Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Certificate Revocation List Max. Lifetime

    Scheduled Pinned Locked Moved General pfSense Questions
    13 Posts 3 Posters 1.4k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • johnpozJ
      johnpoz LAYER 8 Global Moderator
      last edited by johnpoz

      Really with all the new limits being reduced... 398 is prob the longest you should be able to create a cert for.. If new cert and longer than that your browser will balk at you.. If you have current browser, etc.

      https://support.apple.com/en-us/HT211025

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

      1 Reply Last reply Reply Quote 1
      • RicoR
        Rico LAYER 8 Rebel Alliance
        last edited by

        Thanks for your answers. As I said, just asking for my understanding...
        BTW, e.g. OpenVPN does not really care about Cert lifetimes AFAIK.
        Lets assume I'd revoke a 36500 days lifetime User Cert used in OpenVPN. He would be able to login again after 10000 days and I couldn't do anything about it besides creating a new CA? Only talking about the Certs part here, not disabling the User account and so on...

        -Rico

        1 Reply Last reply Reply Quote 0
        • johnpozJ
          johnpoz LAYER 8 Global Moderator
          last edited by

          @Rico said in Certificate Revocation List Max. Lifetime:

          He would be able to login again after 10000 days

          So in 27 years ;) You think that will be an issue?

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

          RicoR 1 Reply Last reply Reply Quote 0
          • jimpJ
            jimp Rebel Alliance Developer Netgate
            last edited by

            You'd have to check it to try but I would hope that when testing against an expired CRL, it would fail to validate anything because the CRL itself no longer validates.

            Remember: Upvote with the ๐Ÿ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

            Need help fast? Netgate Global Support!

            Do not Chat/PM for help!

            1 Reply Last reply Reply Quote 1
            • RicoR
              Rico LAYER 8 Rebel Alliance @johnpoz
              last edited by

              No, in 27 years I'm retired anyway @johnpoz โ˜บ
              @jimp I'm going to try this, thanks.

              How does the Lifetime even start counting? CRL creation date? CA "Valid From"? Cert "Valid From"?
              I can't find anything related in the docs. ๐Ÿ˜Œ

              Small offtopic: And what's the point of creating multiple CRLs for the same CA?

              Thanks again guys. ๐Ÿ˜Š

              -Rico

              jimpJ 1 Reply Last reply Reply Quote 0
              • jimpJ
                jimp Rebel Alliance Developer Netgate @Rico
                last edited by

                @Rico said in Certificate Revocation List Max. Lifetime:

                How does the Lifetime even start counting? CRL creation date? CA "Valid From"? Cert "Valid From"?

                The life of the CRL itself. It isn't related in any way to the life of the CA or certs.

                I can't find anything related in the docs.

                That would be in OpenSSL docs (or general x.509 docs)

                Small offtopic: And what's the point of creating multiple CRLs for the same CA?

                You might be using multiple OpenVPN instances and revoke a cert from one but not the other. Not a great way to segment but still a valid use case.

                Remember: Upvote with the ๐Ÿ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

                Need help fast? Netgate Global Support!

                Do not Chat/PM for help!

                1 Reply Last reply Reply Quote 1
                • RicoR
                  Rico LAYER 8 Rebel Alliance
                  last edited by

                  I still feel stupid about the CRL part.
                  With a new CRL created I only see

                  	<crl>
                  		<refid>5e87623f8cd1e</refid>
                  		<descr><![CDATA[test_ca_crl]]></descr>
                  		<caref>5e8761f2c85ec</caref>
                  		<method>internal</method>
                  		<serial>9999</serial>
                  		<lifetime>1</lifetime>
                  	</crl>
                  

                  How does the CRL know the creation time?

                  -Rico

                  1 Reply Last reply Reply Quote 0
                  • jimpJ
                    jimp Rebel Alliance Developer Netgate
                    last edited by

                    Every time the firewall refreshes the CRL it makes a new copy with the lifetime starting at that point.

                    To check the start/end time you'd need to get the text of the CRL and run it through OpenSSL to dump the properties.

                    Remember: Upvote with the ๐Ÿ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

                    Need help fast? Netgate Global Support!

                    Do not Chat/PM for help!

                    1 Reply Last reply Reply Quote 0
                    • RicoR
                      Rico LAYER 8 Rebel Alliance
                      last edited by

                      So with a lifetime set to 9999 days every firewall reboot or hitting the "Export CRL" button (WebGUI) would reset the lifetime back to 9999 ?

                      -Rico

                      1 Reply Last reply Reply Quote 0
                      • jimpJ
                        jimp Rebel Alliance Developer Netgate
                        last edited by

                        Any time anything refreshes the CRL, including OpenVPN or IPsec restarts, changes to the CRL, etc.

                        Remember: Upvote with the ๐Ÿ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

                        Need help fast? Netgate Global Support!

                        Do not Chat/PM for help!

                        1 Reply Last reply Reply Quote 1
                        • RicoR
                          Rico LAYER 8 Rebel Alliance
                          last edited by

                          Thank you for clearing that up.

                          -Rico

                          1 Reply Last reply Reply Quote 0
                          • First post
                            Last post
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.