On Sat, 25 Feb 2023 22:04:42 +0000, tincantech via Openvpn-users <openvpn-users@lists.sourceforge.net> wrote:
>Hi,
>> UPDATE (almost there):
>> ----------------------
>> I found this forum post most useful:
>> https://forums.openvpn.net/viewtopic.php?t=18671#p51517
>>
>> So now I have tested these commands on my server in easy-rsa/keys:
>>
>> Making copy of ca.crt with 25 year expiration:
>>
>> $ openssl x509 -in ca.crt -days 9131 -out ca_25.crt -signkey ca.key
>> Getting Private key
>>
>> Checking expiration of resulting key:
>>
>> $ openssl x509 -dates -noout -in ca_25.crt
>> notBefore=Feb 25 20:47:36 2023 GMT
>> notAfter=Feb 25 20:47:36 2048 GMT
>>
>> Checking an existing client cert using ca_25.crt:
>>
>> $ openssl verify -CAfile ca_25.crt JennyUbu.crt
>> JennyUbu.crt: OK
>>
>> So it seems like the new crt file accepts the old existing client crt!
>>
>> NEXT TO DO?:
>> -----------
>> I copy the ca_25.crt file to /etc/openvpn/keys dir and then edit the conf file
>> for the services to use this new file as the ca entry like this:
>>
>> #ca /etc/openvpn/keys/ca.crt
>> ca /etc/openvpn/keys/ca_25.crt
>> cert /etc/openvpn/keys/server.crt
>> key /etc/openvpn/keys/server.key # This file should be kept secret
>> dh /etc/openvpn/keys/dh2048.pem
>> tls-auth /etc/openvpn/keys/ta.key 0 # This file is secret
>>
>> And finally restart the openvpn services.
>>
>> Is this going to work or do I have to also process the cert entry
>> (server.crt)??
>>
>
>Assuming that your original CA is about to expire then all your clients need the
>same ca_25.crt in their config files. Otherwise, your clients will try to use the
>expired CA certificate.
>
>As for the server and client certificates, when they expire they need to be
>renewed.
>
>It is safe to distribute certificates over an insecure medium.
>

The cert and other encrypted data are built into the ovpn files so are not used from separate files by the clients...
Do I have to create new ovpn files and send to the clients?
--
Bo Berglund
Developer in Sweden

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
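Added example, not code from this thread or from OpenVPN: a throwaway CA built inline replays the `openssl x509 -signkey` re-signing step, shows why an already issued client cert still verifies against the re-signed CA (same subject and same public key), and checks whether a profile's embedded `<ca>` block already carries the new CA cert, which is the point the reply makes about clients. Assumes `openssl` on PATH; the working directory, subject names and file names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread: replays the CA re-signing step on a
# throwaway CA and checks its consequences. Assumes openssl on PATH; the
# directory, subject names and file names below are constructed for the demo.
set -e
WORK=${WORK:-$(mktemp -d)}

# Stand-ins for easy-rsa's ca.crt/ca.key and an already issued client cert.
make_fixture() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Demo VPN CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=client1" \
        -keyout "$WORK/client1.key" -out "$WORK/client1.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/client1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 3650 -out "$WORK/client1.crt" 2>/dev/null
}

# The step from the thread: re-issue the CA certificate for 25 years with the
# SAME private key. Existing extensions are kept unless -clrext is given.
extend_ca() {
    openssl x509 -in "$WORK/ca.crt" -days 9131 -signkey "$WORK/ca.key" \
        -out "$WORK/ca_25.crt" 2>/dev/null
}

# Why old client certs still verify: subject and public key are unchanged,
# only validity dates and the signature differ. Prints "same" or "different".
compare_identity() {
    old=$(openssl x509 -in "$WORK/ca.crt" -noout -subject -pubkey)
    new=$(openssl x509 -in "$WORK/ca_25.crt" -noout -subject -pubkey)
    [ "$old" = "$new" ] && echo same || echo different
}

# Chain the previously issued client cert to the new CA cert; prints "OK".
verify_client() {
    openssl verify -CAfile "$WORK/ca_25.crt" "$WORK/client1.crt" 2>/dev/null \
        | sed 's/.*: //'
}

# The point raised in the reply: clients only benefit once their profile
# carries the new CA. Compare the <ca> block of an .ovpn file ($1) with
# ca_25.crt; prints "current" or "stale".
profile_ca_status() {
    embedded=$(sed -n '/<ca>/,/<\/ca>/p' "$1" | sed '1d;$d' \
        | openssl x509 -noout -fingerprint -sha256)
    wanted=$(openssl x509 -in "$WORK/ca_25.crt" -noout -fingerprint -sha256)
    [ "$embedded" = "$wanted" ] && echo current || echo stale
}

# Write a minimal .ovpn-style profile embedding the CA file $1 into file $2.
write_profile() {
    { echo "client"; echo "<ca>"; cat "$1"; echo "</ca>"; } > "$2"
}
```

Running `profile_ca_status` against a profile that embeds the old `ca.crt` reports `stale`, which is exactly the case where a new .ovpn must be produced for that client.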