[I just realized I failed to post this to the list and only to Bonno. Sorry Bonno, you'll get it twice now! :) ]
Probably not the answer you're looking for - but I gave up on EasyRSA a while ago. [It's unevenly updated, had serious problems, was concerned about the default key security (in an earlier version), etc.]

I simply use GNUTLS now - and it will generate certs for all kinds of things. It's kind of a middle ground between EasyRSA and using OpenSSL tools bare. The first is nice, but severely limited. The second is, frankly, nuts. [IMO]

I've created some batch-scripts and I can crank out 30 or 100 keys/certs really quickly. [Not easy using EasyRSA.] I typically use it under Windows, rather than *nix - but it would be easy to transform the scripts to bash, I think. [And probably be a heck of a lot more elegant, since DOS sucks at scripting so badly. (Yeah I could use PS, but that adds a level of complexity I didn't need.)]

I'd be glad to share, if it's something someone's interested in. It will take a little clean-up - but not too much.

---

As an aside and more to the point, there's an expiry date on CRLs too - and it looks like you're running into an expired CRL.

In OVPN setups, I typically use something like [CA/Cert/Key all expire in 10Y or 3650 Days]. The CRL expires in 10Y+1D or 3651 Days. [The CRL may/will outlive the cert/key/ca - but that's fine.]

I think there's a config option in the $KEY_CONFIG to set that - but it's been ages since I tinkered with OpenSSL directly. [And I get confused/lost/lose-interest in the man page in about 12 seconds.]

Cheers!
-Greg

BB> Hi,
BB> Got bitten (twice) with the problem that the new OpenVPN version
BB> DEMANDS an up2date CRL file. However, I am still using easyrsa
BB> v2.2 and it has no gen-crl command.
BB> I created a copy of revoke-full and deleted the revoke stuff so it just creates a new crl file.
BB> So far, that works. But..... this crl is only valid for one
BB> month, how do I create one that is valid for a looong time?
BB> What do I need to change in this line?
BB> $OPENSSL ca -gencrl -out "$CRL" -config "$KEY_CONFIG"
BB> for the crl file to be valid for something like 5 years?
BB> I have almost no key updates, this is a static environment with
BB> currently just 3 links, so just a few keys/certs that will never
BB> change. I control all clients so I could even just delete a key on
BB> the client if I don't want to use it anymore.
BB> Only when I suspect some foul play would I ever need to revoke a key.
BB> Bonno Bloksma
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
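Added example, not part of the original thread or of EasyRSA: OpenSSL's `ca` command takes its CRL lifetime from `default_crl_days` in its config section, and `-crldays` on the command line overrides it. The script below builds a throwaway CA in a temp directory (all file names and the `demo` section are constructed for illustration, and GNU `date` is assumed), issues a CRL with a chosen lifetime, and reads back how many days remain before its nextUpdate, which is the value to monitor so the CRL never expires unnoticed.

```shell
#!/bin/sh
# Added example: throwaway CA only; file names and the "demo" section are constructed.

# days_until "<date string>" [now_epoch] -> whole days from now until that date (GNU date)
days_until() {
    end=$(date -u -d "$1" +%s) || return 2
    now=${2:-$(date -u +%s)}
    echo $(( (end - now) / 86400 ))
}

# crl_days_left <crl.pem> -> whole days until the CRL's nextUpdate field
crl_days_left() {
    nu=$(openssl crl -in "$1" -noout -nextupdate) || return 2
    days_until "${nu#nextUpdate=}"
}

# make_demo_crl <dir> <days>: create a throwaway CA and a CRL valid for <days> days
make_demo_crl() {
    d=$1
    mkdir -p "$d" && : > "$d/index.txt" || return 2
    # default_crl_days = 30 mirrors a one-month CRL; -crldays below overrides it
    cat > "$d/ca.cnf" <<EOF
[ ca ]
default_ca = demo
[ demo ]
database = $d/index.txt
default_md = sha256
default_crl_days = 30
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=demo-ca" -days 3650 \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null || return 2
    openssl ca -gencrl -config "$d/ca.cnf" -cert "$d/ca.crt" \
        -keyfile "$d/ca.key" -crldays "$2" -out "$d/crl.pem" 2>/dev/null
}

# Demo: issue a 3651-day CRL from the throwaway CA and report its remaining life.
if command -v openssl >/dev/null 2>&1; then
    tmp=$(mktemp -d) && make_demo_crl "$tmp" 3651 &&
        echo "CRL valid for $(crl_days_left "$tmp/crl.pem") more days"
    rm -rf "$tmp"
fi
```

Pointing `crl_days_left` at the CRL file the OpenVPN server actually loads and alerting when the result drops below a threshold catches an expiring CRL before clients start being rejected.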