On Thu, 23 Feb 2023 17:43:15 +0100, Bo Berglund <bo.bergl...@gmail.com> wrote:
>Questions:
>
>Can I extend the expiration time of my server and the clients too before actual
>expiration such that this will not happen on Oct 24, 2027?
>

UPDATE (almost there):
----------------------
I found this forum post most useful:
https://forums.openvpn.net/viewtopic.php?t=18671#p51517

So now I have tested these commands on my server in easy-rsa/keys:

Making copy of ca.crt with 25 year expiration:
$ openssl x509 -in ca.crt -days 9131 -out ca_25.crt -signkey ca.key
Getting Private key

Checking expiration of resulting key:
$ openssl x509 -dates -noout -in ca_25.crt
notBefore=Feb 25 20:47:36 2023 GMT
notAfter=Feb 25 20:47:36 2048 GMT

Checking an existing client cert using ca_25.crt:
$ openssl verify -CAfile ca_25.crt JennyUbu.crt
JennyUbu.crt: OK

So it seems like the new crt file accepts the old existing client crt!

NEXT TO DO?:
-----------
I copy the ca_25.crt file to /etc/openvpn/keys dir and then edit the conf file
for the services to use this new file as the ca entry like this:

#ca /etc/openvpn/keys/ca.crt
ca /etc/openvpn/keys/ca_25.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key  # This file should be kept secret
dh /etc/openvpn/keys/dh2048.pem
tls-auth /etc/openvpn/keys/ta.key 0 # This file is secret

And finally restart the openvpn services.

Is this going to work or do I have to also process the cert entry (server.crt)??

--
Bo Berglund
Developer in Sweden
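Added example, not part of the original post: a pre-flight check for the re-signed CA procedure described above. It confirms that the new CA certificate keeps the old subject and key pair, then checks each server or client certificate both for chaining to the new CA and for its own remaining lifetime, since a certificate's own notAfter is fixed at issuance and is not changed by re-signing the CA. The function names and the throwaway test PKI are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: pre-flight checks before switching OpenVPN's "ca" line to a re-signed CA.
# Function names are hypothetical; file names in the usage note follow the post.

# Print the SHA-256 of a certificate's public key (DER SubjectPublicKeyInfo).
pubkey_hash() {
    openssl x509 -in "$1" -noout -pubkey |
        openssl pkey -pubin -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Succeed only if the renewed CA keeps the old CA's subject and key pair,
# which is what lets certificates issued under the old CA still chain to it.
same_ca_identity() {
    [ "$(openssl x509 -in "$1" -noout -subject)" = "$(openssl x509 -in "$2" -noout -subject)" ] &&
    [ "$(pubkey_hash "$1")" = "$(pubkey_hash "$2")" ]
}

# Succeed if the certificate is still valid N days from now.
# A leaf's notAfter was fixed at issuance; re-signing the CA does not move it.
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# preflight NEW_CA DAYS CERT...: report chain and lifetime per certificate.
# Returns non-zero if any certificate fails either check.
preflight() {
    new_ca=$1; days=$2; shift 2; rc=0
    for crt in "$@"; do
        if ! openssl verify -CAfile "$new_ca" "$crt" >/dev/null 2>&1; then
            echo "$crt: does NOT chain to $new_ca"; rc=1
        elif ! valid_for_days "$crt" "$days"; then
            echo "$crt: chains, but $(openssl x509 -in "$crt" -noout -enddate)"; rc=1
        else
            echo "$crt: OK for at least $days days"
        fi
    done
    return $rc
}

# Build a constructed throwaway CA, a 10-day leaf and a re-signed CA in directory $1,
# using the same re-signing command as the post. For testing the checks only.
make_constructed_pki() {
    ( cd "$1" &&
      openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt -days 30 -subj "/CN=Constructed Test CA" &&
      openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr -subj "/CN=constructed-client" &&
      openssl x509 -req -in leaf.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out leaf.crt -days 10 &&
      openssl x509 -in ca.crt -days 9131 -out ca_25.crt -signkey ca.key ) >/dev/null 2>&1
}
```

To use it on the files from the post, source the script in easy-rsa/keys and run `same_ca_identity ca.crt ca_25.crt && preflight ca_25.crt 365 server.crt JennyUbu.crt`.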