On Thu, 23 Feb 2023 18:34:11 +0100, David Sommerseth <dazo+open...@eurephia.org> wrote:
>Yes, you can issue new certificates using *the same* private and public
>keys (essentially re-using the CSR). This will issue a new certificate
>with a new expiry date. Since the certificate and CA are the same, it
>just works as before.
>

Are most files used in this context NOT stamped with an expiration date?
I.e. do only .crt files have expiration times?
In that case I would only need to handle the ca.crt for expiration, right?

I was afraid that I need to handle all of the files in the keys dir and then if I screw up I have a non-working VPN server...

Well, in actual fact I have *copied* these files from the easy-rsa/keys dir into /etc/openvpn/keys:
ca.crt
ca.key
dh2048.pem
server.crt
server.key
ta.key

so a screwup is not detected until I copy the modified file(s) into the active server keys directory. Therefore a backup of these files will be able to restore earlier functionality...

Is ca.crt the only one I need to worry about?

When the client ovpn files are created the content comes from these in the easy-rsa/keys dir:
ca.crt
ta.key
clientcommonname.crt
clientcommonname.3des.key

These files are also created but not used in the ovpn files:
clientcommonname.key
clientcommonname.csr

And the data from the files are placed inside sections in the client ovpn files:
<ca>        ca.crt
<tls-auth>  ta.key
<cert>      clientcommonname.crt
<key>       clientcommonname.3des.key

Question:
---------
Is any part of the ovpn files affected if I update the main ca.crt file?
I.e. does an ovpn file depend on having been created after the ca.crt has gotten its expiration extended?
Then I would have to recreate all of them and update the clients too, right?

-- 
Bo Berglund
Developer in Sweden
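
What the quoted reply describes, sketched with plain `openssl` rather than easy-rsa (an added example, not part of the thread; the throwaway CA, the subject names and the validity periods are constructed): one CSR is signed twice, and the two certificates differ in expiry while carrying the same public key, so the existing private key still matches the reissued certificate.

```bash
#!/bin/sh
# Added example: every key and certificate here is generated on the fly as test data.
set -eu

# Build a throwaway CA plus one server key and CSR in directory $1.
make_demo_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/ca.key" -out "$1/ca.crt" \
        -subj "/CN=Demo CA" -days 3650 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1/server.key" \
        -out "$1/server.csr" -subj "/CN=server" 2>/dev/null
}

# Sign the existing CSR again: $1 = dir, $2 = output cert name, $3 = validity in days.
issue_from_csr() {
    openssl x509 -req -in "$1/server.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -out "$1/$2" -days "$3" 2>/dev/null
}

# SHA-256 fingerprint of the public key embedded in certificate $1.
pubkey_fp() {
    openssl x509 -in "$1" -noout -pubkey | openssl sha256 | awk '{print $NF}'
}

# Succeeds if private key file $2 belongs to certificate $1.
key_matches_cert() {
    [ "$(pubkey_fp "$1")" = \
      "$(openssl pkey -in "$2" -pubout | openssl sha256 | awk '{print $NF}')" ]
}

demo() {
    d=$(mktemp -d)
    make_demo_pki "$d"
    issue_from_csr "$d" server-old.crt 30     # the certificate about to expire
    issue_from_csr "$d" server-new.crt 365    # reissued from the same CSR
    for c in server-old.crt server-new.crt; do
        echo "$c: $(openssl x509 -in "$d/$c" -noout -enddate) pubkey=$(pubkey_fp "$d/$c")"
    done
    key_matches_cert "$d/server-new.crt" "$d/server.key" \
        && echo "server.key still matches the reissued certificate"
    openssl verify -CAfile "$d/ca.crt" "$d/server-new.crt"
    rm -rf "$d"
}

demo
```
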