= OpenVPN 2.4: new Certificate Revocation List (CRL) handling =

Since OpenVPN 2.4, the Certificate Revocation List (CRL) configured with `--crl-verify` is parsed and checked by the crypto library OpenVPN was built against (OpenSSL or mbed TLS) rather than by OpenVPN's own code. OpenVPN 2.3 used a ''built-in'' check that did little more than look the client certificate's serial number up in the list; the library's check is considerably stricter.

Specifically, the crypto library (usually OpenSSL) validates '''all''' fields of the CRL, including the `nextUpdate` field. A CRL whose `nextUpdate` time has already passed is rejected as '''expired''': OpenSSL reports the verification error `CRL has expired`, and every client certificate check against that CRL fails, so no client can connect. The ''built-in'' check in OpenVPN 2.3 ignored `nextUpdate` entirely, which is why a CRL that worked for years on 2.3 stops working immediately after an upgrade to 2.4.

To fix this, regenerate the CRL so that it carries a fresh `nextUpdate` value and install it in place of the old file. If you do not want to renew the CRL on a schedule, set its validity period far enough into the future; the expiry is only a safeguard against a stale list, so choose a period that matches how often you actually regenerate the CRL after revoking a certificate.

With [https://github.com/OpenVPN/easy-rsa/releases EasyRSA] 3, a new CRL is generated with `./easyrsa gen-crl`; the result is written to `pki/crl.pem` and must be copied to the path named in the server's `crl-verify` directive. The validity period is taken from `EASYRSA_CRL_DAYS` in the `vars` file (180 days by default).
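
The following script is an added example, not code from this page or from the OpenVPN or easy-rsa projects. It reproduces the `thisUpdate`/`nextUpdate` check the crypto library now applies, reading the two Time fields straight out of the CRL's DER structure so it runs with the Python standard library alone; run it against the file named in `crl-verify` before and after regenerating to confirm the new `nextUpdate` is in the future. The script name `crlcheck.py`, the verdict strings and the three sample CRLs are assumptions for the example: the samples are constructed in the code, carry a dummy signature, and would never pass a real library check, but their Time fields are real.

```python
"""Check a CRL's thisUpdate/nextUpdate window the way OpenSSL's verifier does.
Added example (not OpenVPN or easy-rsa code): walks just enough DER to read the
two Time fields of a CertificateList (RFC 5280 section 5.1), stdlib only."""
import base64
import re
from datetime import datetime, timezone

INTEGER, BIT_STRING, UTC_TIME, GENERALIZED_TIME, SEQUENCE = 0x02, 0x03, 0x17, 0x18, 0x30

def _read_tlv(buf, pos):
    """Return (tag, value, position after the element) for the DER TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _parse_time(tag, raw):
    """Decode a DER Time (UTCTime or GeneralizedTime) into an aware datetime."""
    text = raw.decode("ascii")
    if tag == UTC_TIME:                     # YYMMDDHHMMSSZ; RFC 5280: 50..99 -> 19xx
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    elif tag != GENERALIZED_TIME:           # YYYYMMDDHHMMSSZ
        raise ValueError("expected a Time, got tag 0x%02x" % tag)
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def load_crl_der(data):
    """Accept PEM (-----BEGIN X509 CRL-----) or raw DER and return DER bytes."""
    m = re.search(rb"-----BEGIN X509 CRL-----(.*?)-----END X509 CRL-----", data, re.S)
    return base64.b64decode(m.group(1)) if m else data

def crl_validity_window(der):
    """Return (thisUpdate, nextUpdate or None).  CertificateList ::= SEQUENCE {
    tbsCertList ::= SEQUENCE { version INTEGER OPTIONAL, signature, issuer,
    thisUpdate, nextUpdate OPTIONAL, revokedCertificates OPTIONAL, ... }, ... }"""
    _, cert_list, _ = _read_tlv(der, 0)
    _, tbs, _ = _read_tlv(cert_list, 0)
    tag, _, pos = _read_tlv(tbs, 0)         # version (optional) or signature AlgId
    if tag == INTEGER:
        _, _, pos = _read_tlv(tbs, pos)     # signature AlgorithmIdentifier
    _, _, pos = _read_tlv(tbs, pos)         # issuer Name
    tag, raw, pos = _read_tlv(tbs, pos)     # thisUpdate (mandatory)
    this_update, next_update = _parse_time(tag, raw), None
    if pos < len(tbs):                      # nextUpdate is OPTIONAL: what follows may
        tag, raw, _ = _read_tlv(tbs, pos)   # already be revokedCertificates/extensions
        if tag in (UTC_TIME, GENERALIZED_TIME):
            next_update = _parse_time(tag, raw)
    return this_update, next_update

def check_crl(der, now):
    """The library rule that bites OpenVPN 2.4: 'expired' once nextUpdate has passed,
    'not_yet_valid' while thisUpdate is in the future; no nextUpdate = never expires."""
    this_update, next_update = crl_validity_window(der)
    if this_update > now:
        return "not_yet_valid"
    if next_update is not None and next_update <= now:
        return "expired"
    return "ok"

def check_crl_file(path, now=None):
    """Verdict for a CRL file on disk (PEM or DER), e.g. the crl-verify target."""
    with open(path, "rb") as f:
        return check_crl(load_crl_der(f.read()), now or datetime.now(timezone.utc))

def to_pem(der):
    """Wrap DER in the PEM armour OpenVPN's crl-verify normally reads."""
    return "-----BEGIN X509 CRL-----\n%s-----END X509 CRL-----\n" % base64.encodebytes(der).decode("ascii")

def _tlv(tag, body):
    """Minimal DER encoder, used only to build the constructed samples below."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def build_sample_crl(this_update, next_update=None):
    """Constructed, UNSIGNED CRL skeleton for testing: only its Time fields are real."""
    utc = lambda dt: _tlv(UTC_TIME, dt.strftime("%y%m%d%H%M%SZ").encode())
    sha256_rsa = _tlv(SEQUENCE, _tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + _tlv(0x05, b""))
    cn = _tlv(SEQUENCE, _tlv(0x06, bytes.fromhex("550403")) + _tlv(0x0C, b"Example CA"))
    issuer = _tlv(SEQUENCE, _tlv(0x31, cn))              # Name = SEQUENCE OF SET OF AVA
    tbs = _tlv(INTEGER, b"\x01") + sha256_rsa + issuer + utc(this_update)
    if next_update is not None:
        tbs += utc(next_update)
    signature = _tlv(BIT_STRING, b"\x00" + bytes(32))    # placeholder, not a real signature
    return _tlv(SEQUENCE, _tlv(SEQUENCE, tbs) + sha256_rsa + signature)

# Constructed samples: a CRL issued 2017-01-01 whose nextUpdate was the end of January
# (the 2.3-to-2.4 upgrade failure), the same CRL regenerated with nextUpdate ten years
# out, and a CRL with no nextUpdate at all.  NOW is "today" for the demo.
NOW = datetime(2017, 6, 1, tzinfo=timezone.utc)
_ISSUED = datetime(2017, 1, 1, tzinfo=timezone.utc)
CRL_EXPIRED = build_sample_crl(_ISSUED, datetime(2017, 1, 31, tzinfo=timezone.utc))
CRL_CURRENT = build_sample_crl(_ISSUED, datetime(2027, 1, 1, tzinfo=timezone.utc))
CRL_NO_NEXT_UPDATE = build_sample_crl(_ISSUED)

if __name__ == "__main__":
    import sys                             # python crlcheck.py /etc/openvpn/crl.pem
    print(check_crl_file(sys.argv[1]))
```

On a real server, `openssl crl -in crl.pem -noout -nextupdate` prints the same field the script reads. Note the asymmetry the sample without `nextUpdate` shows: the field is OPTIONAL in RFC 5280 and a CRL that omits it never expires, but easy-rsa and `openssl ca -gencrl` always emit it, so the period you give them (`EASYRSA_CRL_DAYS` in `vars`, or `-crldays` on the `openssl ca` command line) is the one that matters.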

Source:
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13806.html