Hi all, I was wondering how one can tackle the issue of issuing new certificates to clients and the server, which expire at some point, with minimum downtime. The issue is that it seems I need to go with a big-bang approach where the server certificates are replaced with new ones and then all the clients are somehow updated to use the new client certificates. This seems like a headache when one has to manage hundreds of remote clients that might not be accessible outside the VPN.
Is there any alternative approach which can resemble a gradual roll-out? Perhaps through the use of an additional VPN port on the server side which uses the new certificates, and having clients updated to use the new port and fail back to the previous one in case of issues? I also looked at whether I could load a stacked certificate at the server and have the same server authenticate both existing client certificates and new ones, but the server was complaining about the certificate. Apart from automating this with other tooling such as Ansible or code, is there any other approach or OpenVPN feature that might help with such migrations? How do you usually tackle this problem? Thanks, Alex
_______________________________________________ Openvpn-users mailing list Openvpn-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-users
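One gradual-rollout pattern for the situation described in the post is to run the server with a CA bundle that trusts both the old and the new CA for the transition window: OpenVPN's `--ca` option accepts a PEM file containing more than one CA certificate, so clients re-issued under the new CA can connect alongside clients still holding old-CA certificates, and the old CA is dropped from the bundle only once every client has been migrated. The shell example below is added here for illustration and is not code from the post or from the OpenVPN project; it assumes the `openssl` CLI is available, constructs throwaway CAs and client certificates in a temporary directory, and checks which certificates each trust file accepts.

```shell
#!/bin/sh
# Added example, not code from the mailing-list post: stage a gradual
# client-certificate rotation by letting the server trust two CAs at once.
# OpenVPN's --ca option accepts a PEM file holding more than one CA
# certificate, so a bundle of old CA + new CA lets existing and re-issued
# clients connect during the transition. Assumes the openssl CLI is in PATH;
# every key and certificate below is constructed on the fly in a temp dir.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# make_ca NAME : self-signed CA cert + key (constructed for the demo; the
# default openssl.cnf v3_ca section, or OpenSSL 3 defaults, mark it CA:TRUE)
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# issue_cert CA NAME : leaf certificate for NAME signed by CA
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" \
        -CAkey "$WORK/$1.key" -CAcreateserial -days 365 \
        -out "$WORK/$2.crt" 2>/dev/null
}

# build_bundle OUT CA.crt... : concatenate CA PEMs into the file given to --ca
build_bundle() {
    out="$1"; shift
    cat "$@" > "$out"
}

# count_cas BUNDLE : number of certificates in a bundle (sanity check)
count_cas() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# verify_against TRUSTFILE CERT : success iff CERT chains to a CA in TRUSTFILE
verify_against() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Phase 1: server trusts old CA only (today).
# Phase 2: server trusts old+new bundle while clients are re-issued.
# Phase 3: old CA removed from the bundle; only new-CA certificates work.
make_ca old-ca
make_ca new-ca
issue_cert old-ca client-old
issue_cert new-ca client-new
build_bundle "$WORK/ca-transition.pem" "$WORK/old-ca.crt" "$WORK/new-ca.crt"

for c in client-old client-new; do
    if verify_against "$WORK/ca-transition.pem" "$WORK/$c.crt"; then
        echo "phase 2 bundle accepts $c"
    else
        echo "phase 2 bundle rejects $c"
    fi
    if verify_against "$WORK/new-ca.crt" "$WORK/$c.crt"; then
        echo "phase 3 (new CA only) accepts $c"
    else
        echo "phase 3 (new CA only) rejects $c"
    fi
done
echo "bundle: $WORK/ca-transition.pem ($(count_cas "$WORK/ca-transition.pem") CAs)"
```

The same bundle serves on the client side: ship the old+new `ca` file to clients before the server certificate is re-issued under the new CA, so a client that connects either before or after the server swap still validates the server. Keep track of which CA each connected client's certificate chains to (the server's status log or a `--tls-verify` script can record it) so that the old CA is only removed once no client still depends on it.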