CA certificate expired

Scripts to manage certificates or generate config files

Moderators: TinCanTech

alidos
OpenVpn Newbie
Posts: 1
Joined: Wed Sep 02, 2015 1:59 pm

CA certificate expired

Post by alidos » Wed Sep 02, 2015 2:01 pm

I have a problem with the CA certificate on OpenVPN: it has expired and clients cannot connect. I tried to create a new certificate with the ca.key, but it did not work.

Here is the command I used to create the new certificate: openssl x509 -in ca.crt -days 3650 -out ca_new.crt -signkey ca.key

After that I changed the OpenVPN configuration file to indicate that the new certificate is ca_new.crt.

Here is my config file:

Code:

port 1194 
proto udp 
dev tun 
client-to-client 
ca easy-rsa/keys/ca_new.crt 
cert easy-rsa/keys/server.crt 
key easy-rsa/keys/server.key 
#crl-verify easy-rsa/keys/crl.pem 
dh easy-rsa/keys/dh1024.pem 
server 10.0.0.0 255.255.0.0 
ifconfig-pool-persist ipp.txt 
client-config-dir ccd 
keepalive 10 120 
#tls-auth easy-rsa/keys/ta.key 0 
#cipher DES-EDE3-CBC comp-lzo 
max-clients 16129 
user nobody 
group nobody 
persist-key 
persist-tun 
status status.log 
verb 3 
tun-mtu 1500 
mssfix 1392

When I check the new certificate using this command openssl verify -CAfile ca_new.crt server.crt, I get this message:

Code:

server.crt: /C=FR/ST=Nord/L=Annoeullin/O=CALEO-CTC/CN=server/emailAddress=REDACTED@gmail.com
error 10 at 0 depth lookup:certificate has expired
OK

This is the status.log file:

Code:

OpenVPN CLIENT LIST
Updated,Wed Sep  2 14:38:32 2015
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
UNDEF,193.248.149.52:48211,343,3344,Wed Sep  2 14:38:21 2015
UNDEF,193.50.22.130:33870,341,4712,Wed Sep  2 14:38:16 2015
UNDEF,193.252.209.244:38024,343,7448,Wed Sep  2 14:38:04 2015
UNDEF,82.127.230.103:55210,343,7904,Wed Sep  2 14:38:01 2015
UNDEF,193.50.22.130:54559,341,12920,Wed Sep  2 14:37:35 2015
UNDEF,194.206.44.228:28159,343,4712,Wed Sep  2 14:38:16 2015
UNDEF,92.155.150.105:35158,343,1976,Wed Sep  2 14:38:29 2015
UNDEF,213.30.150.186:50232,343,3800,Wed Sep  2 14:38:21 2015
......................
......................
......................
UNDEF,80.13.217.56:51206,342,5624,Wed Sep  2 14:38:12 2015
UNDEF,194.206.44.228:29930,343,3344,Wed Sep  2 14:38:22 2015
UNDEF,92.155.150.105:45657,343,2888,Wed Sep  2 14:38:23 2015
UNDEF,92.147.131.148:50109,343,9272,Wed Sep  2 14:37:53 2015
UNDEF,109.6.229.178:59124,343,12920,Wed Sep  2 14:37:39 2015
UNDEF,194.206.44.228:32420,343,13376,Wed Sep  2 14:37:34 2015
UNDEF,109.6.229.178:35403,343,2432,Wed Sep  2 14:38:26 2015
UNDEF,82.127.230.103:58576,343,12920,Wed Sep  2 14:37:39 2015
UNDEF,185.39.170.34:20415,343,7904,Wed Sep  2 14:38:02 2015
UNDEF,185.39.170.34:20407,343,11096,Wed Sep  2 14:37:46 2015
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
GLOBAL STATS
Max bcast/mcast queue length,0
END

On the client computers there are 4 files:

Code:

- client.crt
- client.key
- ca.crt
- config.ovpn

How can I further troubleshoot the issue to figure out the problem? What is the problem?

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: CA certificate expired

Post by maikcat » Thu Sep 03, 2015 3:50 pm

If your server.crt is also expired, you need to create a new server crt as well.

Signing a new ca.crt file with the old ca.key is for making your current certs acceptable to your server; if they have expired, you still need to create new certs for them.

Michael.
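
The behaviour described in the reply above can be reproduced offline. This is an added example, not part of the original thread: it builds a throwaway CA, re-signs it with the command from the question, and uses `openssl verify -attime` to check the certificates as of two days later. The names `demo-ca` and `ca.cnf` and the 1-day and 3650-day lifetimes are constructed for the demo.

```shell
#!/bin/sh
# Added example: throwaway PKI built in a temp dir; all names are constructed.
set -eu

issue() {  # $1 = common name, $2 = validity in days; signed by ca.key
    openssl req -new -newkey rsa:2048 -nodes -config ca.cnf -subj "/CN=$1" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null
    openssl x509 -req -in "$1.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days "$2" -out "$1.crt" 2>/dev/null
}

build_pki() {  # run inside an empty directory
    cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = demo-ca
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    # CA and server cert live 1 day; the client cert outlives them.
    openssl req -x509 -newkey rsa:2048 -nodes -config ca.cnf -days 1 \
        -keyout ca.key -out ca.crt 2>/dev/null
    issue server 1
    issue client 3650
    # The renewal command from the question: same key, new validity period.
    openssl x509 -in ca.crt -days 3650 -out ca_new.crt -signkey ca.key 2>/dev/null
}

verdict() {  # $1 = CA file, $2 = certificate, $3 = verification time (epoch)
    # Old OpenSSL prints "error 10 ..." and still ends with OK, so look for
    # the error text instead of trusting the exit status.
    if openssl verify -attime "$3" -CAfile "$1" "$2" 2>&1 | grep -q error; then
        echo FAIL
    else
        echo OK
    fi
}

work=$(mktemp -d); trap 'rm -rf "$work"' EXIT
cd "$work"; build_pki
later=$(( $(date +%s) + 2 * 86400 ))  # two days on: old CA and server cert lapsed
echo "server.crt vs ca_new.crt: $(verdict ca_new.crt server.crt "$later")"
echo "client.crt vs ca_new.crt: $(verdict ca_new.crt client.crt "$later")"
echo "client.crt vs ca.crt:     $(verdict ca.crt client.crt "$later")"
```

The renewed CA accepts the still-valid client certificate but not the expired server certificate, and any peer still holding the old ca.crt rejects both.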
