Re: [Openvpn-users] Expired key?


  • Subject: Re: [Openvpn-users] Expired key?
  • From: Bradley Alexander <storm@xxxxxxx>
  • Date: 29 Jul 2002 21:55:02 -0400

On Mon, 2002-07-29 at 20:28, James Yonan wrote:
> Hi Bradley,
> 
> I haven't heard of this problem before.  I have personally been running
> keys which were generated by the scripts in the "easy-rsa" directory, and
> those keys have been working fine for quite a bit more than 30 days.
> 
> Have you done anything with these default settings in the openssl.cnf file:
> 
> default_days = 365   # how long to certify for
> default_crl_days= 30   # how long before next CRL

I modified it based on your howto or some other SSL doc I read when I
was trying to set it up:

default_days    = 1000                  # how long to certify for
default_crl_days= 30                    # how long before next CRL

> Maybe somehow default_crl_days is kicking in?

Entirely possible. :)
 
> Also, the default -days parameter for openssl req -x509 is 30.  I don't know
> if you explicitly used -days when you generated the cert.
> 
> Try the following:
> 
> openssl x509 -inform PEM  -text -in my-cert.crt
> 
> openssl x509 -inform PEM  -text -in my-ca.crt
> 
> openssl verify -CAfile my-ca.crt my-cert.crt

The first two give the Not Before and Not After times I specified (1000
days). The verify gives a 

error 10 at 0 depth lookup:certificate has expired
OK

> This should give us some sense of what OpenSSL thinks about the certs,
> independently of OpenVPN.

Indeed it looks as if even while the certs are fine, the CA cert is
expired. Is there a way to refresh or extend the CA cert? If not, I'll
change the CA default_crl_days number. 
 
Thanks all,
-- 
--Brad
============================================================================
Bradley M. Alexander                |   storm [at] debian.org
Debian Developer, Security Engineer |   storm [at] tux.org
Debian/GNU Linux Developer          | Visit the 99th VFS website at:
MCO, 99th VFS 'Tuskegee Airmen'     |   http://99thvfs-ta.org
============================================================================
Key fingerprints:
DSA 0x54434E65: 37F6 BCA6 621D 920C E02E  E3C8 73B2 C019 5443 4E65
RSA 0xC3BCBA91: 3F 0E 26 C1 90 14 AD 0A  C8 9C F0 93 75 A0 01 34
============================================================================
Ask people why they have deer heads on their walls and they tell you
it's because they're such beautiful animals. I think my wife is
beautiful, but I only have photographs of her on the wall.
						--George Carlin
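
An added example, not part of the original message or of OpenVPN: it builds a throwaway CA valid for 30 days and a client certificate valid for 1000 days, then uses `openssl x509 -checkend` and `openssl verify -attime` to show which certificate of the pair runs out first. The subject names, the temp-directory layout and the 31-day look-ahead are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example (constructed data): throwaway CA and client cert in a temp dir.

# Build a CA valid 30 days and a client cert valid 1000 days in directory $1.
make_demo_chain() {
    d=$1
    # -days 30 is spelled out; it matches the `req -x509` default quoted in the thread.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo CA" \
        -keyout "$d/my-ca.key" -out "$d/my-ca.crt" 2>/dev/null || return 1
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-client" \
        -keyout "$d/my-cert.key" -out "$d/my-cert.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/my-cert.csr" -CA "$d/my-ca.crt" -CAkey "$d/my-ca.key" \
        -CAcreateserial -days 1000 -out "$d/my-cert.crt" 2>/dev/null || return 1
}

# Succeeds if certificate $1 is still inside its validity period $2 days from now.
valid_in_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Verify cert $2 against CA $1 as if the clock were $3 days ahead.
# Prints the first "depth lookup" error line, or nothing when the chain verifies.
# Depth 0 is the certificate named on the command line, depth 1 is its issuer.
verify_in_days() {
    at=$(( $(date +%s) + $3 * 86400 ))
    openssl verify -attime "$at" -CAfile "$1" "$2" 2>&1 | grep 'depth lookup' | head -n 1
}

# Report the end date of each certificate and what verification says 31 days ahead.
report() {
    for f in "$1/my-ca.crt" "$1/my-cert.crt"; do
        printf '%s: ' "$f"; openssl x509 -in "$f" -noout -enddate
        valid_in_days "$f" 31 || echo "  -> expires within 31 days"
    done
    echo "verify, 31 days ahead: $(verify_in_days "$1/my-ca.crt" "$1/my-cert.crt" 31)"
}

demo=$(mktemp -d) && make_demo_chain "$demo" && report "$demo"
rm -rf "$demo"
```

Running `valid_in_days` against production certificates from a scheduled job gives warning of an approaching CA expiry before clients start failing verification.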