Hi,

------- Original Message -------
On Thursday, March 2nd, 2023 at 10:12, Bo Berglund <bo.bergl...@gmail.com> 
wrote:


> I have downloaded easy-rsa3 version to my OpenVPN server for testing.
> I did so using wget on the v3.1.2/EasyRSA-3.1.2.tgz file below Releases at
> GitHub.
> 
> When I read the vars.example file I see that most of what I had to do in the
> vars file before is not really needed anymore. :-)
> 
> But there are a couple of things regarding certs I don't understand fully so
> would like to get explained:
> 
> # In how many days should the root CA key expire?
> #
> #set_var EASYRSA_CA_EXPIRE 3650
> 
> Obviously based on earlier discussions here about looming expirations I would
> like to do this to raise the time to 20 years:
> 
> set_var EASYRSA_CA_EXPIRE 7300
> 
> However, the following seems also to be involved with expirations but I don't
> know for sure what to do...
> 
> Do I need to also set these to 7300 to get a 20 year "working time"?
> 
> # In how many days should certificates expire?
> #
> #set_var EASYRSA_CERT_EXPIRE 825


This seems to me to be self-explanatory:

* EASYRSA_CA_EXPIRE the CA certificate validity period.

* EASYRSA_CERT_EXPIRE the entity certificate validity period.


> 
> # How many days until the next CRL publish date? Note that the CRL can still
> # be parsed after this timeframe passes. It is only used for an expected next
> # publication date.
> #
> #set_var EASYRSA_CRL_DAYS 180
> 
> Isn't the last one dealing with client cert revocations?
> 
> Does it imply some automatic renewal of the revocations such that one does not
> have to build and copy a new crl file every now and then even if no new user
> logins have to be revoked to keep the server operational at all?
> 
> In easy-rsa2 there was no way to update a crl file without also revoking an
> additional user and the whole server locked up after a very short time of a
> month or so.....
> 
> I had to disable crl handling for that very reason....
> 

* EASYRSA_CRL_DAYS the CRL validity period.

If you have a very static PKI then this can be a little irritating,
however, the default 180 days is the recommended value.


CRL validity period explained:

If you revoke a certificate but forget to generate a new CRL then
the revoked cert. will still be allowed to connect.

Having a very short validity period for the CRL is a security measure,
when it kicks in it ensures that the admin updates to a new CRL.

The essential knowledge (Which you seem to not understand) is:

The certificate remains unchanged by being revoked, only the CRL is
aware of which certificates are valid versus those that are revoked.

(This is unlike certificate expiry because the 'not-after' field,
encoded INSIDE the certificate, denotes when the certificate expires.)

Therefore, if you intend to revoke certificates (as opposed to all
the other options that OpenVPN has available) then you MUST keep your
CRL up-to-date.

EasyRSA-3 "could" also be like EasyRSA-2 and do an automatic 'gen-crl'
when a certificate is revoked. However, at this time it does not.

It does come with this helpful message after a successful revoke:

----
                              * IMPORTANT *

Revocation was successful. You must run 'gen-crl' and upload a new CRL to your
infrastructure in order to prevent the revoked certificate from being accepted."
----

HTH

Richard
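To make the point of the reply concrete, here is a small added model (written for this thread, not OpenVPN's or EasyRSA's own code) of the three checks a VPN server applies when a client presents a certificate: the 'not-after' date carried inside the certificate, the revoked serials listed in the CRL the server has loaded, and the CRL's own nextUpdate (EASYRSA_CRL_DAYS, 180 by default). The scenario function walks through the thread's two situations: a revoke without 'gen-crl', where the old CRL still admits the client, and a CRL left past its nextUpdate, where every client is refused, which is the "whole server locked up" symptom from the question. The assumption that an expired CRL causes the server to reject all clients matches what the original poster observed; the dates and serials are constructed sample values.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed illustration of the verification logic discussed in the thread.
# Not OpenVPN's or EasyRSA's code; dates and serial numbers are made up.


@dataclass(frozen=True)
class Certificate:
    serial: int
    not_before: datetime
    not_after: datetime  # the 'not-after' field lives INSIDE the certificate


@dataclass
class CRL:
    this_update: datetime
    next_update: datetime  # set from EASYRSA_CRL_DAYS when the CRL is generated
    revoked: frozenset = field(default_factory=frozenset)


def gen_crl(revoked_serials, now, crl_days=180):
    """Model of 'easyrsa gen-crl': snapshot the CA's revocation list into a
    CRL whose nextUpdate is now + EASYRSA_CRL_DAYS (default 180 days)."""
    return CRL(this_update=now,
               next_update=now + timedelta(days=crl_days),
               revoked=frozenset(revoked_serials))


def evaluate(cert, crl, now):
    """Return 'ok' or the reason a connection is rejected.

    A CRL whose nextUpdate has passed is treated as invalid, so with a stale
    CRL loaded the server refuses every client, revoked or not (assumption
    matching the behaviour described in the thread)."""
    if not (cert.not_before <= now <= cert.not_after):
        return "rejected: certificate expired (not-after is inside the cert)"
    if crl is not None:
        if now > crl.next_update:
            return "rejected: CRL has expired; every client is refused until a new CRL is published"
        if cert.serial in crl.revoked:
            return "rejected: certificate revoked"
    return "ok"


def days_until_crl_expiry(crl, now):
    """Whole days left before the loaded CRL passes its nextUpdate; a cron job
    alerting on this is the defender's way to avoid the lock-out."""
    return (crl.next_update - now).days


def scenario():
    t0 = datetime(2023, 3, 1, tzinfo=timezone.utc)
    client = Certificate(serial=0x1001, not_before=t0,
                         not_after=t0 + timedelta(days=825))  # EASYRSA_CERT_EXPIRE default
    ca_revoked = set()
    crl = gen_crl(ca_revoked, t0)  # first CRL, nextUpdate = t0 + 180 days
    results = {}
    results["initial"] = evaluate(client, crl, t0 + timedelta(days=1))

    # Admin revokes the cert but forgets 'gen-crl': the certificate itself is
    # unchanged and the server's copy of the CRL knows nothing about it.
    ca_revoked.add(client.serial)
    results["revoked_no_gen_crl"] = evaluate(client, crl, t0 + timedelta(days=10))

    # After 'gen-crl' and uploading the new CRL, the revocation takes effect.
    crl = gen_crl(ca_revoked, t0 + timedelta(days=10))
    results["revoked_after_gen_crl"] = evaluate(client, crl, t0 + timedelta(days=11))

    # A different, un-revoked client connects fine while the CRL is fresh ...
    other = Certificate(serial=0x1002, not_before=t0,
                        not_after=t0 + timedelta(days=825))
    results["other_fresh_crl"] = evaluate(other, crl, t0 + timedelta(days=100))

    # ... but once nextUpdate passes (180 days after gen-crl) nobody gets in.
    results["other_stale_crl"] = evaluate(other, crl, t0 + timedelta(days=200))

    # Ten days before that happens a monitoring check would report 20 days left.
    results["warn_days"] = days_until_crl_expiry(crl, t0 + timedelta(days=170))
    return results


if __name__ == "__main__":
    for step, outcome in scenario().items():
        print(f"{step:>22}: {outcome}")
```

The ordering in evaluate() is the practical lesson of the reply: revoking changes nothing in the client's certificate, so only a freshly published CRL can refuse it, and the same CRL's nextUpdate is a deadline for the admin rather than for the clients. Regenerating the CRL on a schedule shorter than EASYRSA_CRL_DAYS, even when nothing new was revoked, keeps the server operational.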



_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
