On Mon, 2002-07-29 at 20:28, James Yonan wrote:
> Hi Bradley,
>
> I haven't heard of this problem before. I have personally been running
> keys which were generated by the scripts in the "easy-rsa" directory, and
> those keys have been working fine for quite a bit more than 30 days.
>
> Have you done anything with these default settings in the openssl.cnf file:
>
> default_days = 365 # how long to certify for
> default_crl_days= 30 # how long before next CRL

I modified it based on your howto or some other SSL doc I read when I was
trying to set it up:

default_days = 1000 # how long to certify for
default_crl_days= 30 # how long before next CRL

> Maybe somehow default_crl_days is kicking in?

Entirely possible. :)

> Also, the default -days parameter for openssl req -x509 is 30. I don't know
> if you explicitly used -days when you generated the cert.
>
> Try the following:
>
> openssl x509 -inform PEM -text -in my-cert.crt
>
> openssl x509 -inform PEM -text -in my-ca.crt
>
> openssl verify -CAfile my-ca.crt my-cert.crt

The first two give the Not Before and Not After times I specified (1000
days). The verify gives an error 10 at 0 depth lookup:certificate has expired OK

> This should give us some sense of what OpenSSL thinks about the certs,
> independently of OpenVPN.

Indeed it looks as if even while the certs are fine, the CA cert is expired.
Is there a way to refresh or extend the CA cert? If not, I'll change the CA
default_crl_days number.

Thanks all,

--
--Brad
============================================================================
Bradley M. Alexander                | storm [at] debian.org
Debian Developer, Security Engineer | storm [at] tux.org
Debian/GNU Linux Developer          | Visit the 99th VFS website at:
MCO, 99th VFS 'Tuskegee Airmen'     | http://99thvfs-ta.org
============================================================================
Key fingerprints:
DSA 0x54434E65: 37F6 BCA6 621D 920C E02E E3C8 73B2 C019 5443 4E65
RSA 0xC3BCBA91: 3F 0E 26 C1 90 14 AD 0A C8 9C F0 93 75 A0 01 34
============================================================================
Ask people why they have deer heads on their walls and they tell you it's
because they're such beautiful animals. I think my wife is beautiful, but I
only have photographs of her on the wall.
--George Carlin
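
The following is an added example, not part of the original message or of OpenVPN/easy-rsa: it reads the Validity block from `openssl x509 -text` output for every certificate in a chain and reports each one's status at a given time, which makes it visible when a long-lived certificate sits under a CA created with the 30-day `openssl req -x509` default mentioned in the thread. The sample output, dates and check time are constructed, and the names `validity_window` and `check_chain` are hypothetical.

```python
import re
import ssl  # stdlib; cert_time_to_seconds() parses OpenSSL's date format

# Validity block as printed by `openssl x509 -text`.
VALIDITY_RE = re.compile(
    r"Not Before\s*:\s*(.+?)\s*\n\s*Not After\s*:\s*(.+?)\s*(?:\n|$)")

def validity_window(x509_text):
    """Return (not_before, not_after) as epoch seconds (UTC)."""
    m = VALIDITY_RE.search(x509_text)
    if m is None:
        raise ValueError("no Validity block in input")
    return tuple(ssl.cert_time_to_seconds(t) for t in m.groups())

def check_chain(chain, now):
    """chain: [(label, x509 -text output)], leaf first, so index == depth.
    Returns [(depth, label, status)] for every certificate, not just the leaf."""
    report = []
    for depth, (label, text) in enumerate(chain):
        not_before, not_after = validity_window(text)
        if now < not_before:
            status = "not yet valid"
        elif now > not_after:
            status = "expired"
        else:
            status = "valid"
        report.append((depth, label, status))
    return report

# Constructed sample output (not from the thread): a certificate issued for
# 1000 days and a CA created with the 30-day default of `openssl req -x509`.
LEAF_TEXT = """\
        Validity
            Not Before: Jun 25 12:00:00 2002 GMT
            Not After : Mar 21 12:00:00 2005 GMT
"""
CA_TEXT = """\
        Validity
            Not Before: Jun 25 12:00:00 2002 GMT
            Not After : Jul 25 12:00:00 2002 GMT
"""
SAMPLE_CHAIN = [("my-cert.crt", LEAF_TEXT), ("my-ca.crt", CA_TEXT)]
CHECK_TIME = ssl.cert_time_to_seconds("Jul 29 20:28:00 2002 GMT")  # constructed

if __name__ == "__main__":
    for depth, label, status in check_chain(SAMPLE_CHAIN, CHECK_TIME):
        print(f"depth {depth}: {label}: {status}")
```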