What is the right way to manage CA certificate renewal? I think there is a bug in OpenVPN 2.3 in CA certificate management.
I was using OpenVPN 2.1 with this renewal workflow:
- top level is a root certificate with a very long expiration date
- intermediate certificate has a 2 year expiration date
- user certificates have a 1 year expiration date
Each year I renew the intermediate certificate, so every time I have 2 valid intermediate certificates with overlapping validity dates. It is the obvious practice used to deploy user certificates.
It was fully correct to import 2 intermediate certificates with the same subject in OpenVPN 2.1, but in 2.3 I get these errors, and the VPN fails to start:
Tue Feb 28 10:15:50 2017 us=824985 Cannot load CA certificate file user-vpn/CA.pem (entry 3 did not validate)
Tue Feb 28 10:15:50 2017 us=825544 Cannot load CA certificate file user-vpn/CA.pem (entry 4 did not validate)
Tue Feb 28 10:15:50 2017 us=825867 Cannot load CA certificate file user-vpn/CA.pem (only 2 of 4 entries were valid X509 names) (OpenSSL)
Tue Feb 28 10:15:50 2017 us=826195 Exiting due to fatal error
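As an added example (not code from the thread or from the OpenVPN project), the following standard-library Python script audits a `--ca` PEM bundle the way a defender would before deploying it: it parses each certificate's subject, issuer and validity window directly from the DER structure and flags entries that share a subject while their validity windows overlap, which is exactly the bundle layout the post describes. It assumes ordinary definite-length DER with UTF8String/PrintableString name attributes and UTCTime/GeneralizedTime dates; it does not verify signatures. The `SAMPLE_BUNDLE` at the bottom is constructed from unsigned placeholder certificates (helper names `_der`, `_name`, `_fake_cert` are the example's own) and is not real CA material.

```python
"""Audit an OpenVPN --ca PEM bundle with the standard library only.

Lists each certificate's subject, issuer and validity window, then flags
entries that share a subject while their validity windows overlap.
Signatures are NOT verified; only the definite-length DER forms found in
ordinary certificates are handled (assumption of this example).
"""
import base64
import re
from datetime import datetime, timezone

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
OID_NAMES = {b"\x55\x04\x03": "CN", b"\x55\x04\x06": "C",
             b"\x55\x04\x0a": "O", b"\x55\x04\x0b": "OU"}


def der_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Split the contents of a SEQUENCE/SET into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        out.append((tag, val))
    return out


def parse_name(value):
    """Render an X.501 Name as 'CN=.../O=...' (attribute order preserved)."""
    parts = []
    for _, rdn in der_children(value):          # SEQUENCE OF RelativeDistinguishedName
        for _, atv in der_children(rdn):        # SET OF AttributeTypeAndValue
            (_, oid), (_, text) = der_children(atv)[:2]
            label = OID_NAMES.get(oid, "oid:" + oid.hex())
            parts.append(f"{label}={text.decode('utf-8', 'replace')}")
    return "/".join(parts)


def parse_time(tag, value):
    """Decode UTCTime (0x17, YYMMDD...) or GeneralizedTime (0x18, YYYYMMDD...)."""
    s = value.decode("ascii")
    if tag == 0x17:                             # RFC 5280: 50-99 -> 19xx, 00-49 -> 20xx
        yy = int(s[:2])
        s = str(1900 + yy if yy >= 50 else 2000 + yy) + s[2:]
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def parse_certificate(der):
    """Return subject, issuer and validity of one DER-encoded certificate."""
    _, cert, _ = der_tlv(der, 0)                # Certificate ::= SEQUENCE
    fields = der_children(der_children(cert)[0][1])   # tbsCertificate fields
    if fields[0][0] == 0xA0:                    # optional explicit [0] version
        fields = fields[1:]
    _serial, _sigalg, issuer, validity, subject = fields[:5]
    not_before, not_after = der_children(validity[1])
    return {"subject": parse_name(subject[1]), "issuer": parse_name(issuer[1]),
            "not_before": parse_time(*not_before), "not_after": parse_time(*not_after)}


def audit_bundle(pem_text):
    """Parse every PEM entry; return (entries, conflicts), where conflicts are
    index pairs of entries with identical subjects and overlapping validity."""
    entries = [parse_certificate(base64.b64decode(m.group(1)))
               for m in PEM_RE.finditer(pem_text)]
    conflicts = []
    for i, a in enumerate(entries):
        for j in range(i + 1, len(entries)):
            b = entries[j]
            if (a["subject"] == b["subject"]
                    and a["not_before"] <= b["not_after"]
                    and b["not_before"] <= a["not_after"]):
                conflicts.append((i, j))
    return entries, conflicts


# --- constructed sample bundle: unsigned placeholder certs, NOT real CA material ---
def _der(tag, content):
    assert len(content) < 256                   # enough for these tiny placeholders
    n = len(content)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x81, n])) + content


def _name(cn):                                  # Name with a single CN attribute
    return _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))


def _fake_cert(subject, issuer, not_before, not_after, serial):
    sha256_rsa = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + _der(0x05, b""))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, bytes([serial])) + sha256_rsa
               + _name(issuer) + _der(0x30, _der(0x17, not_before.encode()) + _der(0x17, not_after.encode()))
               + _name(subject) + _der(0x30, b""))         # empty SubjectPublicKeyInfo placeholder
    der = _der(0x30, tbs + sha256_rsa + _der(0x03, b"\x00"))   # empty signature placeholder
    return f"-----BEGIN CERTIFICATE-----\n{base64.encodebytes(der).decode()}-----END CERTIFICATE-----\n"


SAMPLE_BUNDLE = (
    _fake_cert("Root CA", "Root CA", "100101000000Z", "400101000000Z", 1)
    + _fake_cert("Intermediate CA", "Root CA", "160301000000Z", "180301000000Z", 2)  # 2016-2018
    + _fake_cert("Intermediate CA", "Root CA", "170201000000Z", "190201000000Z", 3)  # 2017-2019, same subject
)

if __name__ == "__main__":
    entries, conflicts = audit_bundle(SAMPLE_BUNDLE)
    for i, e in enumerate(entries):
        print(i, e["subject"], e["not_before"].date(), "->", e["not_after"].date())
    for i, j in conflicts:
        print(f"entries {i} and {j} share subject '{entries[i]['subject']}' with overlapping validity")
```

Run it against the real bundle with `audit_bundle(open("CA.pem").read())`; an empty `conflicts` list means no two entries collide on subject, so a loader that keys trusted CAs by X.509 name has nothing to trip over.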
CA certificate renew
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: CA certificate renew
Is that OpenVPN 2.3.14?
- OpenVpn Newbie
- Posts: 4
- Joined: Tue Feb 28, 2017 9:16 am
Re: CA certificate renew
Debian stable - Jessie version: 2.3.4-5
Is this fixed in later versions?
- OpenVpn Newbie
- Posts: 4
- Joined: Tue Feb 28, 2017 9:16 am
Re: CA certificate renew
The main problem is that the overlapping certificates have the same subject.
- OpenVpn Newbie
- Posts: 4
- Joined: Tue Feb 28, 2017 9:16 am
Re: CA certificate renew
Has really nobody faced this problem? How are you renewing the CA certificate? Always creating a new certificate with a different subject?