On 07/01/2024 21:20, Bo Berglund wrote: [...snip...]
> If you have a couple of OpenVPN servers operating off of certs and keys generated back in 2014 (like I have), then these are probably set to expire this year 2024 because I think that the easyrsa I used back then sets a 10 year life of these. What is the proper procedure to refresh these so the servers will continue to operate into the future?
The CA certificate can be renewed. That means the CA certificate will be updated, but keys already signed with that CA will still validate against it (because the public/private keys remain the same). A certificate is basically just some metadata (Subject, Issuer, date ranges of validity, etc.) attached to a public key and a signature. A CA certificate is no different, except root CAs are self-signed.

So renewing an existing certificate just updates the expiry date fields in the metadata section of the certificate and attaches a new signature to it.
> I assume there are things that need to be done on the server side, right?
That is correct. But the client side needs to be updated as well. "Everyone" needs the new CA certificate to be able to properly validate the remote end.

Also beware that client and server certificates typically are not valid longer than the CA. And that's why it's not uncommon to just start fresh with a completely new EasyRSA PKI setup, as there will be lots of work anyhow when the CA expires.
As general recommendations with EasyRSA based setups, I would suggest:

* Use an EasyRSA CA for one specific use case; like a single OpenVPN server or a pool of collaborating OpenVPN servers. If you have a different use case in addition, use a separate EasyRSA setup for that.

* Make the CA expire after the total expected lifetime of your servers. At some point you will upgrade the servers with a fresher setup, so plan the EasyRSA CA to have approximately the same lifetime (or slightly longer). Or choose 20 years (or your expected retirement date) as the CA lifetime ;-)

* If you deploy OpenVPN in a more enterprise oriented environment, look at what kind of CA management that environment provides you and use that instead of EasyRSA. For example, FreeIPA provides infrastructure to be a CA with even automatically renewing server certificates for OpenVPN. Such environments will most likely have everything set up to ensure certificates are up-to-date and valid for the lifetime of that setup. With such a setup, the most painful part will be to distribute new client configurations with new CA certificates only to hosts/users not enrolled into the centralized CA infrastructure. Clients and servers enrolled into such a centralized CA infrastructure will get the CA certificates updated automatically as well.

-- 
kind regards,

David Sommerseth
OpenVPN Inc

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
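As an added illustration of the renewal point made in the reply above (this is not code from the thread, from EasyRSA or from OpenVPN): the script below uses plain openssl, which EasyRSA wraps, to create a short-lived CA, sign a server certificate that outlives it, renew the CA with the same private key, and then check the chain at a point in time after the old CA has expired. The subject names, lifetimes and the temporary working directory are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread: uses plain openssl (which
# EasyRSA wraps) to show that renewing a CA certificate with the SAME key keeps
# already-signed certificates valid, and that a leaf cert is useless once its CA
# has expired. Names, lifetimes and paths are constructed for the demo.
set -e

demo_ca_renewal() {
  work=$(mktemp -d)
  # Minimal request config so the demo does not depend on the system openssl.cnf.
  cat > "$work/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[ dn ]
CN = Demo OpenVPN CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  # 1. Original CA: a one-day validity stands in for the ten-year 2014 CA.
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$work/ca.key" \
    -out "$work/ca-old.crt" -config "$work/ca.cnf" -days 1 2>/dev/null
  # 2. Server certificate signed by that CA, deliberately valid longer than the CA.
  openssl req -new -newkey rsa:2048 -nodes -keyout "$work/server.key" \
    -out "$work/server.csr" -config "$work/ca.cnf" -subj "/CN=vpn.example.invalid" 2>/dev/null
  openssl x509 -req -in "$work/server.csr" -CA "$work/ca-old.crt" -CAkey "$work/ca.key" \
    -CAcreateserial -out "$work/server.crt" -days 30 2>/dev/null
  # 3. Renew the CA: same private key and subject, new validity window and signature.
  openssl req -x509 -new -key "$work/ca.key" -out "$work/ca-new.crt" \
    -config "$work/ca.cnf" -days 3650 2>/dev/null
  # The renewed certificate carries exactly the same public key as the old one.
  [ "$(openssl x509 -in "$work/ca-old.crt" -pubkey -noout)" = \
    "$(openssl x509 -in "$work/ca-new.crt" -pubkey -noout)" ] || return 1
  echo "old CA $(openssl x509 -in "$work/ca-old.crt" -enddate -noout)"
  echo "new CA $(openssl x509 -in "$work/ca-new.crt" -enddate -noout)"
  # Evaluate the chain two days from now: the old CA has expired, the renewed one has not.
  later=$(( $(date +%s) + 2 * 86400 ))
  if openssl verify -attime "$later" -CAfile "$work/ca-old.crt" "$work/server.crt" >/dev/null 2>&1; then
    echo "unexpected: server cert validated against an expired CA"; return 1
  fi
  openssl verify -attime "$later" -CAfile "$work/ca-new.crt" "$work/server.crt" >/dev/null || return 1
  rm -rf "$work"
  echo "RESULT: ok"
}
demo_ca_renewal
```

The server certificate was never re-issued, yet it validates against the renewed CA and fails against the expired one; in a real deployment the renewed CA certificate is what has to reach every client and server.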