[strongSwan] How does strongswan handle renewed or expired CRLs?

Tobias Brunner tobias at strongswan.org
Fri Apr 1 12:05:38 CEST 2022

Hi Harri,

> Apparently certificate revocation lists have an expiration date. AFAIU
> this is the maximum time a CRL should be cached.

Technically, it's the date by which the next CRL will be issued.  A CRL 
is considered valid until that date.

> I had revoked a few road-warrior certificates and put a new CRL on
> my web server within this grace period, but strongswan refused to
> check the URL for an update, as Apache's access.log shows.

strongSwan only checks the URL if no valid CRL is found locally. 
Either manually installed or cached (in-memory and, if charon.cache_crls 
and/or cachecrls in config setup is enabled, on disk).

> Even on
> "ipsec rereadcrls" the new CRL was ignored.

This reads CRLs from /etc/ipsec.d/crls, nothing else.  To flush the 
in-memory cache use `ipsec purgecrls` (CRLs cached on disk have to be 
deleted manually from the directory above, note that that requires a 

> And a related question: Do I have to assume that all road-warrior
> certificates become unusable, if the CRL mentioned in the certificates
> expires?

Only if strictcrlpolicy is enabled (revocation in swanctl.conf).


More information about the Users mailing list