On 04.10.23 22:44, mike tancsa wrote:
this fails with just the old-ca.crt
% openssl verify -show_chain -CAfile old-ca.crt -untrusted int.crt sentex-remote-only.crt
CN = sentex-remote-only
error 20 at 0 depth lookup: unable to get local issuer certificate
error sentex-remote-only.crt: verificat
On 10/3/2023 6:15 PM, Selva Nair wrote:
With that order the key won't match the certificate and the server
should not even start. Looks like your cross-signed certificate has
the server's public key -- it should have the new CA's public key
signed by the old CA. What error do you get on old cl
Hi,
> think I am getting closer with the "one step" process with an
> intermediary cert. I am able to start up the server with both the new CA
> signed server cert and the intermediary as outlined in "Step 3" above.
> However, it's like the server is not sending two server certs to the
> connectin
Hi,
On Tue, Oct 03, 2023 at 12:47:31PM -0400, mike tancsa wrote:
> Thanks, that's a good question about the clients, at some point I plan to do
> a survey to see what exactly is out in the field!
Have a look at your server logs... with (at least) verb 3, you can
see all the details in form of IV_
On 10/2/2023 3:59 PM, Selva Nair wrote:
On Mon, Oct 2, 2023 at 3:00 PM mike tancsa wrote:
I am in a position where I want to start migrating users away from my
old CA which will expire in the medium term future to a new CA. I have
many endpoints and can't just "OK, everyone do
On 10/2/2023 4:42 PM, Jochen Bern wrote:
On 02.10.23 22:21, mike tancsa wrote:
If I have to go for option A (Stacked CAs on all
clients, stacked CAs on the server then update the server), is there
a downside with leaving an expired CA cert on all the clients? Or
can they just be left there un
>
> Thanks Selva for the link! Two rounds will be a bit laborious as there
> are many endpoints. If I have to go for option A (Stacked CAs on all
> clients, stacked CAs on the server then update the server), is there a
> downside with leaving an expired CA cert on all the clients? Or can they
>
On 02.10.23 22:21, mike tancsa wrote:
If I have to go for option A (Stacked CAs on all
clients, stacked CAs on the server then update the server), is there a
downside with leaving an expired CA cert on all the clients? Or can
they just be left there until the devices get re-imaged over time?
On 10/2/2023 3:59 PM, Selva Nair wrote:
If you can afford two rounds of client config updates, this could be
done without step 3 -- see the following thread from users list:
https://www.mail-archive.com/openvpn-users@lists.sourceforge.net/msg05983.html
Essentially, update to the stacked
On Mon, Oct 2, 2023 at 3:00 PM mike tancsa wrote:
> I am in a position where I want to start migrating users away from my
> old CA which will expire in the medium term future to a new CA. I have
> many endpoints and can't just "OK, everyone download new files now."
> So I am looking at the step
10 matches