I have downloaded easy-rsa3 version to my OpenVPN server for testing. I did so using wget on the v3.1.2/EasyRSA-3.1.2.tgz file below Releases at GitHub.
When I read the vars.example file I see that most of what I had to do in the vars file before is not really needed anymore. :-)

But there are a couple of things regarding certs I don't understand fully so would like to get explained:

# In how many days should the root CA key expire?
#
#set_var EASYRSA_CA_EXPIRE 3650

Obviously based on earlier discussions here about looming expirations I would like to do this to raise the time to 20 years:

set_var EASYRSA_CA_EXPIRE 7300

However, the following seems also to be involved with expirations but I don't know for sure what to do...
Do I need to also set these to 7300 to get a 20 year "working time"?

# In how many days should certificates expire?
#
#set_var EASYRSA_CERT_EXPIRE 825

# How many days until the next CRL publish date? Note that the CRL can still
# be parsed after this timeframe passes. It is only used for an expected next
# publication date.
#
#set_var EASYRSA_CRL_DAYS 180

Isn't the last one dealing with client cert revocations?
Does it imply some automatic renewal of the revocations such that one does not have to build and copy a new crl file every now and then even if no new user logins have to be revoked to keep the server operational at all?

In easy-rsa2 there was no way to update a crl file without also revoking an additional user and the whole server locked up after a very short time of a month or so.....
I had to disable crl handling for that very reason....

--
Bo Berglund
Developer in Sweden
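
Added example, not part of the original post and not Easy-RSA's own code: a small shell check that reports which of the three lifetimes quoted above are actually in effect in a vars file, treating "#set_var" lines as inactive defaults. The function names effective_var and expiry_report are hypothetical, and the sample file is constructed from the lines in the post.

```shell
#!/bin/sh
# Added example, not Easy-RSA code. The defaults (3650, 825, 180) are the
# commented-out values from vars.example quoted in the post above.

# effective_var FILE NAME DEFAULT
# Prints the value of the first uncommented "set_var NAME value" line, or
# DEFAULT when only the commented "#set_var" form is present.
# Assumption: each setting is assigned at most once in the file.
effective_var() {
    awk -v name="$2" -v def="$3" '
        $1 == "set_var" && $2 == name && !found { val = $3; found = 1 }
        END { print (found ? val : def) }
    ' "$1"
}

# expiry_report FILE
# Prints the three lifetimes in effect and flags a certificate lifetime
# longer than the CA lifetime (a chain cannot validate past CA expiry).
expiry_report() {
    ca=$(effective_var "$1" EASYRSA_CA_EXPIRE 3650)
    cert=$(effective_var "$1" EASYRSA_CERT_EXPIRE 825)
    crl=$(effective_var "$1" EASYRSA_CRL_DAYS 180)
    for v in "$ca" "$cert" "$crl"; do
        case $v in ''|*[!0-9]*) echo "ERROR: non-numeric value '$v'"; return 2 ;; esac
    done
    echo "EASYRSA_CA_EXPIRE=$ca days"
    echo "EASYRSA_CERT_EXPIRE=$cert days"
    echo "EASYRSA_CRL_DAYS=$crl days"
    if [ "$cert" -gt "$ca" ]; then
        echo "WARN: certificates would outlive the CA by $((cert - ca)) days"
    fi
}

# Constructed sample: the vars lines from the post, CA lifetime raised to 7300.
tmp=$(mktemp)
trap 'rm -f "$tmp"' EXIT
cat > "$tmp" <<'EOF'
#set_var EASYRSA_CA_EXPIRE 3650
set_var EASYRSA_CA_EXPIRE 7300
#set_var EASYRSA_CERT_EXPIRE 825
#set_var EASYRSA_CRL_DAYS 180
EOF
expiry_report "$tmp"
```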