Trying to Seamlessly transition to new pki

Scripts to manage certificates or generate config files
Post Reply
Dustin2902
OpenVpn Newbie
Posts: 2
Joined: Tue Jun 15, 2021 1:35 am

Trying to Seamlessly transition to new pki

Post by Dustin2902 » Fri Jun 18, 2021 1:43 am

I am fairly new with OpenVPN and EasyRSA hope everything makes sense, let me know if I have missed something that may be helpful

Current certs are set to expire in about a year, rather than just refresh the certs I would like to update the pki security by:
Larger key size 1024 -> 2048
Encryption sha1 -> sha256 (This seems to be fine)

From what I understand upgrading to 2048 bit keys requires a new PKI to be built to upgrade the ca.key size

What is the benefit of creating a new ca vs using a 1024-bit ca.key and create new 2048-bit client/server files? (Assuming best practice/security)

The devices (Modem's) on the network have static IP addresses and are in DMZ mode (No remote access since that would be too easy), they come back and can be updated with a local connection around once a year

The goal would be to transition all the devices over about 1 year seamlessly over to the new pki

Things I have tried:

Stacked certs: https://www.hexonet.net/blog/migrating- ... or-openvpn
Create a new PKI, stack the ca.crt from the old and new PKI's

Code: Select all

cat ca_new.crt ca_old.crt > ca.crt
Create a new server cert with new pki

Code: Select all

./easyrsa build-server-full server nopass
Sign new server request with old pki as intermediate cert

Code: Select all

EASYRSA_PKI=pki_old ./easyrsa import-req ./pki/requests/server.csr im
EASYRSA_PKI=pki_old ./easyrsa sign-req server im
Stack the new server and im certs (2 certs signed by different ca's using the same .key file)

Code: Select all

cat server.crt im.crt > server_stacked.crt
This works only for the ca that signed the top crt in the server_stacked.crt
Client with old ca files works if I stack in this order "cat im.crt server.crt > server_stacked.crt"
Client with new ca files works in the other order

Client Log (Old files with server cert "cat server.crt im.crt > server_stacked.crt")

Code: Select all

2021-06-18 11:02:56 VERIFY ERROR: depth=0, error=unable to get local issuer certificate: C=AU, ST=VIC, L=MELBOURNE, O=server, CN=server, name=server, emailAddress=test@test.com.au, serial=1
2021-06-18 11:02:56 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
2021-06-18 11:02:56 TLS_ERROR: BIO read tls_read_plaintext error
2021-06-18 11:02:56 TLS Error: TLS object -> incoming plaintext read error
2021-06-18 11:02:56 TLS Error: TLS handshake failed
Server config

Code: Select all

port 1194
proto udp
dev tun
ca ca.crt
cert server_stack.crt
key server.key
dh dh2048.pem
mode server
tls-server
ifconfig 10.8.0.1 10.8.0.2
ifconfig-pool 10.8.20.4 10.8.40.254
ifconfig-pool-persist ipp.txt
client-config-dir ccd
client-to-client
push "route 10.8.0.0 255.255.0.0"
keepalive 10 120
cipher BF-CBC
comp-lzo
persist-key
persist-tun
status openvpn-status.log
log-append  openvpn.log
verb 4
Client Config

Code: Select all

client
dev tun
proto udp
remote 192.168.254.126 1194 # Test OpenVPN VM
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
cipher BF-CBC
comp-lzo
verb 3
auth-nocache
I have tried removing serial and dirName from "authorityKeyIdentifier" section in the new server.crt file (As mentioned in the guide) gives no change
I have also tried creating a subCA from the 1024-bit ca and using that as the new CA same method as above(Works on a windows client but not on NetComm modem's gives same error as above)
Clients never seem to know that there is a second server cert, i'm not sure why this is
Is there something else I have missed here

Multiple Instances
Also tried running 2 OpenVPN instances on separate ports but couldn't figure out how to get them working with the same subnet, don't think that is even possible
Each had a similar config with different ports and ifconfig values and using files from completely separate pki's (And different log file names)
(Required as devices have static IP's and can not be changed remotely)

If this is simply not possible, then will have to refresh the expiring certs and find a way to be able to update the devices remotely to move to fresh pki later

300000
OpenVPN Expert
Posts: 572
Joined: Tue May 01, 2012 9:30 pm

Re: Trying to Seamlessly transition to new pki

Post by 300000 » Thu Jul 01, 2021 11:47 am

Nothing you can do if CA expired next year. You need create whole new ca and server. client again . Make sure CA will have 100 years so only do one time . If you leave it now as 10 years you will do it on next ten years time again . I

