I am currently experimenting with my self signed CA.

But in order for my devices to work I need a valid CRL.

I set the CDP to one of the CDN hosting providers. As I have only 5 certificates issued I have little chance of getting one of them revoked, so I would like to issue a long validity CRL and update it as I need it.

How can I do that with OpenSSL and how is the default expiration calculated?

I see that the crlnumber file increases and certutil displays something like

Base CRL(1014) time:11
sebix
manatails
    I'm not sure I'm understanding exactly what you want to do but default_crl_days is specified in the openssl.cnf and is 30 by default and can be passed as args to the 'openssl ca' command – Martin Mar 03 '15 at 23:52

1 Answer

The default is 30 days.

To change the nextUpdate field, you may use the -crldays option of the openssl ca command like this:

openssl ca -gencrl -crldays 120 -config /path/to/openssl.conf -keyfile /path/to/private/key.file -passin pass:plaintextpassword -out /path/to/crl.pem

If you don't want to pass this option every time the CRL is generated, set default_crl_days in openssl.cnf instead: the shipped value is "default_crl_days = 30" (which is where the 30-day default comes from), and you can change it to whatever you want.

Bruno Mairlot
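The answer's command in runnable form, as an added example that is not from the original post: it builds a throwaway CA in a temporary directory (the config, file names and CA name are constructed for the demo), issues a CRL with -crldays 120, and reads the nextUpdate field back with openssl crl to confirm the validity period; calling gen_crl with no argument shows the 30-day default_crl_days fallback. It assumes the openssl CLI and GNU date are on PATH.

```shell
#!/bin/sh
# Demo (constructed, not from the original post): minimal CA + long-lived CRL.
# Assumes the openssl CLI and GNU date (for 'date -d') are on PATH.
set -e

CA_DIR="${CA_DIR:-$(mktemp -d)}"   # throwaway working directory

# Create what 'openssl ca -gencrl' needs: a database (index.txt), a CRL
# number file, a config with a [ ca ] section, and a self-signed CA cert/key.
setup_ca() {
  : > "$CA_DIR/index.txt"
  echo 1000 > "$CA_DIR/crlnumber"           # hex serial for the next CRL
  cat > "$CA_DIR/openssl.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $CA_DIR
database = \$dir/index.txt
crlnumber = \$dir/crlnumber
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
default_md = sha256
default_crl_days = 30
[ req ]
prompt = no
distinguished_name = dn
[ dn ]
CN = Demo CA (constructed)
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config "$CA_DIR/openssl.cnf" \
    -keyout "$CA_DIR/ca.key" -out "$CA_DIR/ca.crt" 2>/dev/null
}

# Issue a CRL; $1 = validity in days (omit it to fall back to default_crl_days).
gen_crl() {
  openssl ca -gencrl ${1:+-crldays $1} -config "$CA_DIR/openssl.cnf" \
    -out "$CA_DIR/crl.pem" 2>/dev/null
}

# Days between the CRL's lastUpdate and nextUpdate, i.e. its validity period.
crl_validity_days() {
  last=$(openssl crl -in "$CA_DIR/crl.pem" -noout -lastupdate | cut -d= -f2)
  next=$(openssl crl -in "$CA_DIR/crl.pem" -noout -nextupdate | cut -d= -f2)
  echo $(( ($(date -u -d "$next" +%s) - $(date -u -d "$last" +%s)) / 86400 ))
}

# Stand-alone run: DEMO=1 ./crl_demo.sh builds the CA and prints the validity.
if [ "${DEMO:-0}" = 1 ]; then
  setup_ca; gen_crl 120; crl_validity_days   # prints 120
fi
```

Re-running gen_crl before nextUpdate passes is all that is needed to publish a fresh CRL after a revocation; the crlnumber file is incremented on each run.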