On Mon, 8 Jan 2024 12:02:53 +0100, Gert Doering <g...@greenie.muc.de> wrote:

>Of course this only makes sense if there's a significant number of users -
>if it's just like "5 users", I'd send everyone a new .ovpn and make sure
>they start using it in a timely fashion ;-)

Regarding extending a server's life
-----------------------------------

OK, in my case there are only a handful of clients so I could presumably do the
following by creating new server crypto files from scratch:

(Note that the files the server uses are not located inside the easyrsa3
hierarchy, they are copied off to a server side "/etc/openvpn/keys" location, so
they will stay put until all is done.)

1) Copy off the existing easy-rsa3 crypto files, certs etc to a backup location.
This is done since I don't know how to otherwise make sure easyrsa3 does not
mess with existing files...

2) Re-create a new set of files using easyrsa3 for a new server instance after
editing the vars file to prolong the life of the new certs etc.
This includes re-creating the client crypto files and ovpn files.
Put the new crypto files for the server into a new parallel directory to the
existing server's keys dir.

3) Shut down the running server and change its config to point to the new keys
dir holding the new crypto files.

4) Re-start the server now using the new crypto files (at this point the old
clients cannot connect).

5) Check that the clients can now connect using the new ovpn files (not yet
distributed).

6A) If they *can* connect then just distribute the new ovpn files to the
eligible clients and tell them to remove the old client connection and create a
new one using the new ovpn files.

6B) If step 5 fails then shut down the server and re-enable the old one by
editing the conf file to point the keys to the old dir again. Restart the server
while figuring out what went wrong....

The operations above require me (I am working on these servers remotely) to
connect to the network using a secondary management VPN channel...

Note that since no change is done in the conf files regarding other settings
than the keys dir it should work the same as earlier.

QUESTION:
---------
Is there some simple command to check the current lifetime of the involved
files?
There are several different types of files involved here (*.crt, *.csr, *.key,
*.pem) and I don't know how each is actually used...


-- 
Bo Berglund
Developer in Sweden
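An added example (not from Bo's mail, nor from the OpenVPN or easy-rsa projects) for the closing question. Only certificates carry a lifetime: a *.crt (or a *.pem holding a certificate) has notBefore/notAfter, while a *.key is a private key and a *.csr a signing request, neither of which expires. The quick one-liner is `openssl x509 -in server.crt -noout -dates`, and `openssl x509 -in server.crt -noout -checkend 2592000` exits non-zero if the cert expires within 30 days; easy-rsa 3 also has `./easyrsa show-cert <name>`, and the lifetimes it issues come from `EASYRSA_CERT_EXPIRE` and `EASYRSA_CA_EXPIRE` in the vars file. The script below does the same check without OpenSSL, using only the Python standard library: it walks just enough of the X.509 DER structure to reach the Validity field. The sample certificate it checks is constructed inline with a tiny DER encoder (unsigned, no key, only for demonstration), and the "now" timestamp is pinned to the date of this thread so the result is reproducible.

```python
"""Report how long OpenVPN certificate files remain valid (stdlib only).

Added example: walks Certificate -> tbsCertificate -> validity in the DER,
so it needs neither OpenSSL nor third-party packages. The sample cert below
is CONSTRUCTED here and is not a real, signed certificate.
"""
import base64
import re
import sys
from datetime import datetime, timezone

# ---- minimal DER helpers -------------------------------------------------

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag, payload):
    """Encode one TLV element (used only to build the constructed sample)."""
    return bytes([tag]) + _der_len(len(payload)) + payload

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the element at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    start = pos + hdr
    return tag, start, start + length

def parse_time(tag, raw):
    s = raw.decode("ascii")
    if tag == 0x17:  # UTCTime YYMMDDHHMMSSZ; RFC 5280: 50-99 -> 19xx, 00-49 -> 20xx
        yy = int(s[:2])
        s = f"{1900 + yy if yy >= 50 else 2000 + yy}{s[2:]}"
    # tag 0x18 (GeneralizedTime) is already YYYYMMDDHHMMSSZ
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def pem_to_der(text):
    """Take the first CERTIFICATE block (in an .ovpn that is usually <ca>)."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", text, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))

def cert_validity(der_bytes):
    """Return (notBefore, notAfter) from Certificate.tbsCertificate.validity."""
    _, tbs_pos, _ = read_tlv(der_bytes, 0)            # Certificate SEQUENCE
    _, pos, _ = read_tlv(der_bytes, tbs_pos)          # TBSCertificate SEQUENCE
    tag, _, end = read_tlv(der_bytes, pos)
    if tag == 0xA0:                                   # optional [0] version
        pos = end
    for _ in range(3):                                # serialNumber, signature, issuer
        _, _, pos = read_tlv(der_bytes, pos)
    tag, vstart, _ = read_tlv(der_bytes, pos)         # Validity SEQUENCE
    if tag != 0x30:
        raise ValueError("unexpected structure, Validity SEQUENCE not found")
    t1, s1, e1 = read_tlv(der_bytes, vstart)
    t2, s2, e2 = read_tlv(der_bytes, e1)
    return parse_time(t1, der_bytes[s1:e1]), parse_time(t2, der_bytes[s2:e2])

def check_pem_text(text, warn_days=30, now=None):
    """Return (notBefore, notAfter, days_left, status) for PEM text."""
    now = now or datetime.now(timezone.utc)
    nb, na = cert_validity(pem_to_der(text))
    left = (na - now).days
    status = "EXPIRED" if left < 0 else "WARN" if left < warn_days else "OK"
    return nb, na, left, status

def check_pem_file(path, warn_days=30, now=None):
    with open(path) as f:
        return check_pem_text(f.read(), warn_days, now)

# ---- constructed sample (NOT a real certificate) --------------------------

def build_sample_cert(not_before, not_after):
    """Unsigned certificate shell carrying only the given validity window."""
    def utc(d):
        return der(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    sha256_rsa = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02"))     # [0] version v3
                  + der(0x02, b"\x01")                # serialNumber 1
                  + sha256_rsa                        # signature algorithm
                  + der(0x30, b"")                    # issuer: empty Name
                  + der(0x30, utc(not_before) + utc(not_after))  # validity
                  + der(0x30, b"")                    # subject: empty Name
                  + der(0x30, b""))                   # SPKI placeholder
    cert = der(0x30, tbs + sha256_rsa + der(0x03, b"\x00"))  # empty BIT STRING signature
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert).decode() + "-----END CERTIFICATE-----\n"

THREAD_DATE = datetime(2024, 1, 8, 12, 0, 0, tzinfo=timezone.utc)  # pinned "now"

if __name__ == "__main__":
    if sys.argv[1:]:  # usage: python check_cert.py /etc/openvpn/keys/*.crt
        for path in sys.argv[1:]:
            nb, na, left, status = check_pem_file(path)
            print(f"{status:7} {left:5d} days  {na:%Y-%m-%d}  {path}")
    else:
        sample = build_sample_cert(datetime(2023, 1, 1, tzinfo=timezone.utc),
                                   datetime(2024, 1, 20, tzinfo=timezone.utc))
        print(check_pem_text(sample, now=THREAD_DATE))
```

Run it against every file in the server's keys directory and the client .crt files; a *.key or *.csr will raise "no CERTIFICATE block found", which is the correct answer for those (they have no lifetime of their own). Because the parser stops at the Validity field it does not verify signatures or chains, so it is a lifetime inventory, not a trust check.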



_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users