[solved] The Meaning of EASYRSA_CRL_DAYS

Posted: Mon Sep 17, 2018 9:30 am
by MaddinR
Hello everyone

I have a little understanding problem with the use of the variable EASYRSA_CRL_DAYS. The default value is 180 days.

Does this mean if I revoke a certificate in the file crl.pem, that the revocation will be revoked after 180 days? Or does that mean that a client certificate is automatically revoked after 180 days? What happens if I set it to 1 year, consistent with CERT / CA_EXPIRE.

The online translators are sometimes not very clear.

Thank you!

Greetings
Martin

Re: The Meaning of EASYRSA_CRL_DAYS

Posted: Mon Sep 17, 2018 12:58 pm
by MaddinR
Hello @ all

After further searching (again some hours) on the web, it seems I have found a possible explanation. But I am unsure again.

If EASYRSA_CRL_DAYS=180 is set, the CRL list must be republished after 180 days, even if nothing has changed; otherwise it leads to the "VERIFY ERROR, CRL has expired" as shown in the link
https://github.com/Nyr/openvpn-install/issues/352

The following statement does the republish:

openssl ca -gencrl -keyfile keys/ca.key -cert keys/ca.crt -out keys/crl.pem -config ./openssl.cnf

Is that the way it works?

Re: The Meaning of EASYRSA_CRL_DAYS

Posted: Mon Sep 17, 2018 1:34 pm
by TinCanTech
If you use Easy-RSA then you can specify your own CRL period in the configuration file vars.
Also, Easy-RSA has a gen-crl command.

Re: The Meaning of EASYRSA_CRL_DAYS

Posted: Mon Sep 17, 2018 1:44 pm
by MaddinR
Thank you for your answer, but I think (?) I already knew that. My problem is what happens after the default 180 days. It seems that if 180 days are set and the CRL is older than 180 days, no further connections are allowed, even if the other certs/keys themselves are still valid.

Is that so?

Re: The Meaning of EASYRSA_CRL_DAYS

Posted: Mon Sep 17, 2018 2:29 pm
by TinCanTech
MaddinR wrote (Mon Sep 17, 2018 1:44 pm):
what happens after the default 180 days. It seems that if 180 days are set and the CRL is older than 180 days, no further connections are allowed, even if other certs/keys themselves are still valid
That is correct; however, it is a decision implemented by the SSL library, not OpenVPN itself.

The simplest solution is:
  • If you do not have any revoked certificates then do not use a CRL.

If you do have revoked certificates then you are going to have to learn about PKI Management.
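The behaviour discussed above (the SSL library rejects every client once the CRL's nextUpdate has passed, no matter how long the client certificates themselves remain valid) is easy to monitor from the CRL itself. The following Python script is an added example, not code from the thread or from Easy-RSA: it parses the output of `openssl crl -noout -lastupdate -nextupdate` and reports how many days remain before the republish deadline. The sample output embedded in it is constructed for a CRL generated on 2018-09-17 with the default EASYRSA_CRL_DAYS=180; the function names are my own.

```python
"""Warn before an Easy-RSA / OpenVPN CRL expires and clients start failing with
"CRL has expired" (i.e. the CRL's nextUpdate is in the past)."""
import re
import subprocess
from datetime import datetime, timezone

# Time format OpenSSL prints for -lastupdate/-nextupdate, e.g. "Mar 16 12:58:00 2019 GMT"
OPENSSL_TIME = "%b %d %H:%M:%S %Y %Z"

# Constructed sample (not from the thread): CRL issued 2018-09-17 with the Easy-RSA
# default EASYRSA_CRL_DAYS=180, so nextUpdate = lastUpdate + 180 days.
SAMPLE_OUTPUT = """lastUpdate=Sep 17 12:58:00 2018 GMT
nextUpdate=Mar 16 12:58:00 2019 GMT
"""


def utc_time(iso: str) -> datetime:
    """Aware UTC datetime from an ISO string such as '2019-03-10T12:58:00'."""
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)


def parse_crl_times(openssl_output: str) -> dict:
    """Extract lastUpdate/nextUpdate from `openssl crl -noout -lastupdate -nextupdate` text."""
    times = {}
    for key in ("lastUpdate", "nextUpdate"):
        match = re.search(rf"^{key}=(.+)$", openssl_output, re.MULTILINE)
        if not match:
            raise ValueError(f"{key} missing from openssl output")
        # OpenSSL pads single-digit days with a space ("Sep  6"); normalise before parsing.
        text = " ".join(match.group(1).split())
        times[key] = datetime.strptime(text, OPENSSL_TIME).replace(tzinfo=timezone.utc)
    return times


def crl_status(openssl_output: str, now: datetime, warn_days: int = 14) -> tuple:
    """Return (state, whole_days_left) with state 'ok', 'expiring' or 'expired'.
    Once 'expired', every client is refused regardless of its own certificate, so
    regenerate (easyrsa gen-crl / openssl ca -gencrl) and redeploy crl.pem before then."""
    days_left = (parse_crl_times(openssl_output)["nextUpdate"] - now).days
    if days_left < 0:
        return "expired", days_left
    if days_left <= warn_days:
        return "expiring", days_left
    return "ok", days_left


def read_crl_times(crl_path: str) -> dict:
    """Same check against a real crl.pem (needs the openssl binary on PATH)."""
    cmd = ["openssl", "crl", "-in", crl_path, "-noout", "-lastupdate", "-nextupdate"]
    return parse_crl_times(subprocess.run(cmd, check=True, capture_output=True, text=True).stdout)


if __name__ == "__main__":
    print(crl_status(SAMPLE_OUTPUT, utc_time("2019-03-10T12:58:00")))  # ('expiring', 6)
```

Run it from cron against the deployed crl.pem and alert on anything other than 'ok'; the threshold should leave enough time to regenerate and push the new CRL to the server.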

Re: The Meaning of EASYRSA_CRL_DAYS

Posted: Mon Sep 17, 2018 5:42 pm
by MaddinR
I thank you. But right now nothing is unclear to me.

Re: [solved] The Meaning of EASYRSA_CRL_DAYS

Posted: Mon Sep 17, 2018 8:36 pm
by TinCanTech
Computer security is insanely complex .. so being clear as mud is about right, in general ..

https://community.openvpn.net/openvpn/w ... istExpired