On 02.10.23 22:21, mike tancsa wrote:
If I have to go for option A (stacked CAs on all clients, stacked CAs on the server, then update the server), is there a downside to leaving an expired CA cert on all the clients? Or can they just be left there until the devices get re-imaged over time?
I remember running tests in 2012 where OpenVPN would refuse to start if there was an expired *CRL* in the config - IIRC with a CA *file*, not a CApath -, even if the CA cert had already expired earlier and would, of course, remain unused. Current OpenVPN versions don't do that anymore. How up-to-date are your client installations?
(I still take care to get expired CAs removed from configs before their final CRL expires as well, just in case.)
Kind regards, -- Jochen Bern Systemingenieur Binect GmbH
_______________________________________________ Openvpn-users mailing list Openvpn-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-users
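The thread above is about what to do with a stacked `ca` bundle once one of the CAs in it has expired, and when the matching CRL runs out. The following is an added example (not code from the thread or from the OpenVPN project): a small POSIX shell audit that splits a PEM bundle as used by OpenVPN's `ca <file>` directive into its individual certificates, reports each one's `notAfter`, and flags any certificate that is already expired or will expire within a given number of seconds, plus a check of the `nextUpdate` of the CRL file named by `crl-verify`. It assumes `openssl` is on the PATH and, for the CRL check, GNU `date` (the `-d` option); file names and the warning window are parameters you supply.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: audit the CA bundle and CRL
# an OpenVPN config points at ("ca <file>" and "crl-verify <file>").
# Assumes: openssl on PATH; GNU date for check_crl.

# check_ca_bundle BUNDLE [WARN_SECS]
# Prints one line per certificate: subject, notAfter, and ok / EXPIRED_OR_EXPIRING.
# Returns 0 if every cert stays valid for at least WARN_SECS more seconds
# (default 0, i.e. "not expired right now"), 1 if any does not, 2 on error.
check_ca_bundle() {
    bundle=$1
    warn=${2:-0}
    [ -r "$bundle" ] || { echo "cannot read $bundle" >&2; return 2; }
    tmp=$(mktemp -d) || return 2
    bad=0
    # Split the stacked bundle into cert1.pem, cert2.pem, ... on the PEM markers.
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert" n ".pem" }
        out { print > out }
        /-----END CERTIFICATE-----/ { close(out); out = "" }
    ' "$bundle"
    for cert in "$tmp"/cert*.pem; do
        [ -e "$cert" ] || break      # no certificates found in the bundle
        subject=$(openssl x509 -in "$cert" -noout -subject)
        enddate=$(openssl x509 -in "$cert" -noout -enddate | sed 's/^notAfter=//')
        # -checkend N exits 0 only if the cert is still valid N seconds from now.
        if openssl x509 -in "$cert" -noout -checkend "$warn" >/dev/null; then
            status=ok
        else
            status=EXPIRED_OR_EXPIRING
            bad=1
        fi
        printf '%s | notAfter=%s | %s\n' "$subject" "$enddate" "$status"
    done
    rm -rf "$tmp"
    return $bad
}

# check_crl CRLFILE
# Returns 0 if the CRL's nextUpdate is still in the future, 1 if it has passed,
# 2 if the file or its date cannot be read (needs GNU date for "-d").
check_crl() {
    crl=$1
    [ -r "$crl" ] || { echo "cannot read $crl" >&2; return 2; }
    next=$(openssl crl -in "$crl" -noout -nextupdate | sed 's/^nextUpdate=//')
    next_epoch=$(date -u -d "$next" +%s 2>/dev/null) \
        || { echo "cannot parse nextUpdate: $next" >&2; return 2; }
    now=$(date -u +%s)
    if [ "$next_epoch" -gt "$now" ]; then
        echo "CRL ok, nextUpdate=$next"
        return 0
    fi
    echo "CRL EXPIRED, nextUpdate=$next"
    return 1
}

# Usage (paths are placeholders for your own config's ca / crl-verify files):
#   check_ca_bundle /etc/openvpn/ca.pem 2592000   # warn 30 days ahead
#   check_crl /etc/openvpn/crl.pem
```

Run it with a warning window (for example 30 days, 2592000 seconds) from cron on the server and on a sample of clients; a non-zero exit from `check_ca_bundle` tells you which stacked CA is due to be pruned, and a non-zero exit from `check_crl` tells you the CRL has to be re-issued or removed before clients pick up the stale one.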