Hi,

On Thu, Jul 22, 2021 at 3:40 AM Ralf Hildebrandt <ralf.hildebra...@charite.de> wrote:
> * Bo Berglund <bo.bergl...@gmail.com>:
> > On Wed, 21 Jul 2021 10:57:50 +0200, Ralf Hildebrandt
> > <ralf.hildebra...@charite.de> wrote:
> >
> > >But how do I do this? Can I make openvpn accept client certificates
> > >from two CAs (the old and the new one)?
> >
> > Why use a new certificate?
>
> I need a new CA due to the German BSI crypto regulations (RSA 2048 is
> not enough)
>

The usual approach for updating a CA would be to use cross-signed (or link)
certificates. I haven't tried it with OpenVPN, but here is a thought:

First update the server cert signed by the new CA, but include a link cert
for the new CA signed by the old CA. That will make it possible for clients
to still verify the new server cert. Change the CA cert on the server to a
stack of old and new CA. Then gradually update the cert and ca on clients to
the new one (new CA only, not old+new). When all clients are updated, remove
the old CA cert and the link cert on the server.

Totally untested.

Selva
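The rotation Selva sketches, worked through as an added openssl demo (not code from the thread or from the OpenVPN project): it builds a throwaway PKI with made-up names and a 30-day validity, issues the link cert, and uses `openssl verify` to show which trust stores accept which certs at each stage. It assumes an `openssl` binary on PATH and a POSIX shell.

```shell
#!/bin/sh
# Constructed demo of the link-cert rotation described above: old RSA-2048 CA,
# new CA, a link cert, a server cert, two clients. All names are made up.
set -eu
PKI=$(mktemp -d); cd "$PKI"

# newcsr NAME KEYSPEC SUBJECT -> NAME.key, NAME.csr
newcsr() {
  openssl req -new -newkey "$2" -nodes -keyout "$1.key" -subj "$3" -out "$1.csr" 2>/dev/null
}
# issue CSRBASE CABASE OUT [extra openssl x509 args] -> OUT signed by CABASE
issue() {
  csr=$1; ca=$2; out=$3; shift 3
  openssl x509 -req -in "$csr.csr" -CA "$ca.crt" -CAkey "$ca.key" -CAcreateserial \
    -days 30 -out "$out" "$@" >/dev/null 2>&1
}
# verify TRUSTFILE CERT [UNTRUSTED_INTERMEDIATE] -> prints ok or fail
verify() {
  if [ -n "${3:-}" ]; then set -- -CAfile "$1" -untrusted "$3" "$2"; else set -- -CAfile "$1" "$2"; fi
  if openssl verify "$@" >/dev/null 2>&1; then echo ok; else echo fail; fi
}
setup_pki() {
  # 1. Old CA (RSA-2048) and new CA (longer RSA key); both self-signed.
  openssl req -x509 -newkey rsa:2048 -nodes -keyout old-ca.key -out old-ca.crt \
    -subj "/CN=Old VPN CA" -days 30 2>/dev/null
  openssl req -x509 -newkey rsa:3072 -nodes -keyout new-ca.key -out new-ca.crt \
    -subj "/CN=New VPN CA" -days 30 2>/dev/null
  # 2. Link cert: the new CA's key and subject, signed by the OLD CA, marked as a CA.
  #    Same SKID as new-ca.crt so a client's AKID lookup matches either cert.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > ca.ext
  openssl req -new -key new-ca.key -subj "/CN=New VPN CA" -out link.csr 2>/dev/null
  issue link old-ca link.crt -extfile ca.ext
  # 3. Server cert from the new CA; the server presents server.crt + link.crt.
  newcsr server rsa:2048 "/CN=vpn.example.test"; issue server new-ca server.crt
  cat server.crt link.crt > server-chain.crt
  # 4. One client still issued by the old CA, one already migrated to the new CA.
  newcsr old-client rsa:2048 "/CN=old-client"; issue old-client old-ca old-client.crt
  newcsr new-client rsa:2048 "/CN=new-client"; issue new-client new-ca new-client.crt
  # 5. Server-side trust during the transition: a stack of old and new CA certs.
  cat old-ca.crt new-ca.crt > server-ca-stack.crt
}
setup_pki
echo "old client, server cert alone  : $(verify old-ca.crt server.crt)"               # fail
echo "old client, server cert + link : $(verify old-ca.crt server.crt link.crt)"      # ok
echo "migrated client (new CA only)  : $(verify new-ca.crt server.crt)"               # ok
echo "server stack accepts old client: $(verify server-ca-stack.crt old-client.crt)"  # ok
echo "server stack accepts new client: $(verify server-ca-stack.crt new-client.crt)"  # ok
```

The first line failing is the point of the link cert: a client that only trusts the old CA cannot chain the new server cert until the server also sends link.crt; once every client trusts new-ca.crt alone, link.crt and old-ca.crt can be dropped from the server.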
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users