Hi,

because you state that you have only three clients to maintain I would recommend you update your EasyRSA to version 3: https://github.com/OpenVPN/easy-rsa/releases

A lot of work has gone into this, including new recommended security settings and other functionality. There is no specific update path from EasyRSA 2.x to 3.x but you should have no trouble making the change. Be sure to back up your current PKI.

Regards

On 11/03/2019 14:55, Bonno Bloksma wrote:
> Hi,
>
> Got bitten (twice) with the problem that the new OpenVPN version DEMANDS an up2date CRL file. However, I am still using easyrsa v2.2 and it has no gen-crl command. I created a copy of revoke-full and deleted the revoke stuff so it just creates a new crl file. So far, that works.
>
> But..... this crl is only valid for one month, how do I create one that is valid for a looong time? What do I need to change in this line?
>
> $OPENSSL ca -gencrl -out "$CRL" -config "$KEY_CONFIG"
>
> for the crl file to be valid for something like 5 years?
>
> I have almost no key updates, this is a static environment with currently just 3 links, so just a few keys/certs that will never change. I control all clients so I could even just delete a key on the client if I don't want to use it anymore. Only when I suspect some foul play would I ever need to revoke a key.
>
> Bonno Bloksma
>
> _______________________________________________
> Openvpn-users mailing list
> Openvpn-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openvpn-users
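An added example, not part of either message and not EasyRSA code: the `-gencrl` call from the question with OpenSSL's `-crldays` option (not mentioned in the thread) set on a throwaway CA, plus helpers that read `lastUpdate`/`nextUpdate` so CRL expiry can be checked before OpenVPN starts rejecting connections. The CA name, temp paths and function names are constructed for the example; it assumes the `openssl` CLI and GNU `date`.

```shell
#!/bin/sh
# Added example: throwaway CA in a temp dir; all names and paths are constructed.
# Assumes the openssl CLI and GNU date (for `date -d`).

make_long_crl() {            # $1 = CRL lifetime in days; prints path of the CRL
    days="$1"
    dir=$(mktemp -d) || return 1
    : > "$dir/index.txt"     # empty CA database: nothing revoked yet
    echo 01 > "$dir/crlnumber"
    cat > "$dir/ca.cnf" <<EOF
[ req ]
distinguished_name = dn
[ dn ]
commonName = Common Name
[ ca ]
default_ca = CA_default
[ CA_default ]
database = $dir/index.txt
certificate = $dir/ca.crt
private_key = $dir/ca.key
crlnumber = $dir/crlnumber
default_md = sha256
default_crl_days = 30
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config "$dir/ca.cnf" \
        -subj "/CN=Constructed Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1 || return 1
    # -crldays on the command line overrides default_crl_days from the config
    openssl ca -gencrl -crldays "$days" -config "$dir/ca.cnf" \
        -out "$dir/crl.pem" >/dev/null 2>&1 || return 1
    echo "$dir/crl.pem"
}

crl_epoch() {                # $1 = CRL file, $2 = -lastupdate or -nextupdate
    line=$(openssl crl -in "$1" -noout "$2") || return 1
    date -u -d "${line#*=}" +%s
}

crl_lifetime_days() {        # nextUpdate minus lastUpdate, in whole days
    echo $(( ( $(crl_epoch "$1" -nextupdate) - $(crl_epoch "$1" -lastupdate) ) / 86400 ))
}

crl_days_left() {            # whole days until the CRL expires
    echo $(( ( $(crl_epoch "$1" -nextupdate) - $(date -u +%s) ) / 86400 ))
}
```

With a multi-year CRL, a revocation only takes effect once a freshly generated CRL is copied to the server, so `crl_days_left` is best run from a scheduled job that alerts well before the value reaches zero.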