Version 3 (modified by 6 years ago) (diff) | ,
---|
OpenVPN 2.4 new Certificate Revocation List method.
Processing the Certificate Revocation List (CRL) in OpenVPN 2.4 is now handled by the Crypto Library with which OpenVPN has been built. This means the list is processed much more rigidly than before. (Previously, in OpenVPN 2.3, a built-in check was used).
Specifically, the Crypto Library (Usually OpenSSL) will check all
fields, this check includes the nextUpdate
field and CRLs with an
expired nextUpdate
field are flagged as expired by OpenSSL (The
built-in check in OpenVPN 2.3 did not check this field).
In order to fix this, regenerate the CRL with a new nextUpdate
value.
If you don't want your CRLs
expire put that value far enough into the future.
Using EasyRSA a new CRL
can be generated with ./easyrsa gen-crl
Source: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13806.html