Forgot to include the list in my reply. Below are the steps I did to use stacked certificates so as to gradually roll out new certs:

https://alexkaouris.medium.com/openvpn-roll-out-new-certificates-5ddcd1b3a6f3

Thanks to Rui for the tips.

Cheers,
Alex

On Wed, 27 Nov 2024 at 7:13 PM, Rui Santos <rsan...@ruisantos.com> wrote:
> Great to hear that 🙂
>
> Your notes were far better than my text on the mailing list 😞
> Could you probably share those same notes to the list, it may help others?
>
> Cheers,
> Rui
>
> On Wed, 27 Nov 2024, 17:00 Alex K, <rightkickt...@gmail.com> wrote:
>
>> Yes Rui, it worked great. Using stacked CA at both sides provides the flexibility to roll out the certs gradually.
>>
>> Thanks for the pointer. It was really helpful.
>>
>> On Wed, 27 Nov 2024 at 9:52 AM, Rui Santos <rsan...@ruisantos.com> wrote:
>>
>>> Hi Alex,
>>>
>>> Did it work as you expected?
>>>
>>> Regards,
>>> Rui
>>>
>>> On Tue, 26 Nov 2024, 22:55 Alex K, <rightkickt...@gmail.com> wrote:
>>>
>>>> Hi Rui,
>>>>
>>>> Thanks for your reply. I was able to stack both CAs into the same config at server and client side and simulated a certs roll-out. I did the following steps:
>>>>
>>>> - issue new CA and server certificates
>>>> - create a stacked CA (containing the old and the new CA) and load on server and clients.
>>>> - roll-out new client certs
>>>> - eventually decommission old server certs and install new ones.
>>>>
>>>> On Tue, 26 Nov 2024 at 7:41 PM, Rui Santos <rsan...@ruisantos.com> wrote:
>>>>
>>>>> Hi Alex,
>>>>>
>>>>> Both client and server accept certificates from a specific trusted Certificate Authority. If you keep the same CA, then you can just issue new certificates for server and clients, using that same CA.
>>>>>
>>>>> If you have a new CA, you'll need to include both CAs, for both server and clients in advance, on their configuration file. Once it's propagated, you should be able to issue new certificates using the new CA, and they'll be accepted.
>>>>> Once all are running smoothly using the new CA, just remove the old one from the config files :)
>>>>>
>>>>> Hope this helps.
>>>>>
>>>>> Regards,
>>>>> Rui
>>>>>
>>>>>
>>>>> On Tue, Nov 26, 2024 at 5:33 PM Alex K <rightkickt...@gmail.com> wrote:
>>>>> >
>>>>> > Hi all,
>>>>> >
>>>>> > I was wondering how one can tackle the issue of issuing new certificates to clients and the server, which expire at some point, with the minimum downtime. The issue is that it seems I need to go with a big bang approach where the server certificates are replaced with new ones and then have all the clients updated somehow to use the new client certificates. This seems like a headache when one has to manage hundreds of remote clients that might not be accessible out of vpn.
>>>>> >
>>>>> > Is there any alternative approach which can resemble a gradual roll-out? Perhaps through the use of an additional vpn port at server side which uses the new certificates and have clients updated to use the new port and fail back to the previous one in case of issue? Looked also if I could load a stacked certificate at the server and have the same server authenticate both existing client certificates and new ones, but the server was complaining about the certificate.
>>>>> >
>>>>> > Apart from automating this with other tooling such as Ansible or code, is there any other approach or openvpn feature that might help with such kind of migrations? How do you usually tackle this problem?
>>>>> >
>>>>> > Thanks,
>>>>> > Alex
>>>>> > _______________________________________________
>>>>> > Openvpn-users mailing list
>>>>> > Openvpn-users@lists.sourceforge.net
>>>>> > https://lists.sourceforge.net/lists/listinfo/openvpn-users
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Rui Santos
>>>>> Veni, Vidi, Linux
>>>>>
>>>>
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users