On Thu, 02 Mar 2023 14:01:24 +0000, tincantech via Openvpn-users <openvpn-users@lists.sourceforge.net> wrote:
> ------- Original Message -------
> On Thursday, March 2nd, 2023 at 10:12, Bo Berglund <bo.bergl...@gmail.com> wrote:
>
>
>> I have downloaded easy-rsa3 version to my OpenVPN server for testing.
>> I did so using wget on the v3.1.2/EasyRSA-3.1.2.tgz file below Releases at
>> GitHub.
>>
>> When I read the vars.example file I see that most of what I had to do in the
>> vars file before is not really needed anymore. :-)
>>
>> But there are a couple of things regarding certs I don't understand fully so
>> would like to get explained:
>>
>> # In how many days should the root CA key expire?
>> #
>> #set_var EASYRSA_CA_EXPIRE 3650
>>
>> Obviously based on earlier discussions here about looming expirations I would
>> like to do this to raise the time to 20 years:
>>
>> set_var EASYRSA_CA_EXPIRE 7300
>>
>> However, the following seems also to be involved with expirations but I don't
>> know for sure what to do...
>>
>> Do I need to also set these to 7300 to get a 20 year "working time"?
>>
>> # In how many days should certificates expire?
>> #
>> #set_var EASYRSA_CERT_EXPIRE 825
>
>
> This seems to me to be self-explanatory:
>
> * EASYRSA_CA_EXPIRE the CA certificate validity period.
>
> * EASYRSA_CERT_EXPIRE the entity certificate validity period.

I have no real knowledge of what these files do, except I have understood that
CA is used to validate to the client somehow. How that relates to CERT is
unknown by me.
I just set this up a number of years ago following a then valid how-to and
later I have figured out that in a couple of years or so the server will no
longer work unless I do something about CA expiration.
That is why I got confused by the easy-rsa3 default having different times for
CA and CERT.

>
>> # How many days until the next CRL publish date? Note that the CRL can still
>> # be parsed after this timeframe passes. It is only used for an expected next
>> # publication date.
>> #
>> #set_var EASYRSA_CRL_DAYS 180
>>
>> Isn't the last one dealing with client cert revocations?
>>
>> Does it imply some automatic renewal of the revocations such that one does not
>> have to build and copy a new crl file every now and then even if no new user
>> logins have to be revoked to keep the server operational at all?
>>
>> In easy-rsa2 there was no way to update a crl file without also revoking an
>> additional user and the whole server locked up after a very short time of a
>> month or so.....
>>
>> I had to disable crl handling for that very reason....
>>
>
> * EASYRSA_CRL_DAYS the CRL validity period.
>
> If you have a very static PKI then this can be a little irritating,
> however, the default 180 days is the recommended value.

I "solved" the problem in the server by switching from:

crl-verify <path-to>/crl.pem

to

client-config-dir /etc/openvpn/ccdw

and putting files with disabled in them into that dir and named as the common
name of clients to block.
So no need for the crl anymore.

>
> CRL validity period explained:
>
> If you revoke a certificate but forget to generate a new CRL then
> the revoked cert. will still be allowed to connect.
>
> Having a very short validity period for the CRL is a security measure,
> when it kicks in it ensures that the admin updates to a new CRL.
>
> The essential knowledge (Which you seem to not understand) is:
>
> The certificate remains unchanged by being revoked, only the CRL is
> aware of which certificates are valid versus those that are revoked.
>
> (This is unlike certificate expiry because the 'not-after' field,
> encoded INSIDE the certificate, denotes when the certificate expires.)
>
> Therefore, if you intend to revoke certificates (as opposed to all
> the other options that OpenVPN has available) then you MUST keep your
> CRL up-to-date.
>
> EasyRSA-3 "could" also be like EasyRSA-2 and do an automatic 'gen-crl'
> when a certificate is revoked. However, at this time it does not.
>
> It does come with this helpful message after a successful revoke:
>
> ----
>  * IMPORTANT *
>
> Revocation was successful. You must run 'gen-crl' and upload a new CRL to your
> infrastructure in order to prevent the revoked certificate from being
> accepted."
> ----

Just asking about crl out of curiosity and to update my own OpenVPN-Config.md
file where I keep notes concerning the server handling.

Thanks for the reply!
I will go back to your earlier comments regarding switching to easy-rsa3 now
especially concerning how to migrate existing files from 2 to 3.
And how to switch the server without having to replace all of the files
including the client ovpn files..

PS: I saw you are the guy maintaining easy-rsa by the messages on GitHub. DS

-- 
Bo Berglund
Developer in Sweden


_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
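Added example, not part of the thread and not easy-rsa or OpenVPN code: a small Go program that plays through the three timers tincantech explains above (EASYRSA_CA_EXPIRE, EASYRSA_CERT_EXPIRE, EASYRSA_CRL_DAYS) with a constructed toy CA built on Go's crypto/x509. The names NewPKI, GenCRL, CheckClient and the Status* values are this example's own, the day counts are the vars.example defaults quoted in the thread, and the assumed server behaviour is the one described there: expiry is read from the notAfter field inside the certificate, revocation is known only to the CRL, and a CRL whose nextUpdate has passed blocks every client until a new one is published.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Day counts: the easy-rsa vars.example defaults quoted in the thread. Status* names are this example's own.
const (
	caExpireDays   = 3650 // EASYRSA_CA_EXPIRE
	certExpireDays = 825  // EASYRSA_CERT_EXPIRE
	crlDays        = 180  // EASYRSA_CRL_DAYS
	StatusOK          = "ok"
	StatusRevoked     = "revoked"      // serial is listed in a current CRL
	StatusCRLStale    = "crl-stale"    // CRL nextUpdate has passed: nobody gets in
	StatusCertExpired = "cert-expired" // notAfter inside the certificate has passed
)

type PKI struct { // constructed toy CA (not easy-rsa) holding one issued client cert
	caKey  *ecdsa.PrivateKey
	CA     *x509.Certificate
	Client *x509.Certificate
}

// must panics on error; it is used only in fixture setup.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// sign issues tmpl for pub, signed with parentKey, and returns it parsed.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey))))
}

// NewPKI builds the CA and issues one client cert, both dated from now.
func NewPKI(now time.Time) *PKI {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example CA"},
		NotBefore: now, NotAfter: now.Add(caExpireDays * 24 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		// crlSign is mandatory: CreateRevocationList rejects an issuer without it.
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	ca := sign(caTmpl, caTmpl, &caKey.PublicKey, caKey) // self-signed root
	clientKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	client := sign(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "client1"},
		NotBefore: now, NotAfter: now.Add(certExpireDays * 24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature,
	}, ca, &clientKey.PublicKey, caKey)
	return &PKI{caKey: caKey, CA: ca, Client: client}
}

// GenCRL plays easy-rsa's 'gen-crl': a CRL listing the revoked serials, good for crlDays.
func (p *PKI) GenCRL(issued time.Time, revoked ...*big.Int) ([]byte, error) {
	var entries []pkix.RevokedCertificate
	for _, s := range revoked {
		entries = append(entries, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: issued})
	}
	return x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(issued.Unix()), ThisUpdate: issued,
		NextUpdate: issued.Add(crlDays * 24 * time.Hour), RevokedCertificates: entries,
	}, p.CA, p.caKey)
}

// CheckClient is what a server running with 'crl-verify' decides at time now.
func (p *PKI) CheckClient(cert *x509.Certificate, crlDER []byte, now time.Time) (string, error) {
	if err := cert.CheckSignatureFrom(p.CA); err != nil {
		return "", err
	}
	if now.After(cert.NotAfter) { // expiry is encoded inside the certificate itself
		return StatusCertExpired, nil
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return "", err
	}
	if err := crl.CheckSignatureFrom(p.CA); err != nil {
		return "", err
	}
	if now.After(crl.NextUpdate) { // stale CRL: the server then rejects every client
		return StatusCRLStale, nil
	}
	for _, rc := range crl.RevokedCertificates { // revocation lives only in the CRL
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return StatusRevoked, nil
		}
	}
	return StatusOK, nil
}
```

With a fresh CRL the client is accepted. Regenerate the CRL with the client's serial and CheckClient reports revoked while the certificate bytes are untouched; hand it the old CRL instead and the same client is accepted again, which is the "forgot gen-crl and upload" case from the revoke message. Present the old CRL 181 days after it was made and even an unrevoked client gets crl-stale, the lock-up remembered from easy-rsa2. From day 826 the answer is cert-expired no matter how new the CRL is. Deriving the CRL number from the issue time is a shortcut for this example; OpenSSL-based tooling keeps a counter instead.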