I am currently experimenting with my self-signed CA.
But in order for my devices to work I need a valid CRL.
I set the CDP to one of the CDN hosting providers.
As I have only 5 certificates issued, I have little chance of getting one of them revoked, so I would like to issue a long-validity CRL and update it as I need it.
How can I do that with OpenSSL and how is the default expiration calculated?
I see that the crlnumber file increases and certutil displays something like:
Base CRL(1014) time:11
Best Answer
The default is 30 days.
To change the nextUpdate field, you may use the -crldays option of the openssl ca command like this:
If you don't want to specify this every time the CRL is generated, you can set it in openssl.cnf via "default_crl_days = 30" (this is the default setting) and change the value to whatever you want.
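A worked check of both settings from the answer above, as an added example that is not part of the original post: it builds a throwaway CA in a temporary directory, issues one CRL using `default_crl_days` from the config and one with `-crldays 365`, and reads back the resulting lastUpdate/nextUpdate gap. The CA name, file layout and function names are constructed for illustration; it assumes OpenSSL and GNU `date` are installed.

```shell
# Added example: throwaway CA; all names and paths below are constructed.
set -eu

make_test_ca() {                  # prints the directory holding the test CA
  local d; d=$(mktemp -d)
  cat > "$d/ca.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
database         = $d/index.txt
crlnumber        = $d/crlnumber
certificate      = $d/ca.crt
private_key      = $d/ca.key
default_md       = sha256
default_crl_days = 30
[ req ]
prompt             = no
distinguished_name = dn
[ dn ]
CN = Constructed Test CA
EOF
  : > "$d/index.txt"              # empty database: nothing revoked yet
  echo 01 > "$d/crlnumber"        # incremented by every -gencrl run
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$d/ca.cnf" \
    -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
  echo "$d"
}

# crl_days DIR [DAYS]: issue a CRL (optionally overriding the config with
# -crldays) and print the whole days between lastUpdate and nextUpdate.
crl_days() {
  local d=$1 last next
  openssl ca -config "$d/ca.cnf" -gencrl ${2:+-crldays "$2"} \
    -out "$d/crl.pem" 2>/dev/null
  last=$(openssl crl -in "$d/crl.pem" -noout -lastupdate | cut -d= -f2)
  next=$(openssl crl -in "$d/crl.pem" -noout -nextupdate | cut -d= -f2)
  echo $(( ($(date -u -d "$next" +%s) - $(date -u -d "$last" +%s)) / 86400 ))
}

ca_dir=$(make_test_ca)
echo "default_crl_days from config: $(crl_days "$ca_dir") days"
echo "with -crldays 365:            $(crl_days "$ca_dir" 365) days"
echo "next crlnumber:               $(cat "$ca_dir/crlnumber")"
```

Running `openssl crl -noout -nextupdate` against the file actually served from the CDP is a quick way to confirm that relying devices will see the lifetime you intended.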