This script helps to regenerate CRL whenever is expires. Copy it into the Easy-RSA root, e.g. /etc/openvpn/easy-rsa and use it like the all other Easy-RSA scripts:
# source vars
# ./regen-crlTo run it automagically at every day, just put this into /etc/cron.daily:
#!/bin/bash
cd /etc/openvpn/easy-rsa
source vars
./regen-crlAnd that's all!
This script and its documentation is licensed under the terms of Creative Commons BY-SA 4.0 license.
Copyright © Gabor Garami 2020
| #!/bin/sh | |
| ## Copyright (c) Gabor Garami 2020 | |
| CRL="crl.pem" | |
| RT="revoke-test.pem" | |
| if [ "$KEY_DIR" ]; then | |
| cd "$KEY_DIR" | |
| rm "$RT" | |
| export KEY_CN="" | |
| export KEY_OU="" | |
| export KEY_NAME="" | |
| # required due to hack in openssl.cnf that supports Subject Alternative Names | |
| export KEY_ALTNAMES="" | |
| # generate a new CRL -- try to be compatible with | |
| # intermediate PKIs | |
| $OPENSSL ca -gencrl -out "$CRL" -config "$KEY_CONFIG" | |
| if [ -e export-ca.crt ]; then | |
| cat export-ca.crt "$CRL" >"$RT" | |
| else | |
| cat ca.crt "$CRL" >"$RT" | |
| fi | |
| else | |
| echo 'Please source the vars script first (i.e. "source ./vars")' | |
| echo 'Make sure you have edited it to reflect your configuration.' | |
| fi |