Hi,

------- Original Message -------
On Saturday, February 25th, 2023 at 21:12, Bo Berglund <bo.bergl...@gmail.com> wrote:

> On Thu, 23 Feb 2023 17:43:15 +0100, Bo Berglund bo.bergl...@gmail.com wrote:
>
> > Questions:
> >
> > Can I extend the expiration time of my server and the clients too before actual
> > expiration such that this will not happen on Oct 24, 2027?
>
> UPDATE (almost there):
> ----------------------
> I found this forum post most useful:
> https://forums.openvpn.net/viewtopic.php?t=18671#p51517
>
> So now I have tested these commands on my server in easy-rsa/keys:
>
> Making copy of ca.crt with 25 year expiration:
>
> $ openssl x509 -in ca.crt -days 9131 -out ca_25.crt -signkey ca.key
> Getting Private key
>
> Checking expiration of resulting key:
>
> $ openssl x509 -dates -noout -in ca_25.crt
> notBefore=Feb 25 20:47:36 2023 GMT
> notAfter=Feb 25 20:47:36 2048 GMT
>
> Checking an existing client cert using ca_25.crt:
>
> $ openssl verify -CAfile ca_25.crt JennyUbu.crt
> JennyUbu.crt: OK
>
> So it seems like the new crt file accepts the old existing client crt!
>
> NEXT TO DO?:
> -----------
> I copy the ca_25.crt file to /etc/openvpn/keys dir and then edit the conf file
> for the services to use this new file as the ca entry like this:
>
> #ca /etc/openvpn/keys/ca.crt
> ca /etc/openvpn/keys/ca_25.crt
> cert /etc/openvpn/keys/server.crt
> key /etc/openvpn/keys/server.key # This file should be kept secret
> dh /etc/openvpn/keys/dh2048.pem
> tls-auth /etc/openvpn/keys/ta.key 0 # This file is secret
>
> And finally restart the openvpn services.
>
> Is this going to work or do I have to also process the cert entry
> (server.crt)??
>

Assuming that your original CA is about to expire then all your clients need the same ca_25.crt in their config files. Otherwise, your clients will try to use the expired CA certificate.

As for the server and client certificates, when they expire they need to be renewed.

It is safe to distribute certificates over an insecure medium.

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
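
An added example, not part of the original thread: a pre-rollout check that a re-signed CA certificate keeps the old key and subject and that every already-issued certificate still verifies against it, with a same-name CA on a new key as the failing contrast. It builds a throwaway CA in a temporary directory; "Demo CA", "demo-client", `other.crt` and the `issued/` directory are constructed names.

```shell
#!/bin/sh
# Added example: builds a throwaway CA in a temp dir; "Demo CA", "demo-client"
# and other.crt are constructed names, not values from the thread.
set -e
WORK=$(mktemp -d)

# SHA-256 digest of a certificate's public key (unchanged by re-signing).
pubkey_digest() {
    openssl x509 -in "$1" -noout -pubkey | openssl sha256 | awk '{print $NF}'
}

# True only if both certificates have the same subject and public key, which
# is why certificates issued under the old CA file still chain to the new one.
same_ca_identity() {
    [ "$(pubkey_digest "$1")" = "$(pubkey_digest "$2")" ] &&
    [ "$(openssl x509 -in "$1" -noout -subject)" = \
      "$(openssl x509 -in "$2" -noout -subject)" ]
}

# True only if every *.crt in directory $2 verifies against CA file $1.
verify_all() {
    for c in "$2"/*.crt; do
        openssl verify -CAfile "$1" "$c" >/dev/null 2>&1 || return 1
    done
}

build_demo() {
    cd "$WORK" && mkdir issued
    openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
        -days 30 -subj "/CN=Demo CA" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -keyout client.key -out client.csr \
        -subj "/CN=demo-client" 2>/dev/null
    openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 30 -out issued/client.crt 2>/dev/null
    # The command from the thread: re-sign the CA certificate with its own key.
    openssl x509 -in ca.crt -days 9131 -out ca_25.crt -signkey ca.key 2>/dev/null
    # Contrast case: same CA name but a freshly generated key.
    openssl req -x509 -newkey rsa:2048 -nodes -keyout other.key -out other.crt \
        -days 30 -subj "/CN=Demo CA" 2>/dev/null
}

build_demo
if same_ca_identity ca.crt ca_25.crt && verify_all ca_25.crt issued; then
    echo "ca_25.crt: same key and subject, issued certs verify"
fi
if ! verify_all other.crt issued; then
    echo "other.crt: new key, issued certs no longer verify"
fi
```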