Changes between Version 1 and Version 2 of Ticket #422, comment 8
Timestamp: 05/24/15 09:08:22 (7 years ago)
Ticket #422, comment 8
Line 1 (v1 and v2, unmodified):
Now that I look a bit closer, I think I do understand.

Line 3 (v1):
OpenVPN complains about not being able to find/retrieve the CRL specified in one of your (sub) CAs. (edit: ignore this previous text ~~When using the `capath` option, you can't use the `crl` option to supply CRLs for all the CAs in the capath, so OpenVPN configures OpenSSL to automatically retrieve and check the CRLs listed in the CA certificate for you.~~) When using the `capath` option, OpenVPN enforces you also supply valid CRLs. To do so, use the `crl-verify` option.

Line 3 (v2):
OpenVPN complains about not being able to find/retrieve the CRL specified in one of your (sub) CAs. (edit: ignore this previous text ~~When using the `capath` option, you can't use the `crl` option to supply CRLs for all the CAs in the capath, so OpenVPN configures OpenSSL to automatically retrieve and check the CRLs listed in the CA certificate for you.~~) When using the `capath` option, OpenVPN enforces you also supply valid CRLs. To do so, put the CRLs in the capath dir too, named or linked as `<hash>.r<n>` (e.g. if your ca cert name/link is ffb84ff2.0, the crl name/link is ffb84ff2.r0).

Line 5 (v1 and v2, unmodified):
I can get the same behaviour from OpenSSL: