------- Original Message -------
On Saturday, October 7th, 2023 at 07:20, Bo Berglund <bo.bergl...@gmail.com> wrote:

> On Fri, 06 Oct 2023 20:59:48 +0000, tincantech via Openvpn-users
> openvpn-users@lists.sourceforge.net wrote:
>
> > On Friday, October 6th, 2023 at 21:17, Bo Berglund bo.bergl...@gmail.com
> > wrote:
> >
> > > In easyrsa2 one could enter a longer expiration than 3650 days by editing
> > > the vars file and changing these entries
> > >
> > > export CA_EXPIRE=3650
> > > export KEY_EXPIRE=3650
> > >
> > > to a different value like 7300 (20 years).
> > >
> > > How is it done correctly using easyrsa3?
> > >
> > > Like this?
> > >
> > > - rename vars.example to vars
> > > - Activate lines and values:
> > >   set_var EASYRSA_CA_EXPIRE 7300
> > >   set_var EASYRSA_CERT_EXPIRE 7200
> >
> > That will also set standard certificate expiry to 7200 days.
> >
> > For the CA only, you could use `easyrsa --days=7300 build-ca`
> >
> > Option --days can be used by any command that requires an expiration date.
>
> It turned out that when I ran the initial
>
> easyrsa init-pki
>
> it complained about me having modified vars.example and created a vars file...
> So I reverted those changes and ran the command again.
> This produced a pki dir where there was a vars file, which seems to be the one I
> can edit to change the expiration.
> I did not want to run init-pki until I had changed the expiration since I did
> not know what could be changed afterwards...
>
> Now OK after editing the vars file there.
>
> > > I have noted that these two have defaults of 3650 and 825 days respectively,
> > > what is the reason for that and will my suggested expirations above not
> > > work?
> >
> > They apply to different certificates, as shown above.
>
> Yes, I understand that but I wondered why there was such a big difference in
> expiration in the default for these two...

Generally accepted standards.
Note: The next release of Easy-RSA will not complain about the location of the vars file. Until then, you can simply ignore the message.

> Additional question:
> --------------------
> This is the first device on which I install OpenVPN using easyrsa3.
> Earlier some months ago I migrated from easyrsa2 to easyrsa3 on existing
> servers. And that was successful with your help after fixing some problems with
> the migration function.
> I wrote a client creation script that runs the full process of generating the
> client OVPN file and it works just fine.
>
> Now I am trying to set up a new server for my daughter and I have run into a
> problem of understanding again....
>
> My server.conf files contain references to cryptography like shown below and I
> have found the easyrsa3 locations for the new server after running these
> creation commands from earlier discussions:
>
> easyrsa --nopass build-ca (enter the CN JennyVPN when asked)
> easyrsa --nopass build-server-full JennyVPN
> openvpn --genkey tls-crypt tls-crypt.key

<snip>

> dh /etc/openvpn/keys/dh2048.pem ?
> tls-auth /etc/openvpn/keys/ta.key 0 ?
>
> Where can I find the two missing files for dh and tls-auth?
> Or have I misunderstood the procedure?

And --tls-crypt ...

As for *your* procedure, I recommend you review your apparent use of --tls-auth versus --tls-crypt. Probably, check out the OpenVPN manual.

Use of these two keys is mutually exclusive.
DH param file: `easyrsa gen-dh`

regards

> TIA
>
> --
> Bo Berglund
> Developer in Sweden
>
> _______________________________________________
> Openvpn-users mailing list
> Openvpn-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openvpn-users
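A small pre-flight check that follows from the two points made in this reply (tls-auth and tls-crypt are mutually exclusive; the dh file and the TLS key file are produced by separate commands). It is an added example, not part of the thread and not Easy-RSA or OpenVPN code: it reads a server.conf, flags the case where both tls-auth and tls-crypt are configured, and lists referenced key-material files that do not exist on disk, printing as a hint the command from this thread that generates each. The sample config and the empty placeholder key files created by `demo` are constructed; the `openvpn --genkey tls-auth <file>` hint is the OpenVPN 2.5+ `--genkey` form and is assumed to match the installed version.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check the key material an
# OpenVPN server.conf refers to, before trying to start the server.

# gen_hint DIRECTIVE: the command, taken from this thread, that produces the
# file the directive expects. The tls-auth form assumes OpenVPN 2.5+ syntax.
gen_hint() {
    case "$1" in
        ca)        echo "easyrsa build-ca" ;;
        cert|key)  echo "easyrsa build-server-full <name>" ;;
        dh)        echo "easyrsa gen-dh" ;;
        tls-crypt) echo "openvpn --genkey tls-crypt <file>" ;;
        tls-auth)  echo "openvpn --genkey tls-auth <file>" ;;
        *)         echo "unknown directive" ;;
    esac
}

# check_ovpn_conf CONF: print one line per finding and return the number of
# findings; 0 means nothing referenced is missing or conflicting.
check_ovpn_conf() {
    conf="$1"
    findings=0
    # tls-auth and tls-crypt are mutually exclusive; having both is a config error.
    if grep -q '^tls-auth[[:space:]]' "$conf" && grep -q '^tls-crypt[[:space:]]' "$conf"; then
        echo "CONFLICT: both tls-auth and tls-crypt are set; keep exactly one"
        findings=$((findings + 1))
    fi
    # For each file-taking directive the second field is the path (the trailing
    # key-direction argument of tls-auth is ignored here).
    for directive in ca cert key dh tls-auth tls-crypt; do
        path=$(awk -v d="$directive" '$1 == d { print $2; exit }' "$conf")
        [ -n "$path" ] || continue
        if [ ! -f "$path" ]; then
            echo "MISSING: $directive $path  (generate with: $(gen_hint "$directive"))"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# demo: constructed server.conf in a temp dir mirroring the question above:
# CA, server cert/key and tls-crypt key exist, dh2048.pem and ta.key do not,
# and both tls-auth and tls-crypt are configured. Returns the finding count (3).
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/keys"
    for f in ca.crt JennyVPN.crt JennyVPN.key tls-crypt.key; do
        : > "$tmp/keys/$f"   # constructed empty placeholders, not real key material
    done
    cat > "$tmp/server.conf" <<EOF
ca $tmp/keys/ca.crt
cert $tmp/keys/JennyVPN.crt
key $tmp/keys/JennyVPN.key
dh $tmp/keys/dh2048.pem
tls-auth $tmp/keys/ta.key 0
tls-crypt $tmp/keys/tls-crypt.key
EOF
    n=0
    check_ovpn_conf "$tmp/server.conf" || n=$?
    rm -rf "$tmp"
    return "$n"
}

# Usage: sh check_ovpn_conf.sh /etc/openvpn/server.conf
# With no argument the constructed demo config is checked instead.
n=0
if [ -n "$1" ]; then
    check_ovpn_conf "$1" || n=$?
else
    demo || n=$?
fi
echo "$n finding(s)"
```

Run against the real server.conf the output names exactly which of `dh` and `tls-auth` (or `tls-crypt`) still lacks a file, and the conflict line appears whenever both TLS-key directives survived copying from an older config.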