OpenVPN Caching old certificates?

Official client software for OpenVPN Access Server and OpenVPN Cloud.
witchy
OpenVpn Newbie
Posts: 4
Joined: Fri Mar 10, 2017 8:16 pm

OpenVPN Caching old certificates?

Post by witchy » Fri Mar 10, 2017 8:36 pm

Hi folks,

I've set up an OpenVPN server on an OpenWRT router and configured a Win7 laptop to connect successfully, all good. While I was testing this I've also been setting up my iPhone with OpenVPN Connect 1.1.1 on iOS 10.2.1, so there have been a lot of test certificates created/destroyed while I was learning the X509 side of things.

I've tried different .ovpn methods from named files (ta.key, ca.crt etc) to inline certs to stored certs in the phone's keychain and no matter what I do OpenVPN is hanging onto an invalid CA certificate from earlier today.

The FAQ says I can install the PKCS file to my keychain so I did that. I don't know how closely the FAQ matches v1.1.1 of the client but it says to leave the CA cert inline in the .ovpn file so that's what I did. Re-import the .ovpn and on reconnecting the old CA from 11:30 is still there. (latest CA is from 18:08)

As a test I removed the inline CA and got 'PolarSSL: as certificate is undefined' as expected, put the latest CA back inline and the logfile is still showing the old one in use. Remove inline again and install the CA and ICA certs in the keychain, which has the bonus of all 3 certs now showing as 'verified', but OpenVPN is still hanging onto that 11:30 CA.

Delete and reinstall the app, reboot phone, the old CA is still being used despite not actually existing anywhere other than seemingly in a cache on my phone.

There's a similar post from the middle of Dec last year so I'm not the only one with this oddity, anyone else?

Cheers

Witchy

witchy
OpenVpn Newbie
Posts: 4
Joined: Fri Mar 10, 2017 8:16 pm

Re: OpenVPN Caching old certificates?

Post by witchy » Mon Mar 13, 2017 4:17 pm

Gah, ignore me :)

I'd totally missed the connection between the root CA and TLS authentication and when I'd recreated the new certs I forgot to regenerate ta.key.

All sorted now!

W
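The symptom in the first post (the client appearing to use an "old" CA) and the resolution in the second (the profile still carried the ta.key from the previous PKI) come down to one question: which CA and which tls-auth key does the client profile actually embed, and do they match the server's current files? The script below is an added example, not code from the thread or from the OpenVPN project. It parses the inline `<ca>` and `<tls-auth>` blocks of an .ovpn profile, fingerprints the CA the same way `openssl x509 -fingerprint -sha256` would (SHA-256 over the DER), digests the hex payload of the "OpenVPN Static key V1" file, and reports which of the two differs from the server's copy. All certificate and key material here is constructed placeholder data (the "certificate" is just bytes in PEM armour, the static keys are made-up hex), and `vpn.example.invalid` is a placeholder hostname.

```python
"""Check which CA and tls-auth key an OpenVPN client profile really carries,
and compare them with the server's copies (added example, constructed data)."""
import base64
import hashlib
import re

# Inline blocks an .ovpn profile may carry; body is captured without the tags.
INLINE_BLOCK = re.compile(
    r"<(?P<tag>ca|cert|key|tls-auth|tls-crypt)>\s*(?P<body>.*?)\s*</(?P=tag)>",
    re.DOTALL,
)


def inline_blocks(profile_text):
    """Return {tag: body} for every inline block found in the profile."""
    return {m.group("tag"): m.group("body") for m in INLINE_BLOCK.finditer(profile_text)}


def pem_fingerprint(pem_text):
    """SHA-256 fingerprint of the DER inside a PEM block, colon-separated
    like `openssl x509 -fingerprint -sha256` prints it."""
    lines = [ln.strip() for ln in pem_text.splitlines()]
    b64 = "".join(ln for ln in lines if ln and not ln.startswith("-----"))
    der = base64.b64decode(b64, validate=True)
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def static_key_digest(key_text):
    """SHA-256 over the hex payload of an 'OpenVPN Static key V1' file,
    ignoring the BEGIN/END markers and '#' comment lines (case-insensitive)."""
    payload = "".join(
        ln.strip() for ln in key_text.splitlines()
        if ln.strip() and not ln.strip().startswith("#") and not ln.strip().startswith("-----")
    )
    return hashlib.sha256(payload.lower().encode()).hexdigest()


def compare_profile(profile_text, server_ca_pem, server_ta_key):
    """Compare the client's inline ca/tls-auth with the server's files.
    Returns {name: {"client": digest, "server": digest, "match": bool}}."""
    blocks = inline_blocks(profile_text)
    report = {}
    if "ca" in blocks:
        c, s = pem_fingerprint(blocks["ca"]), pem_fingerprint(server_ca_pem)
        report["ca"] = {"client": c, "server": s, "match": c == s}
    if "tls-auth" in blocks:
        c, s = static_key_digest(blocks["tls-auth"]), static_key_digest(server_ta_key)
        report["tls-auth"] = {"client": c, "server": s, "match": c == s}
    return report


# --- constructed sample data (NOT real key material) -------------------------
FAKE_DER = b"constructed placeholder, not a real X.509 certificate"
FAKE_CA_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(FAKE_DER).decode()
    + "\n-----END CERTIFICATE-----"
)


def make_static_key(hex_fill):
    """Build a made-up ta.key in OpenVPN's static key V1 layout (16 hex lines)."""
    return (
        "#\n# 2048 bit OpenVPN static key\n#\n"
        "-----BEGIN OpenVPN Static key V1-----\n"
        + "\n".join([hex_fill * 16] * 16)
        + "\n-----END OpenVPN Static key V1-----"
    )


# The client profile from the first post, as it would look after re-issuing the
# CA but forgetting to regenerate ta.key: correct CA, stale tls-auth key ('a1').
CLIENT_PROFILE = f"""client
dev tun
proto udp
remote vpn.example.invalid 1194
key-direction 1
<ca>
{FAKE_CA_PEM}
</ca>
<tls-auth>
{make_static_key('a1')}
</tls-auth>
"""
SERVER_CA_CRT = FAKE_CA_PEM          # server's ca.crt: same new CA as the profile
SERVER_TA_KEY = make_static_key('ff')  # server's ta.key: regenerated with the new PKI

if __name__ == "__main__":
    for name, row in compare_profile(CLIENT_PROFILE, SERVER_CA_CRT, SERVER_TA_KEY).items():
        status = "OK" if row["match"] else "MISMATCH"
        print(f"{name:9s} {status}\n  client {row['client']}\n  server {row['server']}")
```

Run against a real profile, read the .ovpn, ca.crt and ta.key from disk and pass their contents to `compare_profile`; a tls-auth mismatch with a matching CA is exactly the state the second post describes, and is worth checking before assuming the client is caching anything.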
