On Fri, 24 Feb 2023 11:05:57 +0100, Gert Doering <g...@greenie.muc.de> wrote:
>Hi,
>
>On Fri, Feb 24, 2023 at 10:58:06AM +0100, Bo Berglund wrote:
>> And why is there an expiration of the crl file to begin with?
>
>I explained that, but that mail seems to have been lost - it's because
>the assumption of the security folks (outside OpenVPN control) is that
>*if* you have a CRL, you want that CRL to be up-to-date at all times.
>
>The assumption is "if something in the CRL producing process fails, and
>no new CRL can be generated, better assume that everything should be
>disallowed than let someone unauthorized in".
>

So that would mean that I have to basically:

- Symlink the crl file to the /etc/openvpn/keys dir:
  sudo ln -sf /usr/local/share/openvpn/easy-rsa/keys/crl.pem /etc/openvpn/keys/crl.pem
- Create a script that refreshes the crl file
- Run that from cron at an interval that is less than the expire time

However, I have not seen a command to actually *refresh* the crl.pem file
just to add a new revoked client...

The script to "refresh" the crl.pem file:
-----------
#!/bin/bash
cd /usr/local/share/openvpn/easy-rsa
source vars
./revoke-full <what do I put here to just refresh the pem file?>
exit 0
-----------

I tried "revoke-full" without argument but it showed an error...

Is there an openssl command to just refresh the file's expiry date?

I tried to read the expiry date of the pem file like I can a crt file but
failed; is there a command to do so?

-- 
Bo Berglund
Developer in Sweden

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
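An added example for the two questions in the message above (reading a CRL's expiry, and regenerating the CRL without revoking anything), not code from the thread or from Easy-RSA itself; it assumes the Easy-RSA 2 layout used in the post, that `vars` exports KEY_CONFIG (the openssl.cnf path) as Easy-RSA 2 does, and GNU date for parsing the openssl date string:

```shell
#!/bin/bash
# Added example: renew an Easy-RSA 2 CRL from cron before it expires.
# Assumed paths (override via environment); not part of the original post.
EASYRSA_DIR=${EASYRSA_DIR:-/usr/local/share/openvpn/easy-rsa}
CRL=${CRL:-$EASYRSA_DIR/keys/crl.pem}
MIN_SECONDS_LEFT=${MIN_SECONDS_LEFT:-86400}   # regenerate when < 1 day remains

# Strip the "nextUpdate=" prefix from the line openssl prints, e.g.
# "nextUpdate=Mar  5 10:00:00 2023 GMT" -> "Mar  5 10:00:00 2023 GMT".
next_update_value() {
    echo "${1#nextUpdate=}"
}

# Seconds from now until the given openssl-style date string (GNU date -d).
# Negative means the date is already in the past.
seconds_until() {
    local when now
    when=$(date -u -d "$1" +%s) || return 1
    now=$(date -u +%s)
    echo $(( when - now ))
}

# Read the CRL's nextUpdate field (the CRL equivalent of a cert's notAfter)
# and report how long it stays valid.
crl_seconds_left() {
    local line
    line=$(openssl crl -in "$1" -noout -nextupdate) || return 1
    seconds_until "$(next_update_value "$line")"
}

# Re-sign the CRL from the CA's index without revoking anything; this is the
# same openssl step revoke-full runs after it revokes a certificate.
regenerate_crl() {
    ( cd "$EASYRSA_DIR" && source ./vars >/dev/null &&
      openssl ca -config "$KEY_CONFIG" -gencrl -out "$CRL" )
}

main() {
    local left
    left=$(crl_seconds_left "$CRL") || { echo "cannot read $CRL" >&2; return 1; }
    echo "CRL nextUpdate is $left seconds away"
    if [ "$left" -lt "$MIN_SECONDS_LEFT" ]; then
        regenerate_crl && echo "CRL regenerated"
    fi
}

# cron entry: /path/to/this/script --run  (no args = define functions only)
if [ "${1:-}" = "--run" ]; then main; fi
```

OpenVPN re-reads the CRL file on each client connection, so the symlink from the post keeps pointing at the freshly written file.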