CA certificate renew
Posted: Tue Feb 28, 2017 9:32 am
What is the right way to manage CA certificate renewal? I think there is a bug in OpenVPN 2.3 in CA certificate management.
I was using OpenVPN 2.1 with this renewal workflow:
- top level is root certificate with very long expiration date
- intermediate certificate has 2 year expiration date
- user certificates have 1 year expiration date
Each year I renew the intermediate certificate, so every time I have 2 valid intermediate certificates with overlapping validity dates. It is the obvious practice used to deploy user certificates.
It was fully correct to import 2 intermediate certificates with the same subject in OpenVPN 2.1, but in 2.3 I get these errors, and the VPN fails to start:
Tue Feb 28 10:15:50 2017 us=824985 Cannot load CA certificate file user-vpn/CA.pem (entry 3 did not validate)
Tue Feb 28 10:15:50 2017 us=825544 Cannot load CA certificate file user-vpn/CA.pem (entry 4 did not validate)
Tue Feb 28 10:15:50 2017 us=825867 Cannot load CA certificate file user-vpn/CA.pem (only 2 of 4 entries were valid X509 names) (OpenSSL)
Tue Feb 28 10:15:50 2017 us=826195 Exiting due to fatal error
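The layout the post describes, rebuilt with the openssl CLI as an added example (this is not code from the post, from OpenVPN, or from the OpenVPN project): a long-lived root, two intermediates that share one subject but have different keys and overlapping validity, a user certificate issued by the newer intermediate, and a CA.pem bundle made of the root plus both intermediates. It then inspects the bundle entry by entry, which is the check worth running on a CA file before pointing a server at it: how many entries it holds, which subjects repeat, whether every entry chains to the root, and whether the user certificate verifies with the whole bundle as trust store and via each intermediate. All names, paths and lifetimes (Demo Root CA, int-2016, int-2017, alice, the 20-year root) are assumptions for the demo; both intermediates are issued now rather than one being backdated a year.

```shell
#!/bin/sh
# Added example, not code from the original post or from OpenVPN.
# Rebuilds the poster's layout with the openssl CLI: a long-lived root,
# two intermediates that share one subject and overlap in validity, and a
# user certificate issued by the newer one. Names and paths are assumptions.
set -eu

WORK=$(mktemp -d)
CFG="$WORK/demo.cnf"

# Minimal config so the demo does not depend on the system openssl.cnf.
# SKID/AKID let a verifier tell the two same-subject intermediates apart
# by key rather than by name alone.
cat > "$CFG" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ root_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ ca_ext ]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ leaf_ext ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF

# issue NAME DAYS EXT_SECTION ISSUER SUBJECT: new key + CSR, signed by ISSUER.
issue() {
  openssl req -new -config "$CFG" -newkey rsa:2048 -nodes -sha256 \
    -subj "$5" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$4.pem" -CAkey "$WORK/$4.key" \
    -CAcreateserial -days "$2" -sha256 -extfile "$CFG" -extensions "$3" \
    -out "$WORK/$1.pem" 2>/dev/null
}

build_demo_pki() {
  # Root: self-signed, hypothetical 20-year lifetime.
  openssl req -x509 -new -config "$CFG" -extensions root_ext -newkey rsa:2048 \
    -nodes -sha256 -days 7300 -subj "/CN=Demo Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
  # Two intermediates with the same subject and different keys (demo does
  # not backdate the older one; both start now and overlap for 2 years).
  issue int-2016 730 ca_ext root "/CN=Demo Intermediate CA"
  issue int-2017 730 ca_ext root "/CN=Demo Intermediate CA"
  # User certificate issued by the newer intermediate.
  issue user 365 leaf_ext int-2017 "/CN=alice"
  # The CA bundle a VPN server would be given: root plus both intermediates.
  cat "$WORK/root.pem" "$WORK/int-2016.pem" "$WORK/int-2017.pem" > "$WORK/CA.pem"
}

# Split bundle $1 into $WORK/entry.N files and print the number of entries.
split_bundle() {
  rm -f "$WORK"/entry.*
  awk -v dir="$WORK" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/entry." n }
    f != "" { print > f }
    /-----END CERTIFICATE-----/ { close(f); f = "" }
    END { print n + 0 }' "$1"
}

# Number of subject names that occur more than once in the split bundle.
duplicate_subjects() {
  for e in "$WORK"/entry.*; do
    openssl x509 -in "$e" -noout -subject
  done | sort | uniq -d | wc -l | tr -d ' '
}

# Number of bundle entries that do not chain to the root.
entries_not_chaining() {
  bad=0
  for e in "$WORK"/entry.*; do
    openssl verify -CAfile "$WORK/root.pem" "$e" >/dev/null 2>&1 || bad=$((bad + 1))
  done
  echo "$bad"
}

# Does user.pem verify with $1 as the whole trust store?
user_verifies_with() {
  openssl verify -CAfile "$1" "$WORK/user.pem" >/dev/null 2>&1
}

# Does user.pem verify against the root via intermediate $1 (untrusted)?
user_verifies_via() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$1" "$WORK/user.pem" >/dev/null 2>&1
}

build_demo_pki
n=$(split_bundle "$WORK/CA.pem")
echo "CA.pem: $n entries, $(duplicate_subjects) duplicated subject(s), $(entries_not_chaining) not chaining to root"
i=1
while [ "$i" -le "$n" ]; do
  printf 'entry %s: ' "$i"
  openssl x509 -in "$WORK/entry.$i" -noout -subject -enddate | tr '\n' ' '
  echo
  i=$((i + 1))
done
user_verifies_with "$WORK/CA.pem" && echo "user cert verifies with the full bundle as trust store"
user_verifies_via "$WORK/int-2017.pem" && echo "user cert verifies via int-2017"
user_verifies_via "$WORK/int-2016.pem" || echo "user cert does not verify via int-2016 (same name, different key)"
```

The report shows the condition the post hits: two entries with an identical subject in one bundle. The user certificate still verifies with the full bundle, because the subjectKeyIdentifier on each intermediate and the authorityKeyIdentifier on the leaf let the verifier pick the intermediate whose key actually signed it; the same-named retired intermediate alone does not verify it. When rotating an intermediate with an unchanged subject, issuing it with those key identifiers is the part that keeps chain building unambiguous.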