diff --git a/roles/strongswan/tasks/openssl.yml b/roles/strongswan/tasks/openssl.yml
index 4ce2e666..5e48b1da 100644
--- a/roles/strongswan/tasks/openssl.yml
+++ b/roles/strongswan/tasks/openssl.yml
@@ -246,6 +246,10 @@
 issuer:
 CN: "{{ IP_subject_alt_name }}"
 revoked_certificates: "{{ revoked_certificates }}"
+
+ - name: Set CRL file permissions
+ file:
+ path: "{{ ipsec_pki_path }}/crl.pem"
 mode: "0644"
 delegate_to: localhost
 become: false
diff --git a/tests/unit/test_openssl_compatibility.py b/tests/unit/test_openssl_compatibility.py
index 2db4a976..a7e6f1b6 100644
--- a/tests/unit/test_openssl_compatibility.py
+++ b/tests/unit/test_openssl_compatibility.py
@@ -10,6 +10,7 @@ import os
 import re
 import subprocess
 import sys
+from datetime import UTC
 from cryptography import x509
 from cryptography.x509.oid import ExtensionOID, NameOID
@@ -423,8 +424,8 @@ def validate_certificate_chain_real(cert_files):
 assert certificate.issuer == ca_certificate.subject, f"Certificate {cert_path} not signed by CA"
 # Verify certificate is currently valid (not expired)
- from datetime import datetime, timezone
- now = datetime.now(timezone.utc)
+ from datetime import datetime
+ now = datetime.now(UTC)
 assert certificate.not_valid_before <= now, f"Certificate {cert_path} not yet valid"
 assert certificate.not_valid_after >= now, f"Certificate {cert_path} has expired"
diff --git a/uv.lock b/uv.lock
index 5aec38cd..07765976 100644
--- a/uv.lock
+++ b/uv.lock
@@ -1,6 +1,6 @@
 version = 1
 revision = 2
-requires-python = ">=3.10"
+requires-python = ">=3.11"
 [[package]]
 name = "algo"
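Review bot: In roles/strongswan/tasks/openssl.yml the new `Set CRL file permissions` task is inserted ahead of the existing `mode: "0644"`, `delegate_to: localhost` and `become: false` lines, so those lines now close the new task and the CRL-generating task above it appears to lose its delegation and privilege settings. Indentation is not visible here and the CRL task starts outside the hunk, so this is inferred; but unless an enclosing block sets them, the CRL would be generated on the target host with the play's default escalation instead of on the controller, where `{{ ipsec_pki_path }}` is then chmod-ed. Restore `delegate_to: localhost` and `become: false` on the CRL task, directly after its `revoked_certificates:` argument block. Mode `0644` is reasonable for a CRL since it is public data.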
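Review bot: In validate_certificate_chain_real (tests/unit/test_openssl_compatibility.py, second hunk) the unchanged asserts `certificate.not_valid_before <= now` and `certificate.not_valid_after >= now` compare a timezone-aware `now` with properties that cryptography returns as naive datetimes, so the expiry check raises TypeError instead of evaluating validity; switching to `datetime.now(UTC)` keeps that. Use the aware accessors, `assert certificate.not_valid_before_utc <= now, ...` and `assert certificate.not_valid_after_utc >= now, ...`, which exist from cryptography 42 onward (the pinned version is not visible here). The function-local `from datetime import datetime` could also move up next to the new module-level `from datetime import UTC` so the import lives in one place. The function body starts and ends outside the hunk.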