On Thu, 23 Feb 2023 20:50:49 +0000, tincantech via Openvpn-users <openvpn-users@lists.sourceforge.net> wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA256
>
>Hi,
>
>------- Original Message -------
>On Thursday, February 23rd, 2023 at 17:34, David Sommerseth
><dazo+open...@eurephia.org> wrote:
>
>> On 23/02/2023 17:43, Bo Berglund wrote:
>> >
><Large-snip>
>
>Note: The suggestions made by David Sommerseth above are also very useful.
>
>
>> > Questions:
>> >
>> > Can I extend the expiration time of my server and the clients too before
>> > actual expiration such that this will not happen on Oct 24, 2027?
>>
>>
>> Yes, you can issue new certificates using the same private and public
>> keys (essentially re-using the CSR). This will issue a new certificate
>> with a new expiry date. Since the certificate and CA is the same, it
>> just works as before.
>>
>
>Yes, again with easyrsa:
>
>  easyrsa [optional: --days=3650] renew <server/client-name>
>
>This will create a new certificate from the original signing request.

How is the new crt file named? Or is the old overwritten?

>This renewed certificate uses the original entity private key.

This expiration business, does it apply only to crt files?
With all other files remaining the same over time?

>Make sure that you use EasyRSA version 3.1+, otherwise 'renew' will
>not use the original key. Which means you also have to distribute
>that entity NEW private key over a secure medium.
>

I have used easy-rsa2 since I started with OpenVPN 10 years ago and I have made
a script that eases the manufacture of client OVPN files using the easy-rsa2
command scripts.

Currently I have 7 VPN servers in 5 locations running on RaspberryPi and linux
boxes. All basically set up the same way and using easy-rsa2.
They are closing in on the 10-year expiration now so I think I need to "do
something".

Given that I have the easy-rsa setup with existing crt, csr, key, 3des.key and
pem files in the keys subdir to easy-rsa, what is the best way to convert to
using easy-rsa3?
I had a brief look at version 3 but did not understand how to use it in my own
environment, especially how I would convert my makeclient script, so I kept the
old version 2...

I guess I have to convert to 3 now, so can I use the same keys directory as with
easy-rsa2 (rather a copy)?
It holds *all* the crypto files created except for the client ovpn files.

-- 
Bo Berglund
Developer in Sweden
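
As an added example (not part of the thread, and not code from easy-rsa or OpenVPN): a shell audit of a keys directory that reports which certificates expire within a given number of days and whether each certificate still matches the private key next to it, which is the property a renewal that re-uses the original key should preserve. It assumes unencrypted private keys stored as NAME.key beside NAME.crt; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit certificate expiry and cert/key pairing with openssl.
# Assumption: NAME.crt sits next to an unencrypted NAME.key in one directory.

# Succeeds only if the certificate's public key equals the one derived from
# the private key file. Returns 2 if either file cannot be parsed.
same_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    k=$(openssl pkey -in "$2" -pubout) || return 2
    [ "$c" = "$k" ]
}

# Succeeds if the certificate expires within DAYS days (or already has).
# Returns 2 if the file is not a readable certificate.
expires_within() {
    openssl x509 -in "$1" -noout >/dev/null 2>&1 || return 2
    ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Prints one tab-separated line per certificate:
#   RENEW|ok   key-matches|KEY-MISMATCH|no-key   expiry date   path
audit_keys_dir() {
    dir=$1
    days=${2:-365}
    for crt in "$dir"/*.crt; do
        [ -f "$crt" ] || continue
        end=$(openssl x509 -in "$crt" -noout -enddate 2>/dev/null) || continue
        status=ok
        if expires_within "$crt" "$days"; then status=RENEW; fi
        key=${crt%.crt}.key
        keystate=no-key
        if [ -f "$key" ]; then
            if same_key "$crt" "$key"; then
                keystate=key-matches
            else
                keystate=KEY-MISMATCH
            fi
        fi
        printf '%s\t%s\t%s\t%s\n' "$status" "$keystate" "${end#notAfter=}" "$crt"
    done
    return 0
}

# Usage: sh audit.sh /path/to/keys [days]
if [ -n "${1:-}" ]; then audit_keys_dir "$1" "${2:-365}"; fi
```

Running it against a copy of the keys directory before and after a renewal shows whether the new certificate carries a later expiry date and is still paired with the key already deployed on the server or client.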