Revocation

Select Edit CRL

We still don`t have any revoked certs, but we will select one under |Choose a Certificate to Revoke |

Under Certificate I`ll select ZeljkoMedic |Reason: select what you like, I`ll select Cessation of Operation | Add


After we clicked on Add certificate is added and we are back on the main page of Certificate Revocation with one certificate on BWRevocationList

Click again on Edit CRL


There it is – user certificate ZeljkoMedic is revoked


If we go to the System | Cert.Manager | Certificates we will se that User Certificate ZeljkoMedic is revoked


Looks easy and quick but we are not done yet


Next step is adding Revocation list to our VPN Server


VPN | OpenVPN | Servers | Edit


Cryptographic Settings | Peer Certificate Revocation list |Select your Revocation list – in my case it is BWRevocationList |scroll to the bottom of the page and Save


Next step is to try connect VPN client that uses user certificate zeljkomedic


No luck


That is a success – revoked certificate is no longer able to connect ot the pFSense OpenVPN


Very important information:

In case you delete certificate from revocation list (and certificate is still in certificate database) user will again be able to connect.

!!!Deleting user and certificate from the pFSense will not disable him from accessing VPN – you have to enable and configure revocation list – deleting certificates will not disable VPN connectivity.




Revocation list is must have in pFSense if you use certificates, deleting certificates or users won`t help you – only revocation list will.


pFSense article series:


How to install pFSense on Hyper-V –

How to configure pFSense –

How to define firewall rules on pFSense –

How to create port forwarding on pFSense –

How to setup OpenVPN on pFSense –

How to setup OpenVPN on client (pFSense) –

OpenVPN on pFSense: Enable access to the LAN resources –

How to revocate user certificate on pFSense –

How to import PFX certificate to pFSense –