On 10/2/2023 4:42 PM, Jochen Bern wrote:
On 02.10.23 22:21, mike tancsa wrote:
If I have to go for option A (Stacked CAs on all clients, stacked CAs on the server then update the server), is there a downside with leaving an expired CA cert on all the clients? Or can they just be left there until the devices get re-imaged over time?

I remember running tests in 2012 where OpenVPN would refuse to start if there was an expired *CRL* in the config - IIRC with a CA *file*, not a CApath -, even if the CA cert had already expired earlier and would, of course, remain unused. Current OpenVPN versions don't do that anymore. How up-to-date are your client installations?

Thanks, that's a good question about the clients, at some point I plan to do a survey to see what exactly is out in the field!


    ---Mike