Certificate Revocation List Max. Lifetime
-
Hi,
more like a hypothetical question but asking for my understanding.
Why is the CRL lifetime limited to 9999 days?
It's no problem to create Certs or CAs with a 36500 day or more lifetime.-Rico
-
I haven't tested larger values these days but once upon a time the library used to handle CRLs didn't like large lifetimes. Even so, the likelihood of needing a CRL lifetime longer than 27 years seem questionable.
-
Really with all the new limits being reduced... 398 is prob the longest you should be able to create a cert for.. If new cert and longer than that your browser will balk at you.. If you have current browser, etc.
https://support.apple.com/en-us/HT211025
-
Thanks for your answers. As I said, just asking for my understanding...
BTW, e.g. OpenVPN does not really care about Cert lifetimes AFAIK.
Lets assume I'd revoke a 36500 days lifetime User Cert used in OpenVPN. He would be able to login again after 10000 days and I couldn't do anything about it besides creating a new CA? Only talking about the Certs part here, not disabling the User account and so on...-Rico
-
@Rico said in Certificate Revocation List Max. Lifetime:
He would be able to login again after 10000 days
So in 27 years ;) You think that will be an issue?
-
You'd have to check it to try but I would hope that when testing against an expired CRL, it would fail to validate anything because the CRL itself no longer validates.
-
No, in 27 years I'm retired anyway @johnpoz
@jimp I'm going to try this, thanks.How does the Lifetime even start counting? CRL creation date? CA "Valid From"? Cert "Valid From"?
I can't find anything related in the docs.Small offtopic: And what's the point of creating multiple CRLs for the same CA?
Thanks again guys.
-Rico
-
@Rico said in Certificate Revocation List Max. Lifetime:
How does the Lifetime even start counting? CRL creation date? CA "Valid From"? Cert "Valid From"?
The life of the CRL itself. It isn't related in any way to the life of the CA or certs.
I can't find anything related in the docs.
That would be in OpenSSL docs (or general x.509 docs)
Small offtopic: And what's the point of creating multiple CRLs for the same CA?
You might be using multiple OpenVPN instances and revoke a cert from one but not the other. Not a great way to segment but still a valid use case.
-
I still feel stupid about the CRL part.
With a new CRL created I only see<crl> <refid>5e87623f8cd1e</refid> <descr><![CDATA[test_ca_crl]]></descr> <caref>5e8761f2c85ec</caref> <method>internal</method> <serial>9999</serial> <lifetime>1</lifetime> </crl>
How does the CRL know the creation time?
-Rico
-
Every time the firewall refreshes the CRL it makes a new copy with the lifetime starting at that point.
To check the start/end time you'd need to get the text of the CRL and run it through OpenSSL to dump the properties.
-
So with a lifetime set to 9999 days every firewall reboot or hitting the "Export CRL" button (WebGUI) would reset the lifetime back to 9999 ?
-Rico
-
Any time anything refreshes the CRL, including OpenVPN or IPsec restarts, changes to the CRL, etc.
-
Thank you for clearing that up.
-Rico