On Monday, January 8th, 2024 at 2:55 PM, Jochen Bern <jochen.b...@binect.de> wrote:

> On 08.01.24 07:19, Peter Davis wrote:
>
> > On Sunday, January 7th, 2024 at 10:52 PM, Jochen Bern jochen.b...@binect.de wrote:
> >
> > > On 07.01.24 06:50, Peter Davis via Openvpn-users wrote:
> > >
> > > > Now if I ignore the warning message above, what is the risk?
> > >
> > > Then you'll lose the content of those files that only the CA needs,
> > > and thus the ability to continue operating that (first) CA, in particular:
> > > -- You'll be unable to create a CRL, whether it is to actually revoke a
> > > cert or just to replace an expiring one.
> > > -- When the (first) server cert expires, you'll be unable to have a new
> > > one created by the same CA, thus requiring a config change on every
> > > client - wherever and in whosever hands it is - before it'll be able
> > > to connect to the VPN again.
> >
> > Hi,
> > Thanks again.
> > So:
> > 1- What's the solution?
>
> ... is your work environment so diverse that every colleague has an ID
> card / a passport issued by a different nation? Trusted Third Parties
> - and that's exactly what a CA is - tend to be trusted to issue
> several proofs of identity.
>
> > 2- What do I need to do to build new servers using Easy-RSA?
>
> You need to do some steps LESS than your "set up EVERYTHING from
> scratch" how-to lists. (And as far as I can tell without running a test
> myself, the command that gives you the warning is not the only one you
> need to omit.)
>
> > 3- What files do I need to copy from Easy-RSA so that I can safely delete
> > the Easy-RSA directory?
>
> Assuming that there is some obscure reason why you'd want to do that
> in the first place, may I suggest that you use subdirectories, rather
> than a "photocopy, then shred original" approach ...
>
> Kind regards,
> --
> Jochen Bern
> Systems Engineer
>
> Binect GmbH
> _______________________________________________
> Openvpn-users mailing list
> Openvpn-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openvpn-users

Hi,

1- What tool do you use to generate server and client keys?

2- Assume that the keys have expired. Do I have to generate a new key again or can I renew the previous keys that I have copied in the server and client directory?

I still don't quite understand why I shouldn't delete the Easy-RSA directory after generating the keys!
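
The point quoted above about replacing an expiring server cert, as an added example that is not part of the original thread and is not Easy-RSA's own code: it uses plain `openssl` in place of Easy-RSA, and every name and path in it (`demo-ca`, `vpn-server`, the temporary directory) is constructed. It checks which server certificates a client that only holds the first CA's `ca.crt` would still accept.

```shell
#!/bin/sh
# Constructed demo: every name and path below is made up for illustration.
set -eu

make_ca() {            # $1 = directory that will hold the CA key and certificate
  mkdir -p "$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=demo-ca" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

issue_server_cert() {  # $1 = CA directory, $2 = output file prefix
  openssl req -newkey rsa:2048 -nodes -subj "/CN=vpn-server" \
    -keyout "$2.key" -out "$2.csr" 2>/dev/null
  openssl x509 -req -in "$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 365 -out "$2.crt" 2>/dev/null
}

client_accepts() {     # $1 = ca.crt installed on the client, $2 = server cert
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo yes; else echo no; fi
}

demo() {
  work=$(mktemp -d)
  make_ca "$work/ca1"
  cp "$work/ca1/ca.crt" "$work/client-ca.crt"     # the only CA file clients hold
  issue_server_cert "$work/ca1" "$work/server-original"

  # CA directory kept: a replacement server cert comes from the same CA.
  issue_server_cert "$work/ca1" "$work/server-renewed"

  # CA directory deleted: ca.key is gone, so a second CA has to be built.
  rm -rf "$work/ca1"
  make_ca "$work/ca2"
  issue_server_cert "$work/ca2" "$work/server-newca"

  result="original=$(client_accepts "$work/client-ca.crt" "$work/server-original.crt")"
  result="$result renewed=$(client_accepts "$work/client-ca.crt" "$work/server-renewed.crt")"
  result="$result new-ca=$(client_accepts "$work/client-ca.crt" "$work/server-newca.crt")"
  rm -rf "$work"
  echo "$result"
}

demo
```

The `new-ca` certificate is rejected even though the second CA reuses the same subject name, because the client checks the signature against the first CA's public key.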