New CA but with old CA support

Scripts to manage certificates or generate config files


Deantwo
OpenVpn Newbie
Posts: 8
Joined: Thu Aug 18, 2016 6:52 am

New CA but with old CA support

Post by Deantwo » Tue Sep 06, 2016 6:45 am

I have had a MikroTik router running as OpenVPN server for around 6 years now. But in an attempt to move from one certificate database to another I found out that the CA that was created 6 years ago was not created correctly as it has no key usage set. This means that the CA is in a sense now usable as a CA, which then has gotten me to want to replace the CA with a new CA.

The problem is that I still have over a hundred users that are bound to the old CA, and most of their certificates still last another two years. So I have been trying to figure out the best way to change the CA over to the new one, while still supporting the current users.

Of course it is not made any easier with the fact that the MikroTik implementation of OpenVPN is rather lacking and limited.

So can anyone maybe tell me if it is even possible for OpenVPN to handle multiple CAs at the same time?
Or is there something fundamental about certificates that I have totally misunderstood? Like should I make my new CA signed by the old CA so they are in the same chain? I am not sure how that would work when the old CA then expires.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: New CA but with old CA support

Post by TinCanTech » Tue Sep 06, 2016 9:36 am

Deantwo wrote: if it is even possible for OpenVPN to handle multiple CAs at the same time?
Yes, via stacked certificates:
https://community.openvpn.net/openvpn/w ... ate_Chains
Deantwo wrote: is there something fundamental about certificates that I have totally misunderstood?
There are not many people who understand everything about PKIs, it is a hugely complicated field.
Deantwo wrote: Of course it is not made any easier with the fact that the MikroTik implementation of OpenVPN is rather lacking and limited
You could run a linux server behind the router.

I would create a new PKI from scratch, test it for all your specific needs and then roll it out as a permanent replacement for your old PKI.
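An added example (shell with the openssl CLI; not from this thread or the OpenVPN project) of what the stacked CA file above amounts to: the old and new CA certificates are concatenated into one PEM, so a client certificate issued by either CA verifies against it, while a certificate issued by the old CA fails against the new CA alone. It also checks the extensions a certificate needs to act as a CA, since a missing key usage is what started this thread. The CA and client names, config sections and file names are my own assumptions; everything is generated in a temporary directory.

```shell
set -eu
WORK=$(mktemp -d)
cd "$WORK"
# Minimal openssl config: a correct CA profile, a profile modelled on the
# thread's old CA (CA:TRUE but no key usage), and a client-cert profile.
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca_ok]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_ca_nokeyusage]
basicConstraints = critical, CA:TRUE
[v3_client]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
EOF
make_ca() {  # $1 = CA name, $2 = extension section to apply
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config ca.cnf -extensions "$2" -subj "/CN=$1" \
        -keyout "$1.key" -out "$1.crt" 2>/dev/null
}
make_client() {  # $1 = issuing CA name, $2 = client name
    openssl req -new -newkey rsa:2048 -nodes -config ca.cnf \
        -subj "/CN=$2" -keyout "$2.key" -out "$2.csr" 2>/dev/null
    openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" \
        -CAcreateserial -days 365 -sha256 -extfile ca.cnf \
        -extensions v3_client -out "$2.crt" 2>/dev/null
}
# Exit 0 only if the certificate is fit to act as a CA: CA:TRUE plus a
# key usage that allows signing certificates.
ca_fit_for_signing() {
    txt=$(openssl x509 -in "$1" -noout -text)
    echo "$txt" | grep -q 'CA:TRUE' && echo "$txt" | grep -q 'Certificate Sign'
}
# Exit 0 if the certificate chains to any CA in the given file.
verifies_against() {  # $1 = CA file (single CA or stacked bundle), $2 = cert
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}
make_ca old-ca v3_ca_nokeyusage   # stands in for the 6-year-old CA
make_ca new-ca v3_ca_ok           # the replacement CA
make_client old-ca alice          # existing user, still issued by old-ca
make_client new-ca bob            # user enrolled under new-ca
cat old-ca.crt new-ca.crt > ca-bundle.pem   # the "stacked" CA file
for c in alice bob; do   # show why the old CA must stay in the trust file
    verifies_against new-ca.crt "$c.crt" && echo "$c: ok vs new-ca.crt" || echo "$c: fails vs new-ca.crt"
    verifies_against ca-bundle.pem "$c.crt" && echo "$c: ok vs ca-bundle.pem" || echo "$c: fails vs ca-bundle.pem"
done
```

For an OpenVPN server the bundle is what goes in the `ca` file; whether a given device can import such a bundle as one trust anchor set is a separate question.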

Deantwo
OpenVpn Newbie
Posts: 8
Joined: Thu Aug 18, 2016 6:52 am

Re: New CA but with old CA support

Post by Deantwo » Tue Sep 06, 2016 1:11 pm

TinCanTech wrote:
Deantwo wrote: is there something fundamental about certificates that I have totally misunderstood?
There are not many people who understand everything about PKIs, it is a hugely complicated field.
Makes me feel a little better, thanks. ^^;
TinCanTech wrote:
Deantwo wrote: if it is even possible for OpenVPN to handle multiple CAs at the same time?
Yes, via stacked certificates:
https://community.openvpn.net/openvpn/w ... ate_Chains
That is interesting, thanks!

Sadly MikroTik does not support the use of stacked certificates like this, since the certificate has to be imported into the router's certificate store, which then separates them.
Would it be possible to do it with a certificate chain? I mean if the new certificate is signed by the old CA?
From what I understand from that page you linked, I will likely hit the same issue?
TinCanTech wrote:
Deantwo wrote: Of course it is not made any easier with the fact that the MikroTik implementation of OpenVPN is rather lacking and limited
You could run a linux server behind the router.
Yeah, have been considering finding some OpenVPN server software and setting up an actual server.
TinCanTech wrote: I would create a new PKI from scratch, test it for all your specific needs and then roll it out as a permanent replacement for your old PKI.
But creating it from scratch would make me have to replace ALL the certificates and configurations of existing users. I am not saying I wouldn't love to correct the error in one huge undertaking, but it simply isn't possible.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: New CA but with old CA support

Post by TinCanTech » Tue Sep 06, 2016 8:41 pm

As a test solution, run a Linux VM and use git-master/openvpn on your server .. I think it will take you less than a week to realise the benefits.
