[solved] The Meaning of EASYRSA_CRL_DAYS

Support forum for Easy-RSA certificate management suite.
Post Reply
MaddinR
OpenVpn Newbie
Posts: 9
Joined: Mon Sep 17, 2018 9:13 am

[solved] The Meaning of EASYRSA_CRL_DAYS

Post by MaddinR » Mon Sep 17, 2018 9:30 am

Hello everyone

I have a little understanding problem with the use of the variable EASYRSA_CRL_DAYS. The default value is 180 days.

Does this mean if I revoke a certificate in the file crl.pem, that the revocation will be revoked after 180 days? Or does that mean that a client certificate is automatically revoked after 180 days? What happens if I set it to 1 year, consistent with CERT / CA_EXPIRE.

The online translators are sometimes not very clear.

Thank you!

Greetings
Martin
Last edited by MaddinR on Mon Sep 17, 2018 5:43 pm, edited 1 time in total.

MaddinR
OpenVpn Newbie
Posts: 9
Joined: Mon Sep 17, 2018 9:13 am

Re: The Meaning of EASYRSA_CRL_DAYS

Post by MaddinR » Mon Sep 17, 2018 12:58 pm

Hello @ all

After a further searching (again some hours) in the web, it seems I have found a possible explanation. But I am unsure again.

If EASYRSA_CRL_DAYS=180 set, the CRL-List must be republished after 180 days, even if nothing has changed, otherwise it leads to the "VERIFY ERROR, CRL has expired" like showed in den Link
https://github.com/Nyr/openvpn-install/issues/352

The following Statement do the republish:

Code: Select all

openssl ca  -gencrl -keyfile keys/ca.key -cert keys/ca.crt  -out keys/crl.pem -config ./openssl.cnf
Is that the way it works?

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 5089
Joined: Fri Jun 03, 2016 1:17 pm

Re: The Meaning of EASYRSA_CRL_DAYS

Post by TinCanTech » Mon Sep 17, 2018 1:34 pm

If you use Easy-RSA then you can specify your own CRL period in the configuration file vars.
Also, Easy-RSA has a gen-crl command.

MaddinR
OpenVpn Newbie
Posts: 9
Joined: Mon Sep 17, 2018 9:13 am

Re: The Meaning of EASYRSA_CRL_DAYS

Post by MaddinR » Mon Sep 17, 2018 1:44 pm

Thank you for your answer, but I think (?), I already knew that. My problem is, what happens after the default 180 days. It seems that if 180 days are set and the CRL is older than 180 days, no further connections are allowed, even if other certs/keys themselves are still valid.

Is that so?

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 5089
Joined: Fri Jun 03, 2016 1:17 pm

Re: The Meaning of EASYRSA_CRL_DAYS

Post by TinCanTech » Mon Sep 17, 2018 2:29 pm

MaddinR wrote:
Mon Sep 17, 2018 1:44 pm
what happens after the default 180 days. It seems that if 180 days are set and the CRL is older than 180 days, no further connections are allowed, even if other certs/keys themselves are still valid
That is correct, however, it is a decision implemented by the SSL Library not OpenVPN itself.

The simplest solution is:
  • If you do not have any revoked certificates then do not use a CRL.

If you do have revoked certificates then you are going to have to learn about PKI Management.

MaddinR
OpenVpn Newbie
Posts: 9
Joined: Mon Sep 17, 2018 9:13 am

Re: The Meaning of EASYRSA_CRL_DAYS

Post by MaddinR » Mon Sep 17, 2018 5:42 pm

I thank you. But right now nothing is unclear to me.

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 5089
Joined: Fri Jun 03, 2016 1:17 pm

Re: [solved] The Meaning of EASYRSA_CRL_DAYS

Post by TinCanTech » Mon Sep 17, 2018 8:36 pm

Computer security is insanely complex .. so being clear as mud is about right, in general ..

https://community.openvpn.net/openvpn/w ... istExpired

Post Reply