Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Certificate Revocation List Max. Lifetime

    Scheduled Pinned Locked Moved General pfSense Questions
    13 Posts 3 Posters 1.6k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • jimpJ
      jimp Rebel Alliance Developer Netgate
      last edited by

      I haven't tested larger values these days but once upon a time the library used to handle CRLs didn't like large lifetimes. Even so, the likelihood of needing a CRL lifetime longer than 27 years seem questionable.

      Remember: Upvote with the ๐Ÿ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

      1 Reply Last reply Reply Quote 1
      • johnpozJ
        johnpoz LAYER 8 Global Moderator
        last edited by johnpoz

        Really with all the new limits being reduced... 398 is prob the longest you should be able to create a cert for.. If new cert and longer than that your browser will balk at you.. If you have current browser, etc.

        https://support.apple.com/en-us/HT211025

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        1 Reply Last reply Reply Quote 1
        • RicoR
          Rico LAYER 8 Rebel Alliance
          last edited by

          Thanks for your answers. As I said, just asking for my understanding...
          BTW, e.g. OpenVPN does not really care about Cert lifetimes AFAIK.
          Lets assume I'd revoke a 36500 days lifetime User Cert used in OpenVPN. He would be able to login again after 10000 days and I couldn't do anything about it besides creating a new CA? Only talking about the Certs part here, not disabling the User account and so on...

          -Rico

          1 Reply Last reply Reply Quote 0
          • johnpozJ
            johnpoz LAYER 8 Global Moderator
            last edited by

            @Rico said in Certificate Revocation List Max. Lifetime:

            He would be able to login again after 10000 days

            So in 27 years ;) You think that will be an issue?

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11

            RicoR 1 Reply Last reply Reply Quote 0
            • jimpJ
              jimp Rebel Alliance Developer Netgate
              last edited by

              You'd have to check it to try but I would hope that when testing against an expired CRL, it would fail to validate anything because the CRL itself no longer validates.

              Remember: Upvote with the ๐Ÿ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

              Need help fast? Netgate Global Support!

              Do not Chat/PM for help!

              1 Reply Last reply Reply Quote 1
              • RicoR
                Rico LAYER 8 Rebel Alliance @johnpoz
                last edited by

                No, in 27 years I'm retired anyway @johnpoz โ˜บ
                @jimp I'm going to try this, thanks.

                How does the Lifetime even start counting? CRL creation date? CA "Valid From"? Cert "Valid From"?
                I can't find anything related in the docs. ๐Ÿ˜Œ

                Small offtopic: And what's the point of creating multiple CRLs for the same CA?

                Thanks again guys. ๐Ÿ˜Š

                -Rico

                jimpJ 1 Reply Last reply Reply Quote 0
                • jimpJ
                  jimp Rebel Alliance Developer Netgate @Rico
                  last edited by

                  @Rico said in Certificate Revocation List Max. Lifetime:

                  How does the Lifetime even start counting? CRL creation date? CA "Valid From"? Cert "Valid From"?

                  The life of the CRL itself. It isn't related in any way to the life of the CA or certs.

                  I can't find anything related in the docs.

                  That would be in OpenSSL docs (or general x.509 docs)

                  Small offtopic: And what's the point of creating multiple CRLs for the same CA?

                  You might be using multiple OpenVPN instances and revoke a cert from one but not the other. Not a great way to segment but still a valid use case.

                  Remember: Upvote with the ๐Ÿ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

                  Need help fast? Netgate Global Support!

                  Do not Chat/PM for help!

                  1 Reply Last reply Reply Quote 1
                  • RicoR
                    Rico LAYER 8 Rebel Alliance
                    last edited by

                    I still feel stupid about the CRL part.
                    With a new CRL created I only see

                    	<crl>
                    		<refid>5e87623f8cd1e</refid>
                    		<descr><![CDATA[test_ca_crl]]></descr>
                    		<caref>5e8761f2c85ec</caref>
                    		<method>internal</method>
                    		<serial>9999</serial>
                    		<lifetime>1</lifetime>
                    	</crl>
                    

                    How does the CRL know the creation time?

                    -Rico

                    1 Reply Last reply Reply Quote 0
                    • jimpJ
                      jimp Rebel Alliance Developer Netgate
                      last edited by

                      Every time the firewall refreshes the CRL it makes a new copy with the lifetime starting at that point.

                      To check the start/end time you'd need to get the text of the CRL and run it through OpenSSL to dump the properties.

                      Remember: Upvote with the ๐Ÿ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

                      Need help fast? Netgate Global Support!

                      Do not Chat/PM for help!

                      1 Reply Last reply Reply Quote 0
                      • RicoR
                        Rico LAYER 8 Rebel Alliance
                        last edited by

                        So with a lifetime set to 9999 days every firewall reboot or hitting the "Export CRL" button (WebGUI) would reset the lifetime back to 9999 ?

                        -Rico

                        1 Reply Last reply Reply Quote 0
                        • jimpJ
                          jimp Rebel Alliance Developer Netgate
                          last edited by

                          Any time anything refreshes the CRL, including OpenVPN or IPsec restarts, changes to the CRL, etc.

                          Remember: Upvote with the ๐Ÿ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

                          Need help fast? Netgate Global Support!

                          Do not Chat/PM for help!

                          1 Reply Last reply Reply Quote 1
                          • RicoR
                            Rico LAYER 8 Rebel Alliance
                            last edited by

                            Thank you for clearing that up.

                            -Rico

                            1 Reply Last reply Reply Quote 0
                            • First post
                              Last post
                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.