Changes between Version 1 and Version 2 of Ticket #422, comment 8


Timestamp:
05/24/15 09:08:22 (6 years ago)
Author:
Steffan Karger
Comment:

  • Ticket #422, comment 8

    v1 v2  
    11Now that I look a bit closer, I think I do understand.
    22
    3 OpenVPN complains about not being able to find/retrieve the CRL specified in one of your (sub) CAs.  (edit: ignore this previous text ~~When using the `capath` option, you can't use the `crl` option to supply CRLs for all the CAs in the capath, so OpenVPN configures OpenSSL to automatically retrieve and check the CRLs listed in the CA certificate for you.~~)  When using the `capath` option, OpenVPN enforces you also supply valid CRLs.  To do so, use the `crl-verify` option.
     3OpenVPN complains about not being able to find/retrieve the CRL specified in one of your (sub) CAs.  (edit: ignore this previous text ~~When using the `capath` option, you can't use the `crl` option to supply CRLs for all the CAs in the capath, so OpenVPN configures OpenSSL to automatically retrieve and check the CRLs listed in the CA certificate for you.~~)  When using the `capath` option, OpenVPN enforces you also supply valid CRLs.  To do so, put the CRLs in the capath dir too, name or linked as <hash>.r<n> (eg if your ca cert name/link is ffb84ff2.0, the crl name/link is ffb84ff2.r0).
    44
    55I can can get the same behaviour from OpenSSL:
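Review bot: In the added v2 line 3, "name or linked as <hash>.r<n>" should read "named or linked", and the line never says where <hash> comes from. The example (ffb84ff2.0 for the CA cert, ffb84ff2.r0 for the CRL) implies it is the same hash used in the CA certificate's file name, so say that outright. The change also drops the only mention of `crl-verify`, so a reader of v2 cannot tell whether that option still has a role when `capath` is used; a short clause addressing it would help.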