So, I'm working with an EAP-TLS system running under FreeRADIUS.

I've set things up to use a CRL [not OCSP] to revoke certificates and
all works well.

However, the parameter default_crl_days=XXX puzzles me.

Through trial and error [mostly error] I know that if I don't
regenerate the CRL every default_crl_days, the CRL expires and then
FreeRADIUS won't auth anything at all.

So, I thought - why should I set the default_crl_days to some low
number. I assume that it [the CRL] can be replaced with a "new" CRL,
should we need one, long before the default_crl_days limit is reached.
Is that correct?

So, if that's the case, what would be the downside of making the
default_crl_days equal to the validity of the CA itself, for example?
[e.g. If the CA cert is valid for 100 years, why not set the
default_crl_days to 36500+/- days too?]

I assume there's some other use, other than EAP-TLS, where doing this
might be a bad plan, but I'm afraid I can't think of one in the
EAP-TLS context with FreeRADIUS. Am I missing something?

[And I'd be glad to be pointed to another context, if there is one,
where setting a very long-ish default_crl_days would be bad - even if
it's fine in the setting I'm discussing. Knowing would be good
education.]

TIA

-Greg


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
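An added example (mine, not Greg's and not code from the FreeRADIUS or OpenSSL projects) that reproduces the behaviour described in the post with a throwaway CA: default_crl_days in the CA section of the config becomes the CRL's nextUpdate; once that instant passes, OpenSSL's CRL-checked verification (the check an EAP-TLS server built on OpenSSL relies on) rejects every certificate with "CRL has expired", not just revoked ones; `openssl ca -gencrl -crldays N` overrides the default for a single CRL; and a freshly published CRL replaces the old one no matter how far off the previous nextUpdate was, so a revocation still takes effect under a 36500-day nextUpdate. The ca.cnf, names and paths below are constructed for the demo, and `openssl verify -attime` stands in for waiting for the CRL to lapse. It needs a reasonably current `openssl` (1.1.1 or 3.x) on PATH.

```shell
#!/bin/sh
# Added example, not from the original post or the FreeRADIUS/OpenSSL projects.
# Builds a throwaway CA (all names, paths and the ca.cnf are constructed here)
# and shows what default_crl_days really sets: the CRL's nextUpdate.
set -eu

# Write a minimal openssl.cnf-style CA config into $1 with default_crl_days = $2.
write_ca_cnf() {
    cat > "$1/ca.cnf" <<EOF
[ ca ]
default_ca       = demo_ca
[ demo_ca ]
dir              = $1
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/ca.pem
private_key      = \$dir/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = $2
policy           = demo_policy
x509_extensions  = client_cert
[ demo_policy ]
commonName       = supplied
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
[ client_cert ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature
extendedKeyUsage = clientAuth
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
EOF
}

# Create the CA in $1, issue one supplicant cert and publish the first CRL
# using default_crl_days = $2.
build_demo_ca() {
    mkdir -p "$1/newcerts"
    : > "$1/index.txt"
    echo 1000 > "$1/serial"
    echo 1000 > "$1/crlnumber"
    write_ca_cnf "$1" "$2"
    # Root valid for ten years, so the CA lifetime is never what expires here.
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 -config "$1/ca.cnf" \
        -subj "/CN=Demo EAP-TLS CA" -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
    # One client certificate, the kind a supplicant presents in EAP-TLS.
    openssl req -new -newkey rsa:2048 -nodes -config "$1/ca.cnf" \
        -subj "/CN=laptop-01" -keyout "$1/client.key" -out "$1/client.csr" 2>/dev/null
    openssl ca -batch -notext -config "$1/ca.cnf" \
        -in "$1/client.csr" -out "$1/client.pem" 2>/dev/null
    regen_crl "$1" ""
}

# Publish a new CRL. Empty $2: the config's default_crl_days applies;
# otherwise -crldays $2 overrides it for this one CRL.
regen_crl() {
    if [ -n "$2" ]; then
        openssl ca -config "$1/ca.cnf" -gencrl -crldays "$2" -out "$1/crl.pem" 2>/dev/null
    else
        openssl ca -config "$1/ca.cnf" -gencrl -out "$1/crl.pem" 2>/dev/null
    fi
}

# Mark the client cert revoked in the CA database; a new CRL must still be published.
revoke_client() {
    openssl ca -config "$1/ca.cnf" -revoke "$1/client.pem" 2>/dev/null
}

# Print the CRL's nextUpdate: the deadline after which every CRL-checked auth fails.
crl_next_update() {
    openssl crl -in "$1" -noout -nextupdate | sed 's/^nextUpdate=//'
}

# Validate the client cert with CRL checking as of time $2 (epoch seconds).
# Prints OK on success, otherwise OpenSSL's verify reason; exit status 0/1.
verify_at() {
    out=$(openssl verify -crl_check -attime "$2" -CAfile "$1/ca.pem" \
              -CRLfile "$1/crl.pem" "$1/client.pem" 2>&1) && { echo OK; return 0; }
    printf '%s\n' "$out" | sed -n 's/^error [0-9]* at [0-9]* depth lookup: *//p' | head -n 1
    return 1
}

demo() {
    d=$(mktemp -d); now=$(date +%s); later=$((now + 30 * 86400))
    build_demo_ca "$d" 7
    echo "default_crl_days = 7 -> nextUpdate: $(crl_next_update "$d/crl.pem")"
    echo "verify today:      $(verify_at "$d" "$now" || true)"
    echo "verify in 30 days: $(verify_at "$d" "$later" || true)"
    revoke_client "$d"; regen_crl "$d" 36500
    echo "-crldays 36500       -> nextUpdate: $(crl_next_update "$d/crl.pem")"
    echo "verify in 30 days: $(verify_at "$d" "$later" || true)"
    rm -rf "$d"
}
demo
```

The first verify succeeds, the second fails with "CRL has expired" even though neither the client certificate nor the CA has expired: nextUpdate is the only freshness deadline the relying party has, and OpenSSL treats a stale CRL as a hard failure rather than as "no revocation information". After the revoke and the 36500-day CRL, the same future-dated check reports "certificate revoked", which is the point of the question: the long nextUpdate stops the CRL from going stale but does nothing to stop a newer CRL from taking effect. The caveat a practitioner should keep in mind is that nextUpdate is also the hint a caching relying party uses to decide when to refetch; a 100-year value tells anything that caches CRLs (a proxy, a second RADIUS server, a client doing its own checks) that it never needs to look again, so only parties that actively reload the file will see a revocation.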
