Multiple CRLs one CA

Posted: Thu Jun 22, 2023 2:44 pm
by DeadPool
Hi all.
Is it possible to use multiple CRLs from one CA in OpenVPN configuration?
I have a Windows CA with 2 CRLs:
one updates every 12 hours - the "Delta" CRL - and the second updates every 5 days - the "main" CRL.
I concatenate them with openssl into one .pem file (just convert from DER to .pem and write both into one crl.pem file) and the OpenVPN server sees them, but it blocks revoked certs only from one of them - the "Delta" CRL.
It doesn't matter which one stands first in the .pem file: delta or main.
OpenVPN server writes on load:

 CRL: loaded 2 CRLs from file /etc/openvpn/ssl/crl.pem
So it can read them: delta and main.
Here is the ca/crl config:

ca "/etc/openvpn/ssl/ca.crt"
cert "/etc/openvpn/ssl/openvpnsrv.crt"
key "/etc/openvpn/ssl/openvpnsrv.key"
dh "/etc/openvpn/ssl/dh.pem"
crl-verify "/etc/openvpn/ssl/crl.pem"
How to force it to not only read all CRLs, but use them on client certificates too?

Re: Multiple CRLs one CA

Posted: Fri Jun 23, 2023 7:54 am
by DeadPool
Same behaviour with --capath and CRLs in ca_hash.r<n> format...
Blocking users only from one CRL: the delta_crl (it has a smaller list of revoked certs); it doesn't matter in which position it stands, ca_hash.r0 or ca_hash.r1. The bigger CRL (main) is ignored =(.

Forgot to mention: there are two CAs, RootCA and Issuing CA; the CRLs are from the Issuing CA. The Root CRL is empty for now, but after some time it will be used to block clients in OpenVPN too, so it will be 3 CRLs.

CRLs work one by one.
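The following script is an added example and is not code from the thread or from the OpenVPN project. It reproduces the setup in both posts with constructed material: one issuing CA, two client certificates, and two plain CRLs from that CA that each revoke a different client (independent CRLs, not a true delta CRL with the delta indicator extension). Each CRL is round-tripped through DER, as a Windows CA export would be, then concatenated into one crl.pem as in the first post, and also laid out as <issuer-hash>.r<n> files for --capath as in the second post. The checks are the ones worth running before blaming OpenVPN: that the bundle really holds two CRLs, that each CRL is signed by the CA and lists the expected serial, and what the OpenSSL verifier does with each CRL alone versus the bundle. The bundle result is printed rather than asserted, because which of two same-issuer CRLs the verifier consults is exactly the thread's open question. All file names, the CA name and the serials are made up; it assumes an openssl CLI of 1.1.1 or newer (for -addext).

```shell
#!/bin/sh
# Constructed lab (example code, not from the thread): one CA, two client
# certs, two CRLs from the same issuer that each revoke a different client.
set -eu

LAB=$(mktemp -d)   # everything below runs inside this scratch directory

# Minimal 'openssl req' config so the script does not depend on a system openssl.cnf.
write_req_cnf() {
    printf '[ req ]\ndistinguished_name = req_dn\nprompt = no\n[ req_dn ]\nCN = placeholder\n' > req.cnf
}

# One 'openssl ca' database per CRL so each CRL lists only its own revocations.
write_ca_cnf() {  # $1 = label (a or b)
    cat > "ca-$1.cnf" <<EOF
[ ca ]
default_ca = lab_ca
[ lab_ca ]
dir              = $LAB
database         = \$dir/index-$1.txt
crlnumber        = \$dir/crlnumber-$1
certificate      = \$dir/ca.crt
private_key      = \$dir/ca.key
default_md       = sha256
default_crl_days = 5
EOF
    : > "index-$1.txt"
    echo 01 > "crlnumber-$1"
}

issue_client() {  # $1 = name, $2 = serial (hex)
    openssl req -new -config req.cnf -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -nodes -keyout "$1.key" -subj "/CN=$1" -out "$1.csr" 2>/dev/null
    openssl x509 -req -in "$1.csr" -CA ca.crt -CAkey ca.key -set_serial "$2" \
        -days 30 -out "$1.crt" 2>/dev/null
}

# Revoke one cert in the given database and emit its CRL, round-tripped
# through DER (a Windows CA export) and back to PEM for OpenVPN.
make_crl() {  # $1 = label, $2 = cert to revoke
    openssl ca -config "ca-$1.cnf" -revoke "$2" 2>/dev/null
    openssl ca -config "ca-$1.cnf" -gencrl -out "crl-$1.tmp" 2>/dev/null
    openssl crl -in "crl-$1.tmp" -outform DER -out "crl-$1.der"
    openssl crl -inform DER -in "crl-$1.der" -outform PEM -out "crl-$1.pem"
}

build_lab() {
    cd "$LAB"
    write_req_cnf
    openssl req -x509 -config req.cnf -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -nodes -keyout ca.key -subj "/CN=Lab Issuing CA" -days 365 \
        -addext "basicConstraints=critical,CA:TRUE" \
        -addext "keyUsage=critical,keyCertSign,cRLSign" -out ca.crt 2>/dev/null
    issue_client client1 0x1001
    issue_client client2 0x1002
    write_ca_cnf a; make_crl a client1.crt     # CRL "a" revokes client1 only
    write_ca_cnf b; make_crl b client2.crt     # CRL "b" revokes client2 only
    cat crl-a.pem crl-b.pem > crl.pem          # the concatenated bundle from the first post
}

# Number of CRLs in a PEM bundle (what OpenVPN's "loaded N CRLs" counts).
crl_count() { grep -c 'BEGIN X509 CRL' "$1"; }

# Revoked serials listed in one CRL, one per line (hex, as openssl prints them).
revoked_serials() { openssl crl -in "$1" -noout -text | awk '/Serial Number:/ {print $3}'; }

# Is the CRL's signature valid under our CA? (openssl reports "verify OK" on stderr)
crl_signed_by_ca() { openssl crl -in "$1" -noout -CAfile ca.crt 2>&1 | grep -q 'verify OK'; }

# Prints "accepted" or "rejected" for a client cert checked against one CRL file.
cert_status() {  # $1 = cert, $2 = CRL file (single CRL or bundle)
    if openssl verify -crl_check -CAfile ca.crt -CRLfile "$2" "$1" >/dev/null 2>&1; then
        echo accepted
    else
        echo rejected
    fi
}

# --capath layout from the second post: one CRL per file named <issuer-hash>.r<n>.
install_capath() {  # $1 = target dir, remaining args = CRL files
    target=$1; shift; mkdir -p "$target"; n=0
    for f in "$@"; do
        cp "$f" "$target/$(openssl crl -in "$f" -noout -hash).r$n"
        n=$((n + 1))
    done
}

if [ "${1:-}" = run ]; then
    build_lab
    echo "CRLs in bundle: $(crl_count crl.pem)"
    for c in a b; do echo "crl-$c revokes: $(revoked_serials "crl-$c.pem" | tr '\n' ' ')"; done
    for cert in client1.crt client2.crt; do
        echo "$cert vs crl-a: $(cert_status "$cert" crl-a.pem), vs crl-b: $(cert_status "$cert" crl-b.pem), vs bundle: $(cert_status "$cert" crl.pem)"
    done
    install_capath capath crl-a.pem crl-b.pem && ls capath
fi
```

Run it as `sh crl-lab.sh run`. The per-CRL results are the baseline that matches "CRLs work one by one": each client is rejected only by the CRL that lists its serial. The bundle line shows what a single OpenSSL store does when both CRLs share an issuer, which is the behaviour OpenVPN inherits from its TLS library; if only one of the two serials is rejected there, the CRL content is not the problem and the question is how the library selects among same-issuer CRLs.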