CA CRL OPENVPN

Hello !

I consulted the Mikrotik doc to build my OpenVPN VPN. For certificates, I consulted the new and old wiki. And that’s when I noticed a difference:

New wiki:

/certificate
sign CA-Template
sign Client
sign Server ca-crl-host=192.168.88.1 name=ServerCA

Old wiki:

/certificate
sign ca-template ca-crl-host=10.5.101.16 name=myCa
sign server-template ca=myCa name=server
sign client1-template ca=myCa name=client1

If I’m not mistaken, the ca-crl-host should be on the CA and not the server?

Is this an error on the new Wiki or a misunderstanding on my part?

Thanks :sunglasses:

Indeed, the ca-crl-host only makes sense if it is part of the CA certificate. Talking about that, a CRL on a private address also only makes sense in a limited number of real-life scenarios.

So apart from fixing a documentation bug (which requires filing a ticket at https://help.mikrotik.com/servicedesk/servicedesk/customer/user/login?destination=portals rather than just placing a rhetorical question here on the forum), do you really need a CRL? I can only imagine one scenario where it would help: if someone got hold of the private key of your VPN server certificate and managed to redirect clients' requests towards your FQDN or even IP address through their server, so they could harvest the credentials of your VPN users. Is the probability that such a scenario happens high enough to justify the burden of having a CRL reachable from the internet? If yes, it still seems more logical to me to make the clients authenticate themselves using certificates rather than username and password, and of course let them properly generate private keys and CSRs and just sign the latter using the CA rather than creating the complete certificates including the private keys for them centrally.
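
Added example, not from this thread and not MikroTik code: the same layout built with plain openssl in a POSIX shell, so the X.509 semantics behind ca-crl-host can be checked offline. A CRL is a document signed by the issuing CA, and verifiers learn where to fetch it from a CRL distribution point (CDP) extension carried in the certificates that CA issues; the CA certificate itself needs none. The script creates myCa, then server and client1 as key-plus-CSR pairs of which the CA only ever signs the CSR (the workflow recommended above), issues an empty CRL, revokes client1, and shows that verification against the refreshed CRL fails. The CRL URL http://10.5.101.16/crl/myCa.crl, the temporary directory and all function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the forum thread, not RouterOS commands): a
# throwaway X.509 PKI mirroring the old-wiki names myCa / server / client1.
# Assumed values: the CRL URL below and the temporary working directory.
set -eu

PKI=$(mktemp -d)
trap 'rm -rf "$PKI"' EXIT
CRL_URL="http://10.5.101.16/crl/myCa.crl"   # assumed CRL distribution point

# Create the CA, the server and client certificates, and an empty CRL.
build_pki() (
    cd "$PKI" || exit 1
    # One openssl config: [req] for the self-signed CA, [ca] for CRL work.
    cat > ca.cnf <<EOF
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[ dn ]
CN = myCa
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ ca ]
default_ca = myCa
[ myCa ]
database = index.txt
crlnumber = crlnumber
certificate = ca.crt
private_key = ca.key
default_md = sha256
default_crl_days = 30
EOF
    # Extensions for issued certificates: this is where the CDP lives,
    # pointing at the CRL that the CA (not the server) publishes.
    cat > issued.ext <<EOF
basicConstraints = CA:FALSE
crlDistributionPoints = URI:$CRL_URL
EOF
    openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -days 365 \
        -keyout ca.key -out ca.crt >/dev/null 2>&1 || exit 1
    # Server and client generate their own key and CSR; the CA only sees
    # and signs the CSR, so private keys never leave their owner.
    for name in server client1; do
        openssl req -new -config ca.cnf -subj "/CN=$name" -newkey rsa:2048 \
            -nodes -keyout "$name.key" -out "$name.csr" >/dev/null 2>&1 || exit 1
        openssl x509 -req -in "$name.csr" -CA ca.crt -CAkey ca.key \
            -CAcreateserial -days 365 -extfile issued.ext \
            -out "$name.crt" >/dev/null 2>&1 || exit 1
    done
    : > index.txt        # empty revocation database
    echo 01 > crlnumber  # CRL number counter
    openssl ca -config ca.cnf -gencrl -out ca.crl >/dev/null 2>&1
)

# Does the given certificate carry the CRL distribution point? (0 = yes)
cert_has_cdp() {
    openssl x509 -in "$1" -noout -text | grep -q "$CRL_URL"
}

# Is the CRL signed by myCa? openssl reports "verify OK" on stderr.
crl_signed_by_ca() {
    openssl crl -in "$PKI/ca.crl" -CAfile "$PKI/ca.crt" -noout 2>&1 \
        | grep -q "verify OK"
}

# Verify a certificate against the CA and the CA's current CRL.
verify_with_crl() {
    openssl verify -crl_check -CAfile "$PKI/ca.crt" -CRLfile "$PKI/ca.crl" \
        "$1" >/dev/null 2>&1
}

# Revoke an issued certificate (by name) and publish a fresh CRL.
revoke_cert() (
    cd "$PKI" || exit 1
    openssl ca -config ca.cnf -revoke "$1.crt" >/dev/null 2>&1 || exit 1
    openssl ca -config ca.cnf -gencrl -out ca.crl >/dev/null 2>&1
)

# Demonstration when run directly.
build_pki
for c in ca server client1; do
    if cert_has_cdp "$PKI/$c.crt"; then echo "$c.crt: carries the CDP"
    else echo "$c.crt: no CDP"; fi
done
crl_signed_by_ca && echo "ca.crl: signed by myCa"
verify_with_crl "$PKI/client1.crt" && echo "client1: valid before revocation"
revoke_cert client1
verify_with_crl "$PKI/client1.crt" || echo "client1: rejected after revocation"
```

The check worth remembering is the one cert_has_cdp performs: the URL turns up in server.crt and client1.crt and never in ca.crt, while openssl crl -CAfile confirms the CRL carries the CA's signature. That is the X.509 reason the setting belongs to the CA's signing step rather than the server's. Requires openssl 1.1.1 or later on PATH.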

@sindy
> (rather than just placing a rhetorical question here on the forum)

Was that really useful?
I don’t know why you’re being so nasty. I couldn’t remember why I left the Mikrotik forum. It just came back to me.

OK. So should I take it that all you took from my whole post is that I suggested you send your valid concern where it will be handled, in a form you perceive as offending? Can you imagine how many people believe that Mikrotik support staff read every single post on the forum? How could I know you are not one of them?

@Sindy, your answer on the first line was perfect. Thank you! But I don't understand this useless little remark, whether or not I am an average user.
Because when I posted, I didn’t know if it was a mistake or not.

So you wanted the forum to confirm your suspicion before eventually filing a ticket? Sorry, that explanation did not come to my mind.

I wonder how many other people took my non-sterile formulations as insults but did not let me know :confused:

> So you wanted the forum to confirm your suspicion before eventually filing a ticket? Sorry, that explanation did not come to my mind.

Yes, exactly :slight_smile:

> I wonder how many other people took my non-sterile formulations as insults but did not let me know :confused:

Can be several.

OT:

@Antho01010
Have you come across other MT forum users yet?
sindy is one of the members who really takes the time and care to explain points. Jump around this forum and look out for "the cat", and I wonder how you would react to some of those answers …

This forum has some helpful and really valuable posts, but it is also a forum … there are many nosy and grumpy people around here too. Welcome to the internet ;-D

Hello @spippan

I’m not taking anything away from the Mikrotik forum or even from Sindy. You know, I don’t think we have to put up with people’s moods and personalities. If we don’t like it, we should say so. And if we’re not happy, we leave.

Now, I don’t understand the meaning of unnecessary remarks.

And if you find that “le chat” has answers that can make people react, it’s because you’re not right.

Then you have to pay attention to the translation ^^