On Fri, Nov 14, 2025 at 04:56:34PM -0500, Christopher Sean Hilton wrote:
> On Fri, Nov 14, 2025 at 04:23:21PM -0500, Chris Hilton wrote:
> > I have a pair of servers, both running OpenBSD 7.6, that have a shared ikev2 vpn via
> > iked. This is working great; in fact it's working better than I expect it to. I've noticed
> > two issues:
> >
> > * The certificates in my VPN expired about a month ago but the VPN keeps renegotiating. I
> >   stopped iked on one side for about an hour today and after I restarted it, the VPN had no
> >   trouble restarting.
> >
> > * Running `ikectl ca my-vpn-ca certificate my-host create` throws an error indicating that
> >   the certificate already exists. In fact it does but the certificate that it cites is the
> >   expired one.
> >
> > Please forgive my question if these two issues have been addressed since OpenBSD 7.6 became
> > stale.
> >
>
> To follow up with the actual error message:
>
> ERROR:There is already a certificate for /C=US/ST=...
> The matching entry has the following details
> Type :Valid
> Expires on :250920224627Z
> Serial Number :04
>
> Note well that when I assume that the date given is seconds since 01/01/1970 and
> I do this:
>
> $ date -r 250920224627
> Sat May 7 02:23:47 EDT 9921
>
> I'm assuming that I'm missing something on the date format?

UTCTime has format YYMMDDHHMMSSZ, expired on Sep 20, 2025, at 22:46:27 UTC
https://www.rfc-editor.org/rfc/rfc5280#section-4.1.2.5.1
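
Added example, not part of the original thread and not code from OpenBSD or OpenSSL: a small Python decoder for the "Expires on" field as RFC 5280 UTCTime, including the two-digit-year rule, applied to the error text quoted above. The function names and the "Label :value" line parsing are assumptions made for this illustration.

```python
import re
from datetime import datetime, timezone

UTCTIME_RE = re.compile(r"^(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})Z$")
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?)\s*:(\S.*)$")

# The error text quoted in the thread (the subject DN is truncated there too).
SAMPLE_ERROR = """\
ERROR:There is already a certificate for /C=US/ST=...
The matching entry has the following details
Type :Valid
Expires on :250920224627Z
Serial Number :04
"""


def parse_utctime(value):
    """Decode an RFC 5280 UTCTime (YYMMDDHHMMSSZ) into an aware datetime."""
    m = UTCTIME_RE.match(value.strip())
    if not m:
        raise ValueError(f"not a YYMMDDHHMMSSZ UTCTime: {value!r}")
    yy, month, day, hour, minute, second = (int(g) for g in m.groups())
    # RFC 5280 section 4.1.2.5.1: YY >= 50 means 19YY, YY < 50 means 20YY.
    year = 1900 + yy if yy >= 50 else 2000 + yy
    # datetime() raises ValueError for impossible values such as month 13.
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def parse_entry(text):
    """Collect the 'Label :value' lines of the error text into a dict."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def expired_but_listed_valid(text, now):
    """True when the entry is typed Valid yet its expiry is before `now`."""
    fields = parse_entry(text)
    expiry = parse_utctime(fields["Expires on"])
    return fields.get("Type") == "Valid" and expiry < now


if __name__ == "__main__":
    entry = parse_entry(SAMPLE_ERROR)
    print("serial", entry["Serial Number"], "expired at", parse_utctime(entry["Expires on"]).isoformat())
    print("expired but listed Valid:", expired_but_listed_valid(SAMPLE_ERROR, datetime.now(timezone.utc)))
```
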

