Hello everyone
I have a small problem understanding the use of the variable EASYRSA_CRL_DAYS. The default value is 180 days.
Does this mean that, if I revoke a certificate in the file crl.pem, the revocation will be revoked after 180 days? Or does it mean that a client certificate is automatically revoked after 180 days? What happens if I set it to 1 year, consistent with CERT / CA_EXPIRE?
The online translators are sometimes not very clear.
Thank you!
Greetings
Martin
[solved] The Meaning of EASYRSA_CRL_DAYS
Moderators: TinCanTech
- OpenVpn Newbie
- Posts: 10
- Joined: Mon Sep 17, 2018 9:13 am
[solved] The Meaning of EASYRSA_CRL_DAYS
Last edited by MaddinR on Mon Sep 17, 2018 5:43 pm, edited 1 time in total.
- OpenVpn Newbie
- Posts: 10
- Joined: Mon Sep 17, 2018 9:13 am
Re: The Meaning of EASYRSA_CRL_DAYS
Hello @ all
After further searching (again some hours) on the web, it seems I have found a possible explanation. But I am unsure again.
If EASYRSA_CRL_DAYS=180 is set, the CRL must be republished after 180 days, even if nothing has changed; otherwise it leads to the "VERIFY ERROR, CRL has expired" shown in the link
https://github.com/Nyr/openvpn-install/issues/352
The following statement does the republishing:
Code:
openssl ca -gencrl -keyfile keys/ca.key -cert keys/ca.crt -out keys/crl.pem -config ./openssl.cnf
Is that the way it works?
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: The Meaning of EASYRSA_CRL_DAYS
If you use Easy-RSA then you can specify your own CRL period in the configuration file vars.
Also, Easy-RSA has a gen-crl command.
- OpenVpn Newbie
- Posts: 10
- Joined: Mon Sep 17, 2018 9:13 am
Re: The Meaning of EASYRSA_CRL_DAYS
Thank you for your answer, but I think (?) I already knew that. My problem is what happens after the default 180 days. It seems that if 180 days are set and the CRL is older than 180 days, no further connections are allowed, even if the other certs/keys themselves are still valid.
Is that so?
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: The Meaning of EASYRSA_CRL_DAYS
That is correct; however, it is a decision implemented by the SSL library, not OpenVPN itself.
The simplest solution is:
- If you do not have any revoked certificates then do not use a CRL.
- If you do have revoked certificates then you are going to have to learn about PKI Management.
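The behaviour described in this thread can be reproduced without touching a production PKI. The script below is an added example, not code from the thread, from Easy-RSA or from OpenVPN: it builds a throwaway CA and client certificate in a temporary directory, issues one CRL with the Easy-RSA default of 180 days and one that lapses after a second (using `openssl ca -crlsec`), and runs the same CRL check the TLS library performs when OpenVPN is configured with `crl-verify`. It also defines a `crl_days_left` check that reads `nextUpdate` from a CRL and can be run from cron against the live `crl.pem` regardless of which EASYRSA_CRL_DAYS value is chosen. The `openssl.cnf`, file names and the functions `gen_crl`, `verify_client` and `crl_days_left` are constructed for this example; it assumes the `openssl` CLI and GNU `date` are installed.

```shell
#!/bin/sh
# Added example (not from the thread, Easy-RSA or OpenVPN): shows that once a
# CRL's nextUpdate has passed, the SSL library refuses an otherwise valid
# client certificate, and provides a days-left check for monitoring.
# Assumes the openssl CLI and GNU date.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal openssl.cnf for 'openssl ca -gencrl' (constructed here; Easy-RSA ships
# its own). default_crl_days is the setting that EASYRSA_CRL_DAYS feeds.
cat > openssl.cnf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir
certificate = $dir/ca.crt
private_key = $dir/ca.key
serial = $dir/serial
default_md = sha256
default_crl_days = 180
EOF
: > index.txt
echo 01 > serial

# Throwaway CA and a client certificate signed by it, both valid for a year.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
    -subj /CN=ExampleCA -days 365 >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -keyout client.key -out client.csr \
    -subj /CN=client1 >/dev/null 2>&1
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -out client.crt -days 365 >/dev/null 2>&1

# gen_crl OUT SECONDS: issue a CRL whose nextUpdate is SECONDS from now
# (the thread's command relies on default_crl_days instead).
gen_crl() {
    openssl ca -gencrl -config openssl.cnf -keyfile ca.key -cert ca.crt \
        -crlsec "$2" -out "$1" >/dev/null 2>&1
}

# verify_client CRL: exit status of the CRL-aware chain check, i.e. what the
# TLS library decides for a connecting client when crl-verify is in use.
verify_client() {
    openssl verify -crl_check -CAfile ca.crt -CRLfile "$1" client.crt >/dev/null 2>&1
}

# crl_days_left CRL: whole days until nextUpdate; zero or negative means the
# CRL has (all but) expired and every client will be refused until it is reissued.
crl_days_left() {
    next=$(openssl crl -in "$1" -noout -nextupdate | sed 's/^nextUpdate=//')
    next_epoch=$(date -d "$next" +%s)   # GNU date; BSD/macOS needs date -j -f
    echo $(( (next_epoch - $(date +%s)) / 86400 ))
}

gen_crl fresh.pem 15552000          # 180 days, the Easy-RSA default
gen_crl expired.pem 1
sleep 2                              # let the one-second CRL lapse

if verify_client fresh.pem; then
    echo "fresh CRL ($(crl_days_left fresh.pem) days left): client1 verifies OK"
fi
if ! verify_client expired.pem; then
    echo "expired CRL: client1 refused although its certificate is still valid"
    openssl verify -crl_check -CAfile ca.crt -CRLfile expired.pem client.crt 2>&1 \
        | grep -i expired || true
fi
```

For monitoring, the useful part is `crl_days_left`: run it against the server's `crl.pem` and raise an alert some days before it reaches zero, then regenerate the CRL with the `gen-crl` command mentioned above (or the `openssl ca -gencrl` line quoted earlier in the thread) and copy it into place.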
- OpenVpn Newbie
- Posts: 10
- Joined: Mon Sep 17, 2018 9:13 am
Re: The Meaning of EASYRSA_CRL_DAYS
I thank you. But right now nothing is unclear to me.
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: [solved] The Meaning of EASYRSA_CRL_DAYS
Computer security is insanely complex .. so being clear as mud is about right, in general ..
https://community.openvpn.net/openvpn/w ... istExpired