Certificate Expiration

Business solution to host your own OpenVPN server with web management interface and bundled clients.
Incisive
OpenVpn Newbie
Posts: 3
Joined: Sat Sep 13, 2014 11:19 pm

Certificate Expiration

Post by Incisive » Sun Sep 14, 2014 1:05 am

Hi Everyone,

I'm in the process of planning and testing out a multi-region deployment of the OpenVPN Access Server and had a question regarding certificate expiration and regeneration.

Our intended use of OpenVPN is to allow our Mac mini appliances, which we deploy to customers' data centers, to punch holes through their network firewalls and connect to our Amazon VPC. We have a provisioning process to build these appliances out automatically, which installs and configures OpenVPN. Currently we are hard-coding the cert, key, and ca files in the OpenVPN config which is deployed with the appliances.

My question: How should certificate expiration best be handled? I see that the certs are generated for 10 years (these machines will probably exist past that point), so I want to at least get something down on paper for an upgrade process. If I regenerate the certificate on the server, what has to be updated on the client to allow it to connect? I would prefer the method that prevents us from having to re-deploy all the certs and keys to these appliances if possible; however, it could potentially be automated if absolutely necessary.

Thanks in advance!
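The two artifacts the post hard-codes into the client config, the embedded `<ca>` and `<cert>` blocks, are also the two whose validity decides whether an appliance can still complete the TLS handshake, so the first thing to put "down on paper" is a check that reports their expiry well before the 10-year mark. The script below is an added example, not code from this thread or from OpenVPN Access Server: using only the Python standard library, it pulls the PEM out of each inline block and walks the X.509 DER structure far enough to read `Validity.notAfter`. The sample `.ovpn` text is constructed inside the script, and its certificates are unsigned skeletons with a real version and validity field, so `expiry_report`, `days_left`, `SAMPLE_CONFIG` and the `vpn.example.invalid` hostname are all assumptions of this example.

```python
"""Report how long the certificates inlined in an OpenVPN client config have left.

Added example, stdlib only: extract the PEM from <ca> and <cert>, decode it, and
walk just enough X.509 DER to read Validity.notAfter. The sample config is
constructed below; its certificates are unsigned skeletons, not real certs.
"""
import base64
import re
from datetime import datetime, timezone


def _read_tlv(buf, pos):
    """Decode one ASN.1 TLV at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(content):
    """Split a constructed element's content into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(content):
        tag, value, pos = _read_tlv(content, pos)
        out.append((tag, value))
    return out


def _parse_time(tag, value):
    """UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ)."""
    text = value.decode("ascii")
    if tag == 0x17:                         # RFC 5280: YY >= 50 means 19YY, else 20YY
        year = int(text[:2])
        text = f"{year + (1900 if year >= 50 else 2000)}{text[2:]}"
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def cert_not_after(der):
    """Return notAfter of a DER-encoded X.509 certificate."""
    _, certificate, _ = _read_tlv(der, 0)                   # Certificate ::= SEQUENCE
    fields = _children(_children(certificate)[0][1])       # tbsCertificate fields
    if fields[0][0] == 0xA0:                                # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    _not_before, not_after = _children(fields[3][1])
    return _parse_time(*not_after)


def inline_cert_der(config_text, section):
    """Return the DER bytes of the PEM inside <section>...</section>."""
    match = re.search(rf"<{section}>(.*?)</{section}>", config_text, re.S)
    if not match:
        raise ValueError(f"no inline <{section}> block in config")
    lines = (ln.strip() for ln in match.group(1).splitlines())
    return base64.b64decode("".join(ln for ln in lines if ln and not ln.startswith("-----")))


def days_left(config_text, section, now=None):
    """Whole days until the cert in <section> expires; negative once it has expired."""
    now = now or datetime.now(timezone.utc)
    return (cert_not_after(inline_cert_der(config_text, section)) - now).days


def expiry_report(config_text, now=None, warn_days=90):
    """Days remaining for the embedded CA and client cert, and whether to act now."""
    days = {section: days_left(config_text, section, now) for section in ("ca", "cert")}
    return {**days, "renew": any(d <= warn_days for d in days.values())}


# ---- constructed sample input: structurally valid, unsigned, not a real certificate ----
def _tlv(tag, content):
    assert len(content) < 0x80, "sample encoder only emits short-form lengths"
    return bytes([tag, len(content)]) + content


def _utc_time(dt):
    return _tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode("ascii"))


def _skeleton_cert(not_before, not_after):
    """Empty issuer/subject/key; real [0] version and validity, which is all we parse."""
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01")
                 + _tlv(0x30, b"") + _tlv(0x30, b"")
                 + _tlv(0x30, _utc_time(not_before) + _utc_time(not_after))
                 + _tlv(0x30, b"") + _tlv(0x30, b""))
    return _tlv(0x30, tbs + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))


def _pem(der):
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----"


_ISSUED = datetime(2014, 9, 14, tzinfo=timezone.utc)
CA_NOT_AFTER = datetime(2024, 9, 14, tzinfo=timezone.utc)    # 10-year CA, as in the thread
CERT_NOT_AFTER = datetime(2015, 9, 14, tzinfo=timezone.utc)  # constructed 1-year client cert

SAMPLE_CONFIG = f"""client
dev tun
remote vpn.example.invalid 1194
<ca>
{_pem(_skeleton_cert(_ISSUED, CA_NOT_AFTER))}
</ca>
<cert>
{_pem(_skeleton_cert(_ISSUED, CERT_NOT_AFTER))}
</cert>
"""
```

Run `expiry_report(open("client.ovpn").read())` from a cron job on each appliance (or over the config store before provisioning) and alert when `renew` flips to true; the `warn_days` window is what turns a hard expiry into a scheduled re-deployment rather than a surprise. The walker deliberately stops at the validity field, so it does not verify signatures or chains; it is an inventory check, not a replacement for the TLS verification OpenVPN itself performs.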

Incisive
OpenVpn Newbie
Posts: 3
Joined: Sat Sep 13, 2014 11:19 pm

Re: Certificate Expiration

Post by Incisive » Sun Sep 14, 2014 2:34 pm

Also, how do you configure the Access Server to use only username/password authentication and not require me to embed the certificate and key in the config? That would make this entire setup much simpler.

Man-in-the-middle isn't a major issue, as the only purpose of using OpenVPN is to break out of restrictive networks; we aren't accessing anything sensitive in our VPCs.

Thanks

Incisive
OpenVpn Newbie
Posts: 3
Joined: Sat Sep 13, 2014 11:19 pm

Re: Certificate Expiration

Post by Incisive » Sun Sep 14, 2014 4:26 pm

I've re-read the documentation and figured out how to get my intended implementation working. Please delete or ignore. Thanks!
