CRL Expiration

I have my own root certificate authority that I use to sign my personal SSL certificates (for my Exchange server, other internal web servers, etc.).  I’ve noticed that I’ve been getting warnings in Google Chrome that the browser is unable to check the CRL (Certificate Revocation List).  To my knowledge, the CRL is basically just a list of revoked certificates, signed by the CA and stored in some accessible location (like on a web server).  These errors were confusing, however, because I do have a CRL published where the SSL certs say it is, and the browser is able to fetch the CRL file stored there.  Being the perfectionist that I am, I had to solve this problem.

After looking into file extensions, MIME types, and making the location accessible from the Internet, I was looking through my OpenSSL configuration and came across this line:

default_crl_days= 365                   # how long before next CRL

I had never generated a new CRL since I tested it initially when I set up all of my internal PKI stuff.  (I have maybe 15 SSL certs, all of which are on systems I control, so I’ve never had a reason to revoke one for real.)  So, it was a couple of years old at this point.  I regenerated the CRL, published it at the right location, and cleared the cache in Chrome.  After doing that, the CRL warning went away.
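The setting above controls the nextUpdate field written into the CRL: once that date is in the past, a client that fetches the file treats it as stale, which is why a CRL can be reachable and still fail the check. The script below is an added example (not from the original post) that builds a throwaway CA in a temp directory, generates a CRL with `openssl ca -gencrl`, and reads nextUpdate back with `openssl crl` so the remaining lifetime can be checked before anyone notices a browser warning. The config file, paths and the "Demo Root CA" name are all constructed for this example; an existing CA would only need the `crl_days_remaining` and `crl_is_current` helpers pointed at its real CRL file.

```shell
#!/bin/sh
# Added example: issue a CRL from a scratch CA and check its nextUpdate.
set -e

WORK=$(mktemp -d)                       # throwaway CA directory (constructed)
trap 'rm -rf "$WORK"' EXIT

# Minimal openssl.cnf for the "ca" command. default_crl_days is the same
# knob the post describes; -crldays on the command line overrides it.
cat > "$WORK/openssl.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir              = $WORK
database         = \$dir/index.txt
new_certs_dir    = \$dir
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/ca.crt
private_key      = \$dir/ca.key
default_md       = sha256
default_crl_days = 365
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = Demo Root CA
EOF
touch "$WORK/index.txt"
echo 1000 > "$WORK/serial"
echo 1000 > "$WORK/crlnumber"

# Self-signed root key and certificate for the demo CA (constructed).
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
  -config "$WORK/openssl.cnf" -subj "/CN=Demo Root CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1

# gen_crl OUTFILE DAYS: (re)issue the CRL with the given validity in days.
# Re-running this is the "regenerate the CRL" step from the post.
gen_crl() {
  openssl ca -config "$WORK/openssl.cnf" -gencrl -crldays "$2" -out "$1" 2>/dev/null
}

# crl_next_update_epoch FILE: print the CRL's nextUpdate as a Unix timestamp.
# GNU date is tried first; the second form is the BSD/macOS fallback.
crl_next_update_epoch() {
  next=$(openssl crl -in "$1" -noout -nextupdate | sed 's/^nextUpdate=//')
  date -u -d "$next" +%s 2>/dev/null \
    || date -ju -f "%b %e %H:%M:%S %Y %Z" "$next" +%s
}

# crl_days_remaining FILE [NOW_EPOCH]: whole days until nextUpdate
# (negative once the CRL has expired). NOW_EPOCH defaults to the current time.
crl_days_remaining() {
  now=${2:-$(date -u +%s)}
  echo $(( ( $(crl_next_update_epoch "$1") - now ) / 86400 ))
}

# crl_is_current FILE [NOW_EPOCH]: exit 0 while nextUpdate is still ahead of
# NOW_EPOCH, 1 once it has passed (the state that produced the Chrome warning).
crl_is_current() {
  now=${2:-$(date -u +%s)}
  [ "$(crl_next_update_epoch "$1")" -gt "$now" ]
}

# Usage: issue a one-year CRL and report how much life it has left.
gen_crl "$WORK/ca.crl" 365
openssl crl -in "$WORK/ca.crl" -noout -lastupdate -nextupdate
echo "days until this CRL goes stale: $(crl_days_remaining "$WORK/ca.crl")"
```

A cron job that runs `crl_days_remaining` against the published file and re-issues the CRL when the count drops below, say, 30 days avoids the situation in the post entirely; the CRL number in `crlnumber` is incremented on every `-gencrl`, so clients can tell the fresh copy from the old one.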

Not sure how I would have learned this had I not come across that line in the config.  You learn something new every day. 🙂
