I had some problems with the new version of OpenVPN; it includes OpenSSL version 3, which by default forbids several more broken ciphers like SHA-1. Previously, pfSense didn't have a default value for the hash used for a certificate, so our pfSense admins created several SHA-1 certificates among a large number of users (it happens to be first in alphabetical order).
pfSense unfortunately doesn't display a lot of technical info about certificates and CAs in the relevant tables.
I made a feature to track individual certificates, useful for OpenVPN, by reading them out with PHP's openssl_* functions, and caching this information to a private file in /root/.ssl, so you can:
- Get notified by Zabbix when a certificate is about to expire (28 days ahead), warned when it has expired.
- Get a warning when a certificate uses a lower security standard than set (default = 112 bits).
Still todo: update the Zabbix version 4 template. I don't see a good way of backporting to it.
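
The two checks described above (expiry within 28 days, strength below 112 bits), as an added example that is not the code from this change. The function names and both strength tables are assumptions, and the sample certificate is a throwaway generated when the script runs.

```php
<?php
// Added example, not the code from this change. Function names and the
// strength tables are assumptions; 28 days and 112 bits are the defaults
// named in the description.

// Comparable strength of the public key (NIST SP 800-57 Part 1 estimates).
function key_bits(int $type, int $bits): int {
    if ($type === OPENSSL_KEYTYPE_EC) return intdiv($bits, 2);
    foreach ([15360 => 256, 7680 => 192, 3072 => 128, 2048 => 112, 1024 => 80] as $min => $s) {
        if ($bits >= $min) return $s;
    }
    return 0;
}

// Nominal collision resistance of the signature digest (half its length).
function digest_bits(string $sigAlg): int {
    $map = ['md5' => 64, 'sha1' => 80, 'sha224' => 112, 'sha256' => 128, 'sha384' => 192, 'sha512' => 256];
    foreach ($map as $name => $s) {
        if (stripos($sigAlg, $name) !== false) return $s;
    }
    return 0; // unknown digest: reported as weak so that someone looks at it
}

// Returns expiry status and the weaker of key strength and digest strength.
function check_cert($cert, int $now, int $minBits = 112, int $warnDays = 28): array {
    $info = openssl_x509_parse($cert);
    $key  = openssl_pkey_get_details(openssl_pkey_get_public($cert));
    $bits = min(key_bits($key['type'], $key['bits']), digest_bits($info['signatureTypeSN']));
    $left = $info['validTo_time_t'] - $now; // seconds until notAfter
    $status = $left < 0 ? 'expired' : ($left < $warnDays * 86400 ? 'expiring' : 'ok');
    return [
        'days_left' => (int) floor($left / 86400),
        'status'    => $status,
        'bits'      => $bits,
        'weak'      => $bits < $minBits,
    ];
}

// Constructed sample: self-signed RSA-2048/SHA-256 certificate valid for 20 days.
$pk   = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048]);
$csr  = openssl_csr_new(['commonName' => 'vpn-user.example'], $pk, ['digest_alg' => 'sha256']);
$cert = openssl_csr_sign($csr, null, $pk, 20, ['digest_alg' => 'sha256']);
print_r(check_cert($cert, time()));

// The digest table applied to a constructed SHA-1 signature name.
var_dump(digest_bits('RSA-SHA1') < 112);
```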