Hello everyone, I'm trying to leisurely move from an old existing 1024-bit CA to a new 4096-bit one without any hassle for the clients. From an X.509 perspective it shouldn't be a problem, and I already have the new CA self-signed and cross-signed with the old CA; it should work just fine.
While there's no problem authenticating clients from both the old and the new CA using a single instance (multiple certificates in --ca are supported, and this is documented), I need to send two certificates from the OpenVPN server: the server certificate, which is signed by the new CA, and the new CA cross-signed with the old CA. This way it should work for clients with either the old or the new CA in their configuration files. I can't get the server to send more than one certificate to the client. It seems that multiple certificates in the --cert directive are supported only on the client side. Am I missing something, is there a way to push multiple certificates from the server? If there isn't a way currently, are there any protocol limitations which allow only one certificate to be sent?
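The X.509 side of the migration described in the post, as an added example that is not part of the original message or of OpenVPN: a POSIX shell script that builds the old root, the new root, the cross-signed copy of the new root and a server certificate with openssl, then checks that the leaf plus the cross-signed CA validates for a client trusting either root, while the leaf alone fails for a client that only trusts the old root. All file names, subject names and the 2048-bit key size are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not from the post or OpenVPN): reproduce the migration PKI
# with openssl and verify the presented chain against both trust anchors.
# File names, CNs and 2048-bit keys are assumptions chosen for a quick demo.
set -eu

# Build the PKI in a temporary directory and print that directory's path.
make_cross_signed_pki() {
    dir=$(mktemp -d)
    (
        cd "$dir"
        # Two self-signed roots: the one clients already trust and its replacement.
        openssl req -x509 -newkey rsa:2048 -nodes -keyout old-ca.key -out old-ca.crt \
            -subj "/CN=Old Root CA" -days 30
        openssl req -x509 -newkey rsa:2048 -nodes -keyout new-ca.key -out new-ca.crt \
            -subj "/CN=New Root CA" -days 30
        # Cross-sign: same new-CA key and subject, but issued by the old root, so a
        # path from a new-CA leaf can terminate at the old trust anchor.
        openssl req -new -key new-ca.key -out new-ca.csr -subj "/CN=New Root CA"
        printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
        openssl x509 -req -in new-ca.csr -CA old-ca.crt -CAkey old-ca.key -CAcreateserial \
            -extfile ca.ext -days 30 -out new-ca-cross.crt
        # Server leaf issued by the new root only.
        openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
            -subj "/CN=vpn.example"
        openssl x509 -req -in server.csr -CA new-ca.crt -CAkey new-ca.key -CAcreateserial \
            -days 30 -out server.crt
        # What the server should present: the leaf first, then the cross-signed CA.
        cat server.crt new-ca-cross.crt > server-chain.pem
    ) >/dev/null 2>&1
    echo "$dir"
}

# verify_chain ANCHOR LEAF [INTERMEDIATE]: succeed only if openssl builds a valid
# path from LEAF to ANCHOR; the output is checked because old openssl versions
# exit 0 even when verification fails.
verify_chain() {
    anchor=$1; leaf=$2; inter=${3:-}
    if [ -n "$inter" ]; then
        openssl verify -CAfile "$anchor" -untrusted "$inter" "$leaf" 2>/dev/null | grep -q ': OK$'
    else
        openssl verify -CAfile "$anchor" "$leaf" 2>/dev/null | grep -q ': OK$'
    fi
}

# Demo: the three client situations from the post.
pki=$(make_cross_signed_pki)
verify_chain "$pki/old-ca.crt" "$pki/server.crt" "$pki/new-ca-cross.crt" && echo "old-CA client, chain sent: OK"
verify_chain "$pki/new-ca.crt" "$pki/server.crt" "$pki/new-ca-cross.crt" && echo "new-CA client, chain sent: OK"
verify_chain "$pki/old-ca.crt" "$pki/server.crt" || echo "old-CA client, leaf only: FAIL (the gap in the post)"
```

Only X.509 path building is exercised here; whether the OpenVPN server actually presents the second certificate from its --cert file is exactly the open question of the post.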