On Mon, Oct 2, 2023 at 3:00 PM mike tancsa <m...@sentex.net> wrote:

> I am in a position where I want to start migrating users away from my
> old CA, which will expire in the medium-term future, to a new CA. I have
> many endpoints and can't just say "OK, everyone download new files now."
> So I am looking at the steps in
>
> https://www.hexonet.net/blog/migrating-new-ca-for-openvpn
>
> which allows both sets of clients to connect to existing
> infrastructure.  Moving to different ports / IPs etc is not easy to do
> either as firewalls at local sites are controlled by many orgs and
> getting those changed is non trivial.
>
> Step 1 ok - new CA added (stacked)
>
> Step 2, "Also, the server certificate is replaced by one signed by the
> new CA."  Also done. Clients with certs signed with the new CA can connect.
>
> Step 3, "Additionally, an intermediate certificate (OLD-NEW-IM.crt) that
> uses the private key of the new CA, but is signed by the old CA, gets
> added to the server certificate file. IMPORTANT: When signing the new
> server certificate, the 'authorityKeyIdentifier' section must only
> include the keyid, and not the issuer. This is necessary to prevent
> issues related to different subjects of the old and new CA's."
>
> That's the part I am not sure of. Can this be done with easy-rsa 3, or do
> I need to do it manually with openssl? I am thinking this is an openssl
> CLI thing. If so, has anyone done this who can share the steps?
>

If you can afford two rounds of client config updates, this could be done
without step 3; see the following thread from the users list:

https://www.mail-archive.com/openvpn-users@lists.sourceforge.net/msg05983.html


Essentially, update to the stacked CA (old+new) on server and stacked CA +
new client certs on clients one by one. When all clients are updated,
change the server certificate to the new one. Then do another round of
client update where old CA is removed from the stack.

A link certificate allows one to do this in one round of client updates, as
also discussed in that thread. I have used the OpenSSL CLI in the past for this
but do not have a recipe at hand. No idea whether easyrsa could do it.

Selva
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users