Way to distribute new ca.crt

Scripts to manage certificates or generate config files


nerone
OpenVpn Newbie
Posts: 3
Joined: Tue Oct 11, 2016 2:16 pm

Way to distribute new ca.crt

Post by nerone » Tue Oct 11, 2016 2:51 pm

Hi all,
I know it's the same old story. We installed the OpenVPN community version on a server ten years ago.
Now, after years of honorable career, we've grown from ten certificates to thousands, and hundreds of them connected simultaneously.
Within one month both the ca.crt and the server.crt will expire. I've already generated a new ca.crt based on the old one, so the old certificates generated during these years will not expire all together.
I've also generated a new server.crt, without any problems.
But we still have a big problem: we must distribute the new CA.CRT to all clients configurations.
I'm wondering if:
- there is a way to distribute this file using the OpenVPN server push command or executing something like "echo NEWCACRTCONTENT > ca.crt"
- there is a way to distribute a new .ovpn file without the need for a local client ca.crt file

I know that, maybe, these ideas are totally insane.
But I need some of you expert guys to confirm that for me! :D

Thank you for your time and, possibly, a reply! ;)

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Way to distribute new ca.crt

Post by TinCanTech » Tue Oct 11, 2016 5:57 pm

Sorry .. Openvpn Community Edition does not offer any of the functionality you want.

nerone
OpenVpn Newbie
Posts: 3
Joined: Tue Oct 11, 2016 2:16 pm

Re: Way to distribute new ca.crt

Post by nerone » Wed Oct 12, 2016 8:54 am

TinCanTech thank you!
I suspected this, and you confirmed it.

I will look for some other way! Like a .bat that downloads and replaces the file.
Thanks for the reply

Luca

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Way to distribute new ca.crt

Post by TinCanTech » Wed Oct 12, 2016 10:57 am

Beware: If you use a client side --up copyfile.bat this will not work either because the tunnel will not pass any data until all scripting has completed .. This is a security measure.

For me, the simplest way to distribute a new PKI was to start completely from scratch then use in-line cert/keys etc in single client files, distributed via HTTPS. But I have less than 100 clients so it was not so daunting as the thousands you have.
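The single client file with in-line cert/keys that TinCanTech describes can be generated from an existing file-based config. The script below is an added example, not code from this thread or from the OpenVPN project; it assumes OpenVPN's `<ca>`, `<cert>` and `<key>` inline block syntax, the PEM contents are constructed placeholders, and carrying both the old and the new CA in the `<ca>` block during the rotation is an assumption beyond the post (it lets clients trust a server signed by either CA until every client has the new profile).

```python
import re

# Constructed sample inputs (not from the forum post): a minimal client
# config that references external files, plus placeholder PEM blobs.
BASE_CONFIG = """client
dev tun
proto udp
remote vpn.example.com 1194
ca ca.crt
cert client1.crt
key client1.key
remote-cert-tls server
verb 3
"""
NEW_CA_PEM = "-----BEGIN CERTIFICATE-----\nNEWCAPLACEHOLDER\n-----END CERTIFICATE-----\n"
OLD_CA_PEM = "-----BEGIN CERTIFICATE-----\nOLDCAPLACEHOLDER\n-----END CERTIFICATE-----\n"
CLIENT_CERT_PEM = "-----BEGIN CERTIFICATE-----\nCLIENT1PLACEHOLDER\n-----END CERTIFICATE-----\n"
CLIENT_KEY_PEM = "-----BEGIN PRIVATE KEY-----\nCLIENT1KEYPLACEHOLDER\n-----END PRIVATE KEY-----\n"

# Directives that point at external files and are replaced by inline blocks.
FILE_DIRECTIVES = ("ca", "cert", "key")


def _check_pem(pem: str, kind: str) -> str:
    """Refuse to embed anything that is not a PEM block of the expected kind.

    `kind` is a regex fragment; the END marker must match the BEGIN marker."""
    if not re.search(rf"-----BEGIN ({kind})-----.*?-----END \1-----", pem, re.S):
        raise ValueError(f"not a PEM block matching {kind}")
    return pem.strip() + "\n"


def build_inline_profile(base_config: str, ca_pems: list, cert_pem: str, key_pem: str) -> str:
    """Return a single-file .ovpn: file-based ca/cert/key lines removed, inline blocks appended.

    ca_pems may hold several CAs (assumption: old and new CA during a rotation)."""
    kept = []
    for line in base_config.splitlines():
        directive = line.split(None, 1)[0] if line.strip() else ""
        if directive in FILE_DIRECTIVES:
            continue  # drop 'ca ca.crt', 'cert client1.crt', 'key client1.key'
        kept.append(line)
    profile = "\n".join(kept).rstrip("\n") + "\n"
    profile += "<ca>\n" + "".join(_check_pem(p, "CERTIFICATE") for p in ca_pems) + "</ca>\n"
    profile += "<cert>\n" + _check_pem(cert_pem, "CERTIFICATE") + "</cert>\n"
    profile += "<key>\n" + _check_pem(key_pem, r"(?:RSA |EC )?PRIVATE KEY") + "</key>\n"
    return profile


if __name__ == "__main__":
    print(build_inline_profile(BASE_CONFIG, [NEW_CA_PEM, OLD_CA_PEM], CLIENT_CERT_PEM, CLIENT_KEY_PEM))
```

The resulting profile still has to reach each client over an authenticated channel (TinCanTech's HTTPS distribution), since it carries the client's private key.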
