CA certificate renew

Scripts to manage certificates or generate config files

Moderators: TinCanTech

mclei
OpenVpn Newbie
Posts: 4
Joined: Tue Feb 28, 2017 9:16 am

CA certificate renew

Post by mclei » Tue Feb 28, 2017 9:32 am

What is the right way to manage CA certificate renewal? I think there is a bug in OpenVPN 2.3 in CA certificate management.

I was using OpenVPN 2.1 with this renewal workflow:
- top level is a root certificate with a very long expiration date
- intermediate certificate has 2 year expiration date
- user certificates have 1 year expiration date

Each year I renew the intermediate certificate, so every time I have 2 valid intermediate certificates with overlapping validity dates. It is the obvious practice used to deploy user certificates.

It was fully correct to import 2 intermediate certificates with the same subject in OpenVPN 2.1, but in 2.3 I get these errors, and the VPN fails to start:
Tue Feb 28 10:15:50 2017 us=824985 Cannot load CA certificate file user-vpn/CA.pem (entry 3 did not validate)
Tue Feb 28 10:15:50 2017 us=825544 Cannot load CA certificate file user-vpn/CA.pem (entry 4 did not validate)
Tue Feb 28 10:15:50 2017 us=825867 Cannot load CA certificate file user-vpn/CA.pem (only 2 of 4 entries were valid X509 names) (OpenSSL)
Tue Feb 28 10:15:50 2017 us=826195 Exiting due to fatal error

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: CA certificate renew

Post by TinCanTech » Tue Feb 28, 2017 2:08 pm

Is that OpenVPN 2.3.14?

mclei
OpenVpn Newbie
Posts: 4
Joined: Tue Feb 28, 2017 9:16 am

Re: CA certificate renew

Post by mclei » Tue Feb 28, 2017 8:05 pm

Debian stable - Jessie version: 2.3.4-5
Is this fixed in later versions?

mclei
OpenVpn Newbie
Posts: 4
Joined: Tue Feb 28, 2017 9:16 am

Re: CA certificate renew

Post by mclei » Tue Feb 28, 2017 8:07 pm

The main problem is that the overlapping certificates have the same subject.

mclei
OpenVpn Newbie
Posts: 4
Joined: Tue Feb 28, 2017 9:16 am

Re: CA certificate renew

Post by mclei » Mon Apr 10, 2017 7:15 pm

Has really nobody faced this problem? How are you renewing the CA certificate? Always creating a new certificate with a different subject?
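Added example, not part of this thread and not OpenVPN's own code: a small POSIX shell script that inspects a concatenated PEM CA bundle such as the user-vpn/CA.pem from the first post. It lists each entry in file order (the same numbering as the "entry 3 did not validate" messages above) with subject, serial and SHA-256 fingerprint, and then counts two things that the last post's question turns on: subjects shared by more than one entry (two overlapping intermediates from a renewal) and entries that are the same certificate pasted twice. It needs the openssl command-line tool; the function names and the demo bundle are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread or from OpenVPN): inspect a concatenated
# PEM CA bundle, report each entry, and count repeated subjects and
# byte-identical entries. All function names are hypothetical helpers.

# Write each certificate found in bundle $1 to directory $2 as entry_N.pem,
# numbered from 1 in file order (the order OpenVPN's "entry N" messages use).
split_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/entry_" n ".pem"; inside = 1 }
        inside { print > out }
        /-----END CERTIFICATE-----/ { inside = 0; close(out) }
    ' "$1"
}

# Print one line per entry: position, subject, serial and SHA-256 fingerprint.
ca_bundle_report() {
    work=$(mktemp -d)
    split_bundle "$1" "$work"
    i=1
    while [ -f "$work/entry_$i.pem" ]; do
        printf 'entry %d: ' "$i"
        openssl x509 -noout -subject -serial -fingerprint -sha256 \
            -in "$work/entry_$i.pem" | tr '\n' ' '
        echo
        i=$((i + 1))
    done
    rm -rf "$work"
}

# Print how many distinct values of field $2 ("subject" or "fingerprint")
# occur on more than one entry of bundle $1.
count_repeated() {
    case "$2" in
        subject) opts="-subject" ;;
        fingerprint) opts="-fingerprint -sha256" ;;
        *) echo "unknown field: $2" >&2; return 1 ;;
    esac
    work=$(mktemp -d)
    split_bundle "$1" "$work"
    for f in "$work"/entry_*.pem; do
        [ -f "$f" ] || continue
        # $opts is intentionally unquoted so it splits into separate arguments
        openssl x509 -noout $opts -in "$f"
    done | sort | uniq -d | wc -l | tr -d ' '
    rm -rf "$work"
}

# Subjects shared by more than one entry: what a renewed intermediate that
# keeps the old subject produces while both certificates are still valid.
ca_bundle_repeated_subjects() { count_repeated "$1" subject; }

# Entries that are the very same certificate included more than once.
ca_bundle_identical_entries() { count_repeated "$1" fingerprint; }

# Constructed demo input (not real CA material): two self-signed certificates
# with the same subject but freshly generated keys, plus the first one pasted
# a second time. Files are written to directory $1; the bundle path is printed.
make_demo_bundle() {
    for n in 1 2; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 730 \
            -subj "/O=Example Corp/CN=Example Intermediate CA" \
            -keyout "$1/key$n.pem" -out "$1/cert$n.pem" 2>/dev/null
    done
    cat "$1/cert1.pem" "$1/cert2.pem" "$1/cert1.pem" > "$1/CA.pem"
    echo "$1/CA.pem"
}

# Usage: sh ca-bundle-check.sh user-vpn/CA.pem   (no argument runs the demo)
if [ "$#" -gt 0 ]; then
    target="$1"
else
    demo_dir=$(mktemp -d)
    target=$(make_demo_bundle "$demo_dir")
fi
ca_bundle_report "$target"
echo "subjects used by more than one entry: $(ca_bundle_repeated_subjects "$target")"
echo "byte-identical entries: $(ca_bundle_identical_entries "$target")"
```

Run against the real bundle, the report tells you which entries the "did not validate" messages refer to and whether they are merely same-subject siblings (distinct serial and fingerprint) or literal duplicates, which is the first thing to establish before deciding whether a renewed intermediate needs a new subject.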
