It appears a bit clearer. In fact, I had:
an expiry period of 365 days and a CRL period of 30 days.
When I set the expiry period to 36500 days, the generated certificate would expire in 1968! Google says that's an OpenSSL time bug. So I set it to 10000 days (about 30 years, I think).
Thanks a lot for your help.
-- richard venne dental-on-line 01 43 27 94 24
The default_crl_days has nothing to do with your 'certificate expired' message. Check the dates on your cert and the date on the system you are validating it on. I would guess the date was incorrectly set either on the system where you created the cert or on the system you are validating it on. Time to issue another cert!
A CRL is a Certificate Revocation List. When you issue a cert for, say, 365 days, it's useful to have a method whereby you can revoke its validity before it expires, for example if it is compromised (password stolen, etc.). So the Certificate Authority (you in this case) issues a Revocation List periodically, listing which certs have been revoked. The client application doesn't want to have to look for a new list every time it validates a cert, so each Revocation List has an expiry date. The 'default_crl_days' param in the config file just specifies the default lifetime of any CRLs you might issue if you don't set an explicit expiry date.
OpenVPN doesn't check CRLs by default. You have to explicitly use the --crl-verify option in your config file. (And, of course, issue CRLs.)
If you'd like to know how to issue CRLs and manage your certs/keys in general, see http://www.openssl.org/docs/apps/ca.html
____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users
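Added example, not part of the original thread: assuming the "time bug" mentioned above is a signed 32-bit time_t wrapping past January 2038, this sketch shows why a 36500-day validity can produce a notAfter in 1968 while 10000 days does not. The 2004 issue date is constructed for illustration; the thread does not state one.

```python
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
INT32_MAX = 2**31 - 1  # largest value a signed 32-bit time_t can hold


def wrap_int32(seconds: int) -> int:
    """Reduce a second count the way a signed 32-bit time_t overflows."""
    return (seconds + 2**31) % 2**32 - 2**31


def not_after(issued: datetime, days: int, time_t_bits: int = 32) -> datetime:
    """notAfter for a certificate issued at `issued` and valid for `days` days."""
    seconds = int((issued - EPOCH).total_seconds()) + days * 86400
    if time_t_bits == 32:
        seconds = wrap_int32(seconds)
    # EPOCH + timedelta handles pre-1970 results on every platform.
    return EPOCH + timedelta(seconds=seconds)


def max_safe_days(issued: datetime) -> int:
    """Longest validity, in whole days, that still fits a signed 32-bit time_t."""
    return (INT32_MAX - int((issued - EPOCH).total_seconds())) // 86400


def report(issued: datetime, days: int) -> str:
    """One summary line comparing the 32-bit and 64-bit results."""
    end32, end64 = not_after(issued, days, 32), not_after(issued, days, 64)
    state = "WRAPPED, cert already expired" if end32 != end64 else "ok"
    return f"{days:>6} days: 32-bit {end32:%Y-%m-%d}  64-bit {end64:%Y-%m-%d}  {state}"


if __name__ == "__main__":
    issued = datetime(2004, 6, 1, tzinfo=timezone.utc)  # constructed issue date
    for days in (365, 10000, 36500):
        print(report(issued, days))
    print("largest safe value:", max_safe_days(issued), "days")
```

On the system that validates the certificate, `openssl x509 -noout -dates -in <cert>` shows the notBefore and notAfter values actually written into it.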