
[Openvpn-users] RE: certificate has expired


  • Subject: [Openvpn-users] RE: certificate has expired
  • From: "Mark Dootson" <spamdog@xxxxxxxxxxx>
  • Date: Wed, 26 May 2004 15:50:02 +0100
  • Importance: Normal

Hi,

The default_crl_days has nothing to do with your 'certificate expired'
message. Check the dates on your cert and the date on the system you are
validating it on. I would guess the date was incorrectly set either on the
system where you created the cert or on the system you are validating it on.
Time to issue another cert!

A CRL is a Certificate Revocation List. When you issue a cert for, say, 365
days, it's useful to have a method whereby you can revoke its validity before
it expires, for example if it is compromised (password stolen, etc.). So the
Certificate Authority (you in this case) issues a Revocation List
periodically listing which certs have been revoked.
The client application doesn't want to have to look for a new list every
time it validates a cert so each Revocation list has an expiry date. The
'default_crl_days' param in the config file just specifies the default
lifetime of any CRLs you might issue if you don't set an explicit expiry
date.

OpenVPN doesn't check CRLs by default. You have to explicitly use the
--crl-verify option in your config file. (And, of course, issue CRLs.)

If you'd like to know how to issue CRLs and manage your certs/keys in
general, see http://www.openssl.org/docs/apps/ca.html

Good Luck!


Mark
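
The distinction drawn in the message above, as an added example that is not part of the original post: the script builds a throwaway CA certificate (365 days) and a CRL whose lifetime comes from default_crl_days (30 days), then validates the certificate as systems with different clock settings would. It assumes an openssl command line that supports `verify -attime` and `-CRLfile`; the CA name, paths and lifetimes are constructed for the demonstration.

```shell
#!/bin/sh
# Constructed demo: the CA name, paths and lifetimes are made up for illustration.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway CA cert valid for 365 days, plus a CRL whose lifetime comes
# from default_crl_days (30 days) in a minimal `openssl ca` config.
build_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Constructed Demo CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
    : > "$WORK/index.txt"            # empty CA database: nothing revoked
    cat > "$WORK/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database         = $WORK/index.txt
default_md       = sha256
default_crl_days = 30
EOF
    openssl ca -gencrl -config "$WORK/ca.cnf" -keyfile "$WORK/ca.key" \
        -cert "$WORK/ca.crt" -out "$WORK/crl.pem" 2>/dev/null
}

# verify_at DAYS: validate the cert with CRL checking, as seen by a system
# whose clock is DAYS away from ours. Certificate date errors are reported
# in preference to CRL date errors when both occur.
verify_at() {
    when=$(( $(date +%s) + $1 * 86400 ))
    out=$(openssl verify -attime "$when" -crl_check \
        -CAfile "$WORK/ca.crt" -CRLfile "$WORK/crl.pem" \
        "$WORK/ca.crt" 2>&1) || true
    case $out in
        *"certificate has expired"*)      echo cert-expired ;;
        *"certificate is not yet valid"*) echo cert-not-yet-valid ;;
        *"CRL has expired"*)              echo crl-expired ;;
        *": OK"*)                         echo ok ;;
        *)                                echo "other: $out" ;;
    esac
}

build_pki
for d in -2 0 60 400; do
    printf '%4s days: %s\n' "$d" "$(verify_at "$d")"
done
```

The 60-day case fails only because `-crl_check` is given; without it the CRL and its lifetime are never consulted.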


