On Fri, 06 Oct 2023 20:59:48 +0000, tincantech via Openvpn-users <openvpn-users@lists.sourceforge.net> wrote:

>On Friday, October 6th, 2023 at 21:17, Bo Berglund <bo.bergl...@gmail.com>
>wrote:
>
>
>> In easyrsa2 one could enter a longer expiration than 3650 days by editing the
>> vars file and changing these entries
>>
>> export CA_EXPIRE=3650
>> export KEY_EXPIRE=3650
>>
>> to a different value like 7300 (20 years).
>>
>> How is it done correctly using easyrsa3?
>>
>> Like this?
>>
>> - rename vars.example to vars
>> - Activate lines and values:
>> set_var EASYRSA_CA_EXPIRE 7300
>> set_var EASYRSA_CERT_EXPIRE 7200
>
>That will also set standard certificate expiry to 7200 days.
>
>For the CA only, you could use `easyrsa --days=7300 build-ca`
>
>Option --days can be used by any command that requires an expiration date.
>

It turned out that when I ran the initial easyrsa init-pki it complained about
me having modified vars.example and created a vars file...
So I reverted those changes and ran the command again.
This produced a pki dir where there was a vars file, which seems to be the one
I can edit to change the expiration.
I did not want to run init-pki until I had changed the expiration since I did
not know what could be changed afterwards...
Now OK after editing the vars file there.

>> I have noted that these two have defaults of 3650 and 825 days respectively,
>> what is the reason for that and will my suggested expirations above not work?
>
>They apply to different certificates, as shown above.
>

Yes, I understand that but I wondered why there was such a big difference in
expiration in the default for these two...

Additional question:
--------------------
This is the first device on which I install OpenVPN using easyrsa3.
Earlier some months ago I migrated from easyrsa2 to easyrsa3 on existing
servers. And that was successful with your help after fixing some problems with
the migration function.
I wrote a client creation script that runs the full process of generating the
client OVPN file and it works just fine.

Now I am trying to set up a *new* server for my daughter and I have run into a
problem of understanding again....

My server.conf files contain references to cryptography like shown below and I
have found the easyrsa3 locations for the new server after running these
creation commands from earlier discussions:

easyrsa --nopass build-ca (enter the CN JennyVPN when asked)
easyrsa --nopass build-server-full JennyVPN
openvpn --genkey tls-crypt tls-crypt.key

So now I can populate my server.conf file using easyrsa3 generated files as
follows:

old server.conf                        found here for new server.conf file
--------------------------------------------------------------------------
ca /etc/openvpn/keys/ca.crt         -> /openvpn/easyrsa3/pki/ca.crt
cert /etc/openvpn/keys/server.crt   -> /openvpn/easyrsa3/pki/issued/JennyVPN.crt
key /etc/openvpn/keys/server.key    -> /openvpn/easyrsa3/pki/private/JennyVPN.key
dh /etc/openvpn/keys/dh2048.pem        ?
tls-auth /etc/openvpn/keys/ta.key 0    ?

Where can I find the two missing files for dh and tls-auth?
Or have I misunderstood the procedure?

TIA

--
Bo Berglund
Developer in Sweden

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
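As an added example (constructed for this page; not code from the thread, from EasyRSA or from OpenVPN), the following Python script does the pre-flight check a practitioner would want before starting the server described above: it parses the file-referencing directives (ca, cert, key, dh, tls-auth, tls-crypt, crl-verify) out of a server.conf, reports every referenced file that is absent, flags a tls-auth line that lacks the server-side key direction 0, flags a config that carries both tls-auth and tls-crypt (OpenVPN documents them as mutually exclusive), and reads the EASYRSA_CA_EXPIRE / EASYRSA_CERT_EXPIRE values from an easyrsa3 vars file to warn when the leaf lifetime exceeds the CA lifetime. The sample server.conf, the sample vars and the "present files" set are constructed from the paths and values in the thread; the file-existence check is injectable so the script runs offline against that set instead of the real disk.

```python
"""Pre-flight check for the key-material lines of an OpenVPN server.conf.

Constructed example: the sample config, vars and file list below are built
from the values discussed in the thread, not read from a real system.
"""
import os
from datetime import date, timedelta

# OpenVPN directives whose first argument is a file on disk.
FILE_DIRECTIVES = ("ca", "cert", "key", "dh", "tls-auth", "tls-crypt", "crl-verify")

# easyrsa3 defaults quoted in the thread.
DEFAULT_CA_EXPIRE_DAYS = 3650
DEFAULT_CERT_EXPIRE_DAYS = 825

# Reference date for the expiry arithmetic (the date of the thread).
THREAD_DATE = date(2023, 10, 6)


def parse_file_directives(conf_text):
    """Map each file-referencing directive to (path, remaining args).

    Lines whose first character is '#' or ';' are comments in OpenVPN configs.
    """
    found = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = line.split()
        if parts[0] in FILE_DIRECTIVES and len(parts) >= 2:
            found[parts[0]] = (parts[1], parts[2:])
    return found


def audit_server_conf(conf_text, exists=os.path.exists):
    """Return a sorted list of findings; an empty list means every check passed.

    `exists` is injectable so the audit can run against a constructed file set.
    """
    findings = []
    directives = parse_file_directives(conf_text)
    for name in ("ca", "cert", "key"):
        if name not in directives:
            findings.append(f"missing required directive: {name}")
    for name, (path, _extra) in directives.items():
        if not exists(path):
            findings.append(f"{name}: file not found: {path}")
    if "tls-auth" in directives and "tls-crypt" in directives:
        findings.append("tls-auth and tls-crypt are mutually exclusive; keep one")
    if "tls-auth" in directives:
        _path, extra = directives["tls-auth"]
        # The server side of a tls-auth pair uses key direction 0, the client 1.
        if extra[:1] not in (["0"], ["1"]):
            findings.append("tls-auth: server side needs key direction 0 (client uses 1)")
    return sorted(findings)


def parse_vars_expiry(vars_text):
    """Read the set_var EASYRSA_*_EXPIRE lines of an easyrsa3 vars file."""
    expiry = {}
    for raw in vars_text.splitlines():
        line = raw.strip()
        if not line.startswith("set_var"):
            continue
        parts = line.split()
        if len(parts) >= 3 and parts[1] in ("EASYRSA_CA_EXPIRE", "EASYRSA_CERT_EXPIRE"):
            expiry[parts[1]] = int(parts[2].strip('"'))
    return expiry


def check_expiry(expiry, today=None):
    """Compute the expiry dates implied by vars and warn when the leaf outlives the CA."""
    today = today or date.today()
    ca_days = expiry.get("EASYRSA_CA_EXPIRE", DEFAULT_CA_EXPIRE_DAYS)
    cert_days = expiry.get("EASYRSA_CERT_EXPIRE", DEFAULT_CERT_EXPIRE_DAYS)
    result = {
        "ca_expires": today + timedelta(days=ca_days),
        "cert_expires": today + timedelta(days=cert_days),
        "warning": None,
    }
    if cert_days > ca_days:
        result["warning"] = ("EASYRSA_CERT_EXPIRE exceeds EASYRSA_CA_EXPIRE: a certificate "
                             "issued today would expire after its CA does")
    return result


# Constructed sample: the thread's mapping, with dh and tls-auth still pointing
# at the old easyrsa2 locations that do not exist on the new machine.
SAMPLE_CONF = """\
# constructed server.conf fragment
ca /openvpn/easyrsa3/pki/ca.crt
cert /openvpn/easyrsa3/pki/issued/JennyVPN.crt
key /openvpn/easyrsa3/pki/private/JennyVPN.key
dh /etc/openvpn/keys/dh2048.pem
tls-auth /etc/openvpn/keys/ta.key 0
"""

# Constructed stand-in for the filesystem: only the easyrsa3 outputs exist.
PRESENT = {
    "/openvpn/easyrsa3/pki/ca.crt",
    "/openvpn/easyrsa3/pki/issued/JennyVPN.crt",
    "/openvpn/easyrsa3/pki/private/JennyVPN.key",
}

# Constructed vars fragment with the values proposed in the thread.
SAMPLE_VARS = """\
set_var EASYRSA_CA_EXPIRE 7300
set_var EASYRSA_CERT_EXPIRE 7200
"""

if __name__ == "__main__":
    for finding in audit_server_conf(SAMPLE_CONF, exists=PRESENT.__contains__):
        print(finding)
    print(check_expiry(parse_vars_expiry(SAMPLE_VARS), THREAD_DATE))
```

Run against the constructed sample it lists the two files the server would fail to open at startup (dh2048.pem and ta.key), which is exactly the gap the message above is asking about; pointing `exists` at `os.path.exists` (the default) runs the same audit against the real system before the first `openvpn --config server.conf`.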