<feed xmlns='http://www.w3.org/2005/Atom'>
<title>vyos-1x.git/src/migration-scripts/pki, branch rolling</title>
<subtitle>VyOS command definitions, scripts, and utilities (mirror of https://github.com/vyos/vyos-1x.git)
</subtitle>
<id>https://git.amelek.net/vyos/vyos-1x.git/atom?h=rolling</id>
<link rel='self' href='https://git.amelek.net/vyos/vyos-1x.git/atom?h=rolling'/>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/'/>
<updated>2026-05-13T16:52:04+00:00</updated>
<entry>
<title>T8492: CRL generated by VyOS PKI lacks X.509 extensions required for strongSwan validation</title>
<updated>2026-05-13T16:52:04+00:00</updated>
<author>
<name>Nataliia Solomko</name>
<email>natalirs1985@gmail.com</email>
</author>
<published>2026-05-13T14:10:46+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=0284f31bb99bbe2fad9fda9cf99d73e4fa3d2dfd'/>
<id>urn:sha1:0284f31bb99bbe2fad9fda9cf99d73e4fa3d2dfd</id>
<content type='text'>
Previously generated CRLs were missing the Authority Key Identifier and
CRL Number extensions required by strongSwan for certificate revocation
validation. Without these extensions, strongSwan silently ignores the CRL,
allowing revoked certificates to authenticate successfully.
The migration regenerates existing CRLs for all CAs that have a private
key available. CAs with passphrase-protected keys are skipped with a
warning, as the passphrase cannot be provided non-interactively
</content>
</entry>
</feed>
