From a441bae6263c71d514bcecd970f45345bfea2080 Mon Sep 17 00:00:00 2001
From: Kaarle Ritvanen
Date: Sat, 1 Sep 2018 23:34:06 +0300
Subject: dmvpn-ca: issue new CRL before expiry
---
 dmvpn-ca | 3 ++-
 dmvpn-ca.conf | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/dmvpn-ca b/dmvpn-ca
index a507941..7e1b122 100755
--- a/dmvpn-ca
+++ b/dmvpn-ca
@@ -731,7 +731,8 @@ end
 function get_crl()
 local row = select_one('expires, data', 'crl', nil, 'n')
- return row and row[1] > now and x509crl.new(row[2]) or generate_crl()
+ return row and now < row[1] - config.crl.renewal and x509crl.new(row[2])
+ or generate_crl()
 end
diff --git a/dmvpn-ca.conf b/dmvpn-ca.conf
index 15dd39a..ffe6cc6 100644
--- a/dmvpn-ca.conf
+++ b/dmvpn-ca.conf
@@ -18,4 +18,5 @@ hub:
 crl:
 dist-point: 'http://example.com/dmvpn-ca.crl'
- lifetime: 60
+ lifetime: 90
+ renewal: 30
--
cgit v1.2.3
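Review bot: `config.crl.renewal` is read in the new `return` of get_crl() with no fallback, so a configuration file written before this change, which has no `renewal` key, would make `row[1] - config.crl.renewal` raise an arithmetic-on-nil error whenever a stored CRL row exists, unless a default is applied where the config is loaded (not visible in this hunk). A failure here stops the CA from handing out any CRL at all, which for relying parties doing revocation checks is worse than getting one that is close to expiry. I would default the value, `local renewal = config.crl.renewal or 0`, and compare with `now < row[1] - renewal`. It is also worth rejecting at load time a `renewal` that is not smaller than `lifetime`, since in that case every call would presumably fall through to generate_crl().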
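Review bot: The sample config lists `lifetime` and `renewal` without stating their unit or how they relate, and the new key is easy to misread as an interval between renewals rather than a lead time before expiry. A comment above it would help, for example `# renewal: issue a new CRL this long before the current one expires; must be smaller than lifetime`. The unit is not visible in this diff, so the comment should name it explicitly.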