EAP-TLS - CRL Checking - Expired?
We're using FreeRadius as the EAP server in a wireless environment. All clients have smart cards, so as such we're using EAP-TLS. My question is in relation to CRL checking. I currently download CRLs nightly, but over the weekend it looks like perhaps the CRL download failed as nobody could connect, and in the logs is a series of errors like: Error: --> verify error:num=12:CRL has expired What determines the expire time of a CRL? I noticed that within the CRL there is a Next Update field.. is this what it uses?
"Stephen Bowman" <stephenbb@gmail.com> wrote:
What determines the expire time of a CRL?
No idea... it's an OpenSSL thing. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
Stephen Bowman wrote:
What determines the expire time of a CRL?
I noticed that within the CRL there is a Next Update field.. is this what it uses?
yes. You will probably want to make sure that you generate and distribute new CRLs on a schedule that leaves you with enough time to detect/correct failures before hitting the previous CRL's NextUpdate. --ben
participants (3)
-
Alan DeKok -
Benjamin Bennett -
Stephen Bowman