Hi all,
I know it's the same old story. We installed the OpenVPN community version on a server ten years ago.
Now, after years of honorable career, we've grown from ten certificates to thousands, with hundreds of them connected simultaneously.
Within one month both the ca.crt and the server.crt will expire. I've already generated a new ca.crt based on the old one, so the old certificates generated during these years will not all expire together.
I've also generated a new server.crt, without any problems.
But we still have a big problem: we must distribute the new CA.CRT to all client configurations.
I'm wondering if:
- there is a way to distribute this file using the OpenVPN server push command or by executing something like "echo NEWCACRTCONTENT > ca.crt"
- there is a way to distribute a new .ovpn file without needing a local client ca.crt file
I know that, maybe, these ideas are totally insane.
But I need some of you expert guys to confirm that for me!
Thank you for your time and, possibly, a reply!
Way to distribute new ca.crt
Moderators: TinCanTech
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: Way to distribute new ca.crt
Sorry .. Openvpn Community Edition does not offer any of the functionality you want.
- OpenVpn Newbie
- Posts: 3
- Joined: Tue Oct 11, 2016 2:16 pm
Re: Way to distribute new ca.crt
TinCanTech thank you!
I suspected this, and you confirmed it for me.
I will look for some other way, like a .bat that downloads and replaces the file.
Thanks for the reply
Luca
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: Way to distribute new ca.crt
Beware: If you use a client side --up copyfile.bat this will not work either because the tunnel will not pass any data until all scripting has completed .. This is a security measure.
For me, the simplest way to distribute a new PKI was to start completely from scratch then use in-line cert/keys etc in single client files, distributed via HTTPS. But I have less than 100 clients so it was not so daunting as the thousands you have.
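An added example (not TinCanTech's or the OpenVPN project's code): a Python helper that builds the single-file client profile described above, dropping the `ca`/`cert`/`key`/`tls-auth` file references from an existing .ovpn and embedding the new CA, client certificate, key and tls-auth key inline, so no separate ca.crt has to land on the client. The server name and the PEM blobs are constructed placeholders.

```python
# Added example (not from the thread): assemble a single-file OpenVPN client
# profile with the CA, client cert/key and tls-auth key embedded inline, so the
# client needs no separate ca.crt on disk. Sample PEM blobs are constructed.

FILE_DIRECTIVES = {"ca", "cert", "key", "tls-auth", "tls-crypt"}

def _pem_ok(pem, label):
    """Cheap sanity check: the blob has matching BEGIN/END lines for `label`."""
    lines = pem.strip().splitlines()
    return (len(lines) >= 3 and lines[0] == f"-----BEGIN {label}-----"
            and lines[-1] == f"-----END {label}-----")

def build_inline_profile(base_config, ca_pem, cert_pem, key_pem, tls_auth_pem=None):
    """Return the profile text: base directives minus any file references,
    followed by <ca>/<cert>/<key>/<tls-auth> inline blocks."""
    if not _pem_ok(ca_pem, "CERTIFICATE"):
        raise ValueError("ca_pem is not a PEM certificate")
    if not _pem_ok(cert_pem, "CERTIFICATE"):
        raise ValueError("cert_pem is not a PEM certificate")
    out = []
    for line in base_config.splitlines():
        word = line.split()[0] if line.split() else ""
        if word in FILE_DIRECTIVES or word == "key-direction":
            continue  # dropped: the inline blocks below replace them
        out.append(line)
    if tls_auth_pem is not None:
        # An inline tls-auth block cannot carry the direction argument, so it
        # is given as a separate key-direction directive (1 on the client side).
        out.append("key-direction 1")
    blocks = [("ca", ca_pem), ("cert", cert_pem), ("key", key_pem)]
    if tls_auth_pem is not None:
        blocks.append(("tls-auth", tls_auth_pem))
    for tag, body in blocks:
        out += [f"<{tag}>", body.strip(), f"</{tag}>"]
    return "\n".join(out) + "\n"

def references_external_files(profile_text):
    """True if any directive still points at a file on the client's disk."""
    return any(l.split()[0] in FILE_DIRECTIVES
               for l in profile_text.splitlines() if l.split())

# Constructed sample input; a real deployment uses the PEM files the CA issued.
BASE = ("client\ndev tun\nremote vpn.example.invalid 1194\n"
        "ca ca.crt\ncert client.crt\nkey client.key\ntls-auth ta.key 1\n")
CA = "-----BEGIN CERTIFICATE-----\nMIIB...new-ca...\n-----END CERTIFICATE-----\n"
CERT = "-----BEGIN CERTIFICATE-----\nMIIB...client...\n-----END CERTIFICATE-----\n"
KEY = "-----BEGIN PRIVATE KEY-----\nMIIE...client...\n-----END PRIVATE KEY-----\n"
TA = "-----BEGIN OpenVPN Static key V1-----\n0123abcd\n-----END OpenVPN Static key V1-----\n"

if __name__ == "__main__":
    print(build_inline_profile(BASE, CA, CERT, KEY, TA))
```

The resulting text is the one file to serve over HTTPS; a client that loads it never reads ca.crt from disk, which is why the CA rollover needs no file copy on the endpoint.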