[Openvpn-users] RE: RE: certificate has expired

  • Subject: [Openvpn-users] RE: RE: certificate has expired
  • From: venne <richard@xxxxxxxxxxxxxxxxx>
  • Date: Tue, 01 Jun 2004 15:34:29 +0200

It appears a bit clearer. In fact, I had:

expiry delay 365 days
and CRL delay 30 days.

When I set the expiry period to 36500 days, the generated certificate would be expired in 1968! Google says that's an OpenSSL time bug. So I set it to 10000 days (about 30 years, I think).

Thanks a lot for your help.

richard venne
01 43 27 94 24


The default_crl_days has nothing to do with your 'certificate expired'
message. Check the dates on your cert and the date on the system you are
validating it on. I would guess the date was incorrectly set either on the
system where you created the cert or on the system you are validating it on.
Time to issue another cert!

A CRL is a Certificate Revocation List. When you issue a cert for say, 365
days, it's useful to have a method whereby you can revoke its validity before
it expires. For example, if it is compromised (password stolen, etc). So the
Certificate Authority (you in this case) issues a Revocation List
periodically listing which certs have been revoked.
The client application doesn't want to have to look for a new list every
time it validates a cert so each Revocation list has an expiry date. The
'default_crl_days' param in the config file just specifies the default
lifetime of any CRLs you might issue if you don't set an explicit expiry

OpenVPN doesn't check CRLs by default. You have to explicitly use the
--crl-verify option in your config file. (And, of course, issue CRLs)

If you'd like to know how to issue CRLs and manage your certs/keys in
general see http://www.openssl.org/docs/apps/ca.html

Good Luck!
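An added example, not part of the original thread: it shows how a 36500-day validity requested in June 2004 can come out as a 1968 expiry date, assuming the "time bug" mentioned above is a signed 32-bit seconds-since-1970 counter overflowing (the thread does not confirm the cause). The issue date and the function names are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
INT32_MAX = 2**31 - 1  # last second a signed 32-bit time value can hold (2038-01-19)

# Constructed issue date, taken from the date of the message above.
ISSUED = datetime(2004, 6, 1, tzinfo=timezone.utc)


def wrap_int32(value):
    """Reduce an integer to signed 32-bit two's complement, as an overflow would."""
    return (value + 2**31) % 2**32 - 2**31


def not_after(issued, days, time_bits=64):
    """Expiry date for a validity of `days`, computed with a 64- or 32-bit counter."""
    seconds = int((issued - EPOCH).total_seconds()) + days * 86400
    if time_bits == 32:
        seconds = wrap_int32(seconds)  # assumption: the tool stores time in 32 bits
    return EPOCH + timedelta(seconds=seconds)


def max_safe_days(issued):
    """Longest validity, in days, that still fits in a signed 32-bit time value."""
    start = int((issued - EPOCH).total_seconds())
    return (INT32_MAX - start) // 86400


def is_expired(expiry, now):
    """The check a verifier performs: expired once the clock passes notAfter."""
    return now > expiry


if __name__ == "__main__":
    for days in (365, 10000, 36500):
        wide = not_after(ISSUED, days, 64)
        narrow = not_after(ISSUED, days, 32)
        state = "EXPIRED on issue" if is_expired(narrow, ISSUED) else "ok"
        print(f"{days:>6} days: 64-bit {wide:%Y-%m-%d}  32-bit {narrow:%Y-%m-%d}  {state}")
    print("largest validity without wrap:", max_safe_days(ISSUED), "days")
```

With a 32-bit counter any validity that reaches past January 2038 wraps into the past, so the certificate is rejected as expired the moment it is issued.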