User avatar
openvpn_inc
OpenVPN Inc.
Posts: 228
Joined: Tue Feb 16, 2021 10:41 am

Re: Trying to Seamlessly transition to new pki

Post by openvpn_inc » Sun Jul 04, 2021 1:23 am

Dustin2902 wrote:
Fri Jun 18, 2021 1:43 am
I am fairly new with OpenVPN and EasyRSA hope everything makes sense, let me know if I have missed something that may be helpful

Current certs are set to expire in about a year, rather than just refresh the certs I would like to update the pki security by:
Larger key size 1024 -> 2048
Encryption sha1 -> sha256 (This seems to be fine)

From what I understand upgrading to 2048 bit keys requires a new PKI to be built to upgrade the ca.key size

What is the benefit of creating a new ca vs using a 1024-bit ca.key and create new 2048-bit client/server files? (Assuming best practice/security)
I always say, consider your threat model. But also use the best encryption available at the time. If you are a wanted target by state-level actors, they will get you:


Image
(Much thanks as always to Randall Munroe at xkcd.com.)

I think 100 years is a bit much; cryptographic technology changes quite a lot within 10 years or so. That's why 10 years is a common choice for a PKI's lifetime. One year is a bit too much work for my tastes. I'm only hiding traffic from casual snoopers, not from gov't TLAs.

(snip)
Dustin2902 wrote:
Fri Jun 18, 2021 1:43 am
The goal would be to transition all the devices over about 1 year seamlessly over to the new pki
This is not easy, and it's not even something I can claim to have done. One thing I can suggest, though: OpenVPN Access Server (the proprietary software for self-hosted VPNs) version 2.9 has automatic CA certificate renewal and can add a new cross-signed CA or delete one with just a button click. You might want to check that out?

(large snippage)
Dustin2902 wrote:
Fri Jun 18, 2021 1:43 am
Multiple Instances
Also tried running 2 OpenVPN instances on separate ports but couldn't figure out how to get them working with the same subnet, don't think that is even possible
Each had a similar config with different ports and ifconfig values and using files from completely separate pki's (And different log file names)
(Required as devices have static IP's and can not be changed remotely)

If this is simply not possible, then will have to refresh the expiring certs and find a way to be able to update the devices remotely to move to fresh pki later
It's doable to run two instances on different ports with different subnets. Why would you need them on the same subnet? Just be sure that anything routed through one instance is known to the other instance (routes for each server being pushed to both sets of clients.) RFC1918 is plenty big enough for any organization to have all the private subnets they need.

This is a worthy effort, good luck with it. Regards, rob0
Image OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support

Dustin2902
OpenVpn Newbie
Posts: 2
Joined: Tue Jun 15, 2021 1:35 am

Re: Trying to Seamlessly transition to new pki

Post by Dustin2902 » Sun Jul 11, 2021 11:23 pm

300000 wrote:
Thu Jul 01, 2021 11:47 am
Nothing you can do if CA expired next year. You need create whole new ca and server. client again . Make sure CA will have 100 years so only do one time . If you leave it now as 10 years you will do it on next ten years time again
Have changed to 100 years, I am able to refresh the crt for the ca and server so don't need a whole new pki but wouldn't be upgrading anything.
openvpn_inc wrote:
Sun Jul 04, 2021 1:23 am
I always say, consider your threat model. But also use the best encryption available at the time.
I know there is not a great threat to our devices but using at least the default security settings is a big upgrade
openvpn_inc wrote:
Sun Jul 04, 2021 1:23 am
This is not easy, and it's not even something I can claim to have done. One thing I can suggest, though: OpenVPN Access Server (the proprietary software for self-hosted VPNs) version 2.9 has automatic CA certificate renewal and can add a new cross-signed CA or delete one with just a button click. You might want to check that out?
I have had a brief look at this but didn't see it worth it at the time. Might try get it working and have more of a look
openvpn_inc wrote:
Sun Jul 04, 2021 1:23 am
It's doable to run two instances on different ports with different subnets. Why would you need them on the same subnet?
We have a few other systems and local users (management) that communicate to the devices on the OpenVPN network having 2 subnets might add some complications I am trying to avoid.

I have managed to get a sub-CA working, problem before was creating the server cert with the sub ca not the root ca. Then chaining new client certs "cat client.crt sub-ca.crt > chained.crt" and have the ca of the client be a new root ca crt

300000
OpenVPN Expert
Posts: 572
Joined: Tue May 01, 2012 9:30 pm

Re: Trying to Seamlessly transition to new pki

Post by 300000 » Mon Jul 12, 2021 7:55 am

What will happen next year when root ca expired? All sub ca will expire too. Nothing you can do when root ca past 10 years then let start all again.

Post Reply