> So, if that's the case, what would be the downside of making the
> default_crl_days equal to the validity of the CA itself, for example?
> [e.g. If the CA cert is valid for 100 years, why not set the
> default_crl_days to 36500+/- days too?]
Because some clients won't ch
Hi Gregory,
> -Original Message-
> From: Gregory Sloop
[snip]
> So, I thought - why should I set the default_crl_days to some low
> number. I assume that it [the CRL] can be replaced with a "new" CRL,
> should we need one, long before the default_crl_days li
I don't claim any expertise in this area, but RFC 5280 5.1.2.5 seems pretty
clear:
5.1.2.5 Next Update
This field indicates the date by which the next CRL will be issued.
The next CRL could be issued before the indicated date, but it will
not be issued an
GS> So, I'm working with an EAP-TLS system running under freeradius.
GS> I've set up things to use a CRL [not OCSP] to revoke certificates and
GS> all works well.
GS> However, the parameter default_crl_days=XXX puzzles me.
GS> Through trial and error [mostly error]
So, I'm working with an EAP-TLS system running under freeradius.
I've set up things to use a CRL [not OCSP] to revoke certificates and
all works well.
However, the parameter default_crl_days=XXX puzzles me.
Through trial and error [mostly error] I know that if I don't
regenerat
rds,
Lutz
- Forwarded message from Santhosh AP -
Reply-To: santhosh...@sifycorp.com
From: Santhosh AP
To: r...@openssl.org
Subject: default_crl_days= 365
Date: Tue, 19 Oct 2010 10:16:09 +0530
Hi Team,
We had 1x server in
Forwarded to openssl-users for discussion.
Best regards,
Lutz
-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of Chris Cleeland
> Sent: Monday, May 06, 2002 5:20 PM
> To: [EMAIL PROTECTED]
> Subject: RE: Default_crl_days
>
>
> On Mon, 6 May 2002, Andrew T. Finnell wrote:
>
> > Nope we have our o
r 30 days is the default_crl_days
> which is why I thought it might have to do with that.
If you don't specify the number of days using -days, I believe it defaults to
30 days (as specified in openssl.cfg). Add "-days 365" to that command line
and the expiration should be a ye
Neff,
Nope we have our own script that just uses the openssl tool.
Basically we do .\openssl req -config openssl.cfg -newkey
dsa:dsaparam.pem -x509 -nodes -out cacert.pem -keyout cakey.pem In our
openssl.cfg file the only thing near 30 days is the default_crl_days
which is why I
Sorry, I'm assuming a Windows environment, and the
default file would be testss.bat, not makess.bat.
Sorry for the confusion.
Rob
-Original Message-
From: Neff Robert A [mailto:[EMAIL PROTECTED]]
Sent: Monday, May 06, 2002 3:54 PM
To: '[EMAIL PROTECTED]'
Subject: RE: D
PROTECTED]]
Sent: Monday, May 06, 2002 3:37 PM
To: 'OpenSSL User'
Subject: Default_crl_days
We are having a problem with our certificates becoming invalid in 30
days for our custom application. I looked at the openssl.cfg file we use
when creating our self-CA and certificate/key pairs and the
We are having a problem with our certificates becoming invalid in 30
days for our custom application. I looked at the openssl.cfg file we use
when creating our self-CA and certificate/key pairs and the only thing
that stands out to me is default_crl_days being set to 30 days. Could
someone tell