From: Tobias Heider
Subject: Re: ikectl revoke: do not hardcode crl lifetime
To: Pascal Stumpf
Cc: tech@openbsd.org
Date: Thu, 12 Dec 2024 13:36:48 +0100

On Wed, Nov 27, 2024 at 04:59:49PM GMT, Pascal Stumpf wrote:
> CRL lifetime is supposedly configurable via ikeca.cnf. However, the
> default "revoke" command in ikectl overrides this to 365 days.
>
> ok?

Looks correct, thanks!
ok tobhe@

>
>
> Index: ikeca.c
> ===================================================================
> RCS file: /home/cvs/src/usr.sbin/ikectl/ikeca.c,v
> diff -u -p -r1.51 ikeca.c
> --- ikeca.c	23 Jan 2021 22:04:55 -0000	1.51
> +++ ikeca.c	25 Nov 2024 16:49:26 -0000
> @@ -1034,7 +1034,7 @@ ca_revoke(struct ca *ca, char *keyname)
>  		err(1, "%s: snprintf", __func__);
>  	char *cmd[] = { PATH_OPENSSL, "ca", "-config", ca->sslcnf,
>  	    "-keyfile", cakey, "-passin", ca->passfile, "-gencrl",
> -	    "-cert", cacrt, "-crldays", "365", "-out", path, ca->batch, NULL };
> +	    "-cert", cacrt, "-out", path, ca->batch, NULL };
>  	ca_execv(cmd);
>
>  	return (0);
>
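Review bot: dropping "-crldays", "365" from the cmd[] array in ca_revoke() makes the CRL lifetime depend entirely on the default_crl_days setting in the configuration passed via "-config", ca->sslcnf; openssl ca -gencrl needs a lifetime from either the command line or that configuration and refuses to write a CRL when neither is present, so confirm that the ikeca.cnf shipped with ikectl sets default_crl_days (or document that an operator must), otherwise "revoke" fails where it used to succeed. Since that value becomes the CRL's nextUpdate and thereby bounds how long relying parties keep honouring a stale CRL, the config default deserves the same scrutiny the old hardcoded 365 days got.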