Once a CRL, Always a CRL?

[Kevin K]

I wanted to practice using a CRL, to ensure I knew how it worked. So I put a CRL in the "Certificate Revocation List (Optional)" field of OpenVPN setup. It blocked the certificate, as expected.

Then, I rebuilt my OpenVPN setup from scratch with a new CA. Since I didn't have any certs to revoke, I left "Certificate Revocation List (Optional)" empty. But the firmware insists on adding "crl-verify crl.pem" to my config.ovpn file and all my connections fail until I expire a certificate.

It looks like once a CRL is used it cannot be cleared via the UI. How do I tell it I've rebuilt everything and I no longer want to provide a CRL?

 

[L&LD]

How did you rebuild the OpenVPN instance?

 

[Fitz Mutch]

Whenever I make a new root CA, the first thing is to create a dummy cert and revoke it. Now the CRL is non-empty and it will work.

 

[Kevin K]

How did you rebuild the OpenVPN instance?

I pressed Default and then Apply on the main VPN window, after emptying the fields in the Keys and Certification window. I also tried doing that and deleting the files in /etc/openvpn/server1.

I'm aware that I can create a valid CRL and paste it. I'd like to find some way to set OpenVPN back to its original state, short of loading factory defaults for the entire router. Not truly getting back to the initial state for OpenVPN prevents good QA of any related tutorial/doc I write.

It isn't a deal killer. But if I failed to set OpenVPN back to its 'clean' state and there's a way to do that (without factory-defaulting the entire router), I'd like to learn it.

I did check these nvram variables, and they are empty:

• vpn_crt_server1_crl
• vpn_crt_server2_crl
  

 

[Fitz Mutch]

I'd like to find some way to set OpenVPN back to its original state, ...

On my router, the OpenVPN server certs are stored here:
/jffs/openvpn