>
> Thanks Selva for the link!  Two rounds will be a bit laborious as there
> are many endpoints.  If I have to go for option A (Stacked CAs on all
> clients, stacked CAs on the server then update the server), is there a
> downside with leaving an expired CA cert on all the clients? Or can they
> just be left there until the devices get re-imaged over time?
>
>
Then clients will continue to trust server certs issued by the old CA, which
may not be desirable in some setups.

If you are also updating the client version at the same time, test this out
first -- hard to anticipate what all could go wrong. Newer version
clients may reject the old server certificate for outdated MD or key-size.

Selva
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
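
The two checks raised in the reply above (expired CA entries left in a stacked CA file, and certificates a newer client may reject for an outdated MD or key size), as an added example that is not part of the original thread. The function name `audit_bundle` and the thresholds `MIN_RSA_BITS` and `WEAK_MD_RE` are assumptions for illustration; the script relies on the `openssl` command-line tool.

```shell
#!/usr/bin/env bash
# Added example: audit each certificate in a stacked CA file (PEM).
# Assumed thresholds for illustration; match them to your client's policy.
MIN_RSA_BITS="${MIN_RSA_BITS:-2048}"
WEAK_MD_RE="${WEAK_MD_RE:-md5|sha1}"

# audit_bundle FILE
# Prints one line per certificate: index|expiry|sigalg|bits|verdict|subject
audit_bundle() {
    local bundle="$1" tmp cert n=0 text subject sigalg pkalg bits status verdict
    tmp="$(mktemp -d)" || return 1
    # Split the stacked file into one PEM file per certificate.
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { i++; out = sprintf("%s/cert%03d.pem", dir, i) }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$bundle"
    for cert in "$tmp"/cert*.pem; do
        [ -e "$cert" ] || break
        n=$((n + 1))
        text="$(openssl x509 -in "$cert" -noout -text)"
        subject="$(openssl x509 -in "$cert" -noout -subject | sed 's/^subject= *//')"
        sigalg="$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)"
        pkalg="$(printf '%s\n' "$text" | sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1)"
        bits="$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)"
        # -checkend 0 exits non-zero once notAfter is in the past.
        if openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
            status=valid
        else
            status=expired
        fi
        verdict=ok
        # Outdated message digest in the certificate signature.
        if printf '%s' "$sigalg" | grep -Eqi "$WEAK_MD_RE"; then verdict=weak; fi
        # The bit threshold only makes sense for RSA keys.
        if [ "$pkalg" = "rsaEncryption" ] && [ "${bits:-0}" -lt "$MIN_RSA_BITS" ]; then
            verdict=weak
        fi
        printf '%s|%s|%s|%s|%s|%s\n' "$n" "$status" "$sigalg" "${bits:-?}" "$verdict" "$subject"
    done
    rm -rf "$tmp"
}

# Usage: audit_bundle /path/to/stacked-ca.pem
```

Running it against the stacked CA file and the server certificate before the client upgrade shows which entries are expired and which would fall under the stricter digest or key-size limits.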