<div dir="ltr"><div>Hi,</div><div><br></div><div>I'm trying to revoke a Windows machine certificate, but it fails as below.</div><div>Could someone please help me?</div><div><br></div><div>I made two machine certificates, for Win-A and Win-B.</div><div>Windows is Windows 7 and I set it up based on <a href="https://wiki.strongswan.org/projects/strongswan/wiki/Win7Certs">https://wiki.strongswan.org/projects/strongswan/wiki/Win7Certs</a>.</div><div>strongSwan is 5.5.3 and ipsec.conf is as below.</div><div>-------------------------------</div><div>conn win_client</div><div>        left            = %defaultroute</div><div>        leftauth        = pubkey</div><div>        leftcert        = serverCert.pem</div><div>        leftsubnet      = <a href="http://0.0.0.0/0">0.0.0.0/0</a></div><div>        leftid          = @<test-server></div><div>        #</div><div>        right           = %any</div><div>        rightsourceip   = %pool</div><div>        rightid         = "C=XX, O=YYY, CN=*"</div><div>        rightdns        = 8.8.8.8,8.8.8.1,8.8.8.2</div><div>        #</div><div>        fragmentation   = yes</div><div>        keyexchange     = ikev2</div><div>        ike             = aes256-sha1-modp1024!</div><div>        esp             = aes256-sha1!</div><div>        rekey           = no</div><div>        dpdaction       = clear</div><div>        dpddelay        = 30s</div><div>        dpdtimeout      = 90s</div><div>        auto            = add</div><div>-------------------------------</div><div><br></div><div>Then, both Windows 7 machines are able to connect to strongSwan.</div><div><br></div><div>I made a revocation file for Win-A and put it in /etc/ipsec.d/crls/ as below.</div><div>--------------------</div><div>Certificate Revocation List (CRL):</div><div>        Version 2 (0x1)</div><div>    Signature Algorithm: sha256WithRSAEncryption</div><div>        Issuer: /C=XX/O=YYY/CN=ZZZ CA</div><div>        Last Update: Sep  6 02:04:02 2017 GMT</div><div>        Next Update: Jan  7 02:04:02 2027 GMT</div><div>        CRL extensions:</div><div>            X509v3 Authority Key Identifier:</div><div>                keyid:87:50:D9:C2:07:27:33:C1:8B:66:67:7E:CB:08:82:6C:03:9E:F0:F5</div><div><br></div><div>            X509v3 CRL Number:</div><div>                1</div><div>Revoked Certificates:</div><div>    Serial Number: 03</div><div>        Revocation Date: Sep  6 02:04:02 2017 GMT</div><div>        CRL entry extensions:</div><div>            X509v3 CRL Reason Code:</div><div>                Superseded</div><div>    Signature Algorithm: sha256WithRSAEncryption</div><div>         40:34:d4:42:54:d2:a7:79:64:ad:58:5c:9a:56:a3:93:95:b3:</div><div>         b0:43:81:8d:b9:72:a4:cb:de:a3:9c:91:17:e6:6f:a4:62:94:</div><div>         7f:5d:24:be:b7:8c:7b:32:55:bb:7c:8a:65:c8:05:6f:c4:3c:</div><div>         e5:b9:a6:ff:3c:11:e0:24:ab:72:f1:cb:91:a1:db:a4:cf:e1:</div><div>         43:4b:87:f9:36:39:92:7a:03:67:51:0d:9e:29:9f:48:6c:6c:</div><div>         0c:87:02:44:ba:3f:b7:bd:ca:6c:d0:0e:80:5a:55:3c:cb:26:</div><div>         fe:8b:90:11:1a:d0:6f:73:77:cc:2a:db:29:14:9c:bd:c4:07:</div><div>         cb:9c</div><div>----------------------</div><div><br></div><div>And I executed the following commands.</div><div>----------------------</div><div>ipsec rereadcrls</div><div>ipsec purgecrls</div><div>----------------------</div><div><br></div><div>Then Win-A failed to connect to strongSwan, but Win-B could connect to strongSwan.</div><div><br></div><div><br></div>
<div>Next, I added a revocation for Win-B and put it in /etc/ipsec.d/crls/ as below.</div><div>----------------------</div><div>Certificate Revocation List (CRL):</div><div>        Version 2 (0x1)</div><div>    Signature Algorithm: sha256WithRSAEncryption</div><div>        Issuer: /C=XX/O=YYY/CN=ZZZ CA</div><div>        Last Update: Sep  6 07:09:48 2017 GMT</div><div>        Next Update: Jan  7 07:09:48 2027 GMT</div><div>        CRL extensions:</div><div>            X509v3 Authority Key Identifier:</div><div>                keyid:87:50:D9:C2:07:27:33:C1:8B:66:67:7E:CB:08:82:6C:03:9E:F0:F5</div><div><br></div><div>            X509v3 CRL Number:</div><div>                1</div><div>Revoked Certificates:</div><div>    Serial Number: 03</div><div>        Revocation Date: Sep  6 07:04:35 2017 GMT</div><div>        CRL entry extensions:</div><div>            X509v3 CRL Reason Code:</div><div>                Superseded</div><div>    Serial Number: 04</div><div>        Revocation Date: Sep  6 07:09:48 2017 GMT</div><div>        CRL entry extensions:</div><div>            X509v3 CRL Reason Code:</div><div>                Superseded</div><div>    Signature Algorithm: sha256WithRSAEncryption</div><div>         08:66:99:63:28:9f:59:d4:c8:21:40:68:f0:c0:f2:6e:ca:20:</div><div>         dc:d1:67:ff:9a:a8:90:48:5c:da:f2:02:a5:7a:9e:8e:1d:5f:</div><div>         b8:a6:9b:b1:6e:31:f5:47:71:79:48:f1:ab:62:97:fe:24:16:</div><div>         9c:f8:c1:97:74:fc:d9:b4:c2:c2:4f:1e:1c:d9:21:9f:ae:f2:</div><div>         8e:52:47:33:8e:ec:1e:06:bf:06:69:24:a8:70:b6:d7:23:9e:</div><div>         c8:96:fc:4b:ad:fa:d1:d3:95:f3:e2:2d:7a:4a:36:17:e7:ca:</div><div>         37:fa:85:a7:85:21:3a:4b:b1:a0:9f:a5:2e:19:ef:0d:56:25:</div><div>         36:4d</div><div>----------------------</div><div><br></div><div>And I executed the following commands again.</div><div>----------------------</div><div>ipsec rereadcrls</div><div>ipsec purgecrls</div><div>----------------------</div><div><br></div><div><br></div>
<div>Then, Win-A failed to connect to strongSwan, and Win-B could connect to strongSwan.</div><div><br></div><div>After that, I executed "ipsec restart". Both Win-A and Win-B failed to connect to strongSwan.</div><div><br></div><div>I don't want to use "ipsec restart" because the other IPsec sessions get disconnected.</div><div>How can I get the revocation to take effect without disconnecting the other IPsec sessions?</div><div><br></div><div>regards,</div><div>---</div><div>takumi kadode</div><div><br></div></div>
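As an added example (not part of the mail above and not strongSwan's own code), the following Python script uses the `cryptography` library to rebuild CRLs shaped like the two posted above under a throwaway, constructed CA, and runs the checks a gateway operator would want before `ipsec rereadcrls`: which serials each CRL revokes, whether it is signed by the trusted CA, and whether the replacement CRL carries a strictly higher CRL Number than the one already loaded. RFC 5280 requires the CRL Number to increase monotonically; both CRLs in the mail carry CRL Number 1, which this check flags. The CA key, issuer name and serials 3 and 4 are assumptions modelled on the mail.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

# Constructed issuer name mirroring the mail's "C=XX, O=YYY, CN=ZZZ CA".
CA_NAME = x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, "XX"),
                     x509.NameAttribute(NameOID.ORGANIZATION_NAME, "YYY"),
                     x509.NameAttribute(NameOID.COMMON_NAME, "ZZZ CA")])
NOW = datetime.datetime(2017, 9, 6, 2, 4, 2)  # the first CRL's "Last Update" from the mail

def make_ca_key():
    """Throwaway CA key (assumption); in practice it is the key that signed the machine certs."""
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)

def build_crl(ca_key, serials, number, now=NOW):
    """Sign a CRL revoking `serials` (reason: superseded) that carries CRL Number `number`."""
    builder = (x509.CertificateRevocationListBuilder()
               .issuer_name(CA_NAME)
               .last_update(now)
               .next_update(now + datetime.timedelta(days=3650))
               .add_extension(x509.CRLNumber(number), critical=False))
    for serial in serials:
        entry = (x509.RevokedCertificateBuilder()
                 .serial_number(serial)
                 .revocation_date(now)
                 .add_extension(x509.CRLReason(x509.ReasonFlags.superseded), critical=False)
                 .build())
        builder = builder.add_revoked_certificate(entry)
    crl = builder.sign(private_key=ca_key, algorithm=hashes.SHA256())
    return crl.public_bytes(serialization.Encoding.PEM)  # the file placed in /etc/ipsec.d/crls/

def revoked_serials(crl_pem):
    """Serials the CRL lists, sorted (the mail's Win-A cert is 03, Win-B is 04)."""
    return sorted(entry.serial_number for entry in x509.load_pem_x509_crl(crl_pem))

def crl_number_of(crl_pem):
    crl = x509.load_pem_x509_crl(crl_pem)
    return crl.extensions.get_extension_for_class(x509.CRLNumber).value.crl_number

def is_newer(candidate_pem, cached_pem):
    """RFC 5280 5.2.3 requires a monotonically increasing CRL Number; a replacement
    that keeps the same number (as both CRLs in the mail do) does not count as newer."""
    return crl_number_of(candidate_pem) > crl_number_of(cached_pem)

def signed_by(crl_pem, ca_key):
    """Verify the CRL signature against the CA key the gateway trusts."""
    return x509.load_pem_x509_crl(crl_pem).is_signature_valid(ca_key.public_key())
```

Run `is_newer(new_pem, old_pem)` on the file you are about to drop into /etc/ipsec.d/crls/ against the one currently there; a False result means the new CRL needs a higher CRL Number before it can supersede the cached one.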