Action Plan to Upgrade Certs?

Scripts to manage certificates or generate config files
volleynbike
OpenVpn Newbie
Posts: 5
Joined: Thu Jun 19, 2014 11:14 pm

Action Plan to Upgrade Certs?

Post by volleynbike » Thu Mar 19, 2015 8:07 pm

I have a server (Linux)/client (Windows) setup with many clients. Clients are only accessible through the OVPN tunnel. It was originally set up with OVPN 2.1 and has worked well. With all the recently discovered vulnerabilities, I have updated both server and clients to OVPN 2.3.5. Certificates were originally issued by OpenSSL v0.9.7m. CA OpenSSL is now upgraded to v1.0.2.

Now it is time to upgrade the old certificates, both server and clients certs. But how to do it over the vpn without taking the system down or having to dispatch someone to each client? I was hoping to find someone's experience to follow. I've done a lot of searching for such, but no luck.
  • Original CA, server and client certs were only 1024. So all will need to be redone.
  • I am good with scripting, and expect to use that to connect down the tunnels to push files and make changes.
  • Possibly certificate stacking can be used to allow old and new certs to function on the server concurrently during the transition?
  • I suspect I am not the only one in this predicament. Documenting this process may be of help to others also, and I am willing to contribute by pulling this together.
If anyone can point me in the direction of existing HowTos or can help lay out a plan of action, I would greatly appreciate it!

Traffic
OpenVPN Protagonist
Posts: 4081
Joined: Sat Aug 09, 2014 11:24 am

Re: Action Plan to Upgrade Certs?

Post by Traffic » Thu Mar 19, 2015 9:46 pm

I am sure you will find this informative:
https://community.openvpn.net/openvpn/w ... nVPN-Howto

8-)

volleynbike
OpenVpn Newbie
Posts: 5
Joined: Thu Jun 19, 2014 11:14 pm

Re: Action Plan to Upgrade Certs?

Post by volleynbike » Thu Mar 19, 2015 9:54 pm

Yes, that covers how to set up (initially) a certificate structure. That is essentially what I did when first putting our system together. All well and good.

But now we need a process to push out replacement certs (with higher security standards) and enable them, without taking everything down. In other words, something like having 2 server certs functioning simultaneously (stacked certs)? So that clients that have not received their cert replacements yet can still function while the clients that do have their new certs switch over.

Does anyone have experience using stacked certs?

maikcat
Forum Team
Posts: 4199
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Action Plan to Upgrade Certs?

Post by maikcat » Fri Mar 20, 2015 1:46 pm

Janjust's OpenVPN cookbook has a whole chapter devoted to stacked CAs.

Have you tried to set it up and failed?

You can always create a second OpenVPN instance with the new keys and connect there...

Michael.

volleynbike
OpenVpn Newbie
Posts: 5
Joined: Thu Jun 19, 2014 11:14 pm

Re: Action Plan to Upgrade Certs?

Post by volleynbike » Mon Mar 23, 2015 10:19 pm

The more I investigate this issue, the more obstructions I run into. It will take much more than just new CA certs.
  • All certs will need to expand from 1024 bit to 2048 bit. This will mean CA, Server and Client certs and keys and DH.pem.
  • Many of our client boxes are behind remote firewalls that are tightly controlled. Creating a 2nd OpenVPN instance on a different IP or port is not an option.
  • Different options are necessary in the .ovpn file.
I don't believe a stacked cert will allow for all these other changes in a single instance of OpenVPN. I may have to script a time bomb switch over - a scary proposition.

Has anyone dreamed up a better way to do this?
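
The CA-stacking part of the transition raised in the two posts above (the "stacked certs" question and maikcat's pointer to stacked CAs), as an added shell example that is not from this thread or from the OpenVPN project: it builds a combined ca file from a legacy 1024-bit CA and its 2048-bit replacement, then uses openssl verify to check which client certificates that file accepts before and after cut-over. It covers only certificate validation, not the dh.pem or .ovpn option changes listed above; every CA, client name and path is a constructed throwaway.

```shell
#!/bin/sh
# Added example (not from the thread): build a "stacked" CA file holding the
# legacy CA and its 2048-bit replacement, then check which client certificates
# it accepts. All CAs and clients are constructed throwaways; names are assumed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME BITS: self-signed CA certificate plus private key
make_ca() {
  openssl req -x509 -newkey rsa:"$2" -nodes -sha256 -days 365 \
    -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# make_client NAME CA BITS: certificate for NAME signed by CA
make_client() {
  openssl req -new -newkey rsa:"$3" -nodes -sha256 \
    -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days 365 -sha256 -out "$WORK/$1.crt" 2>/dev/null
}

# verify_against CAFILE CERT: succeeds only if CERT chains to a CA in CAFILE,
# which is the check OpenVPN's "ca" directive applies to a connecting peer.
verify_against() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

make_ca old-ca 1024     # legacy 1024-bit CA, as in the thread
make_ca new-ca 2048     # replacement 2048-bit CA
make_ca rogue-ca 2048   # unrelated CA that must never be accepted
make_client old-client old-ca 1024
make_client new-client new-ca 2048
make_client rogue-client rogue-ca 2048

# The stacked CA file is simply both CA certificates concatenated; the server's
# "ca" directive points at it for the whole migration window.
cat "$WORK/old-ca.crt" "$WORK/new-ca.crt" > "$WORK/stacked-ca.crt"

# Named checks so the outcome can be asserted rather than only printed.
old_client_ok()   { verify_against "$WORK/stacked-ca.crt" "$WORK/old-client.crt"; }
new_client_ok()   { verify_against "$WORK/stacked-ca.crt" "$WORK/new-client.crt"; }
rogue_client_ok() { verify_against "$WORK/stacked-ca.crt" "$WORK/rogue-client.crt"; }
# After cut-over the ca file holds only new-ca, so un-migrated clients drop off.
old_client_after_cutover() { verify_against "$WORK/new-ca.crt" "$WORK/old-client.crt"; }

old_client_ok && new_client_ok && echo "stacked CA: old and new clients both accepted"
if rogue_client_ok; then echo "BUG: certificate from unrelated CA accepted"; exit 1; fi
```

Once every client has its new certificate, replacing stacked-ca.crt with new-ca.crt alone is what finally locks the legacy CA out, and old_client_after_cutover shows that the un-migrated clients are rejected at that point.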

theOpenVPNbibo
OpenVpn Newbie
Posts: 4
Joined: Wed Jun 13, 2012 6:32 am

Re: Action Plan to Upgrade Certs?

Post by theOpenVPNbibo » Thu Mar 09, 2017 1:24 pm

@volleynbike
Did you find a solution for your problem (I am standing right in front of the same)?
