From 0284f31bb99bbe2fad9fda9cf99d73e4fa3d2dfd Mon Sep 17 00:00:00 2001 From: Nataliia Solomko Date: Wed, 13 May 2026 17:10:46 +0300 Subject: T8492: CRL generated by VyOS PKI lacks X.509 extensions required for strongSwan validation Previously generated CRLs were missing the Authority Key Identifier and CRL Number extensions required by strongSwan for certificate revocation validation. Without these extensions, strongSwan silently ignores the CRL, allowing revoked certificates to authenticate successfully. The migration regenerates existing CRLs for all CAs that have a private key available. CAs with passphrase-protected keys are skipped with a warning, as the passphrase cannot be provided non-interactively --- python/vyos/pki.py | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) (limited to 'python') diff --git a/python/vyos/pki.py b/python/vyos/pki.py index 4598c5daa..17fa97223 100644 --- a/python/vyos/pki.py +++ b/python/vyos/pki.py @@ -207,7 +207,16 @@ def create_certificate_revocation_list(ca_cert, ca_private_key, serial_numbers=[ builder = x509.CertificateRevocationListBuilder() \ .issuer_name(ca_cert.subject) \ .last_update(datetime.datetime.today()) \ - .next_update(datetime.datetime.today() + datetime.timedelta(1, 0, 0)) + .next_update(datetime.datetime.today() + datetime.timedelta(1, 0, 0)) \ + .add_extension(add_key_identifier(ca_cert), critical=False) \ + .add_extension( + x509.CRLNumber( + int( + datetime.datetime.now(datetime.timezone.utc).timestamp() * 1_000_000 + ) + ), + critical=False, + ) for serial_number in serial_numbers: revoked_cert = x509.RevokedCertificateBuilder() \ -- cgit v1.2.3