Ca.crt expired

Scripts to manage certificates or generate config files
Post Reply
abig76
OpenVpn Newbie
Posts: 2
Joined: Mon Nov 09, 2015 1:29 pm

Ca.crt expired

Post by abig76 » Mon Nov 09, 2015 3:16 pm

I run into the 10 years expiration time like others before me. I checked this threadtopic18671.html I succesfully created a ca_new.crt file, but after testing it i receive "certificate has expired" error


Looking further I found out that i have a server1.crt. Which expired on the same date

In the config i see this:
ca /etc/openvpn/keys/SPH/ca.crt
cert /etc/openvpn/keys/SPH/server1.crt
key /etc/openvpn/SPH/files/server1.key

Under /usr/local/easy-rsa/keys/SPH i have:
ca.crt,key,pem
server1.key,crt,csr
ta.key

I'm a little confused. On the client i have the ca.cert, which gave me expired errors. After a renew it's stopped giving errors, instead it's timeout after 60 sec.

Should I create a new server1.crt too?

User avatar
maikcat
Forum Team
Posts: 4202
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece
Contact:

Re: Ca.crt expired

Post by maikcat » Tue Nov 10, 2015 7:37 am

you should distribute the newly created ca to ALL your clients/server.

also if there are any expired client/server certs they also need to be replaced.

the only gains you have by signing a new ca.crt with the previous ca key is that
any client certs which where signed by the old ca are still valid if they are not expired of course.

so

if you had created ca and all client configs at once creating a new ca signed using the olds one key
is almost useless because you still need to recreate all the certs again....

also keep in mind that server sends it own ca to client and vice versa.

Michael

abig76
OpenVpn Newbie
Posts: 2
Joined: Mon Nov 09, 2015 1:29 pm

Re: Ca.crt expired

Post by abig76 » Wed Nov 11, 2015 7:58 am

Okay, i generated new certs for every expired one. I also created a a new test user. Lets call it client1.

Code: Select all

openssl verify -CAfile ca.crt client1.crt 
it gives me client1.crt: OK

However after trying connect from a client I get: SSL_GET_SERVER_CERTIFICATE certificaty verify failed

Code: Select all

openssl verify -CAfile ca.crt  server1.crt
server1.crt: OK


After copying the same keys to my other server the verify command give me

Code: Select all

error 7 at 1 depth lookup:certificate signature failure 

User avatar
maikcat
Forum Team
Posts: 4202
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece
Contact:

Re: Ca.crt expired

Post by maikcat » Fri Nov 13, 2015 1:11 pm

ca.crt is the new or the old (expired) ca?

did you also copied the new ca to your clients?

Michael.

borepstein
OpenVpn Newbie
Posts: 2
Joined: Sun Jul 05, 2020 5:22 pm

Re: Ca.crt expired

Post by borepstein » Sun Jul 05, 2020 5:24 pm

This is a very interesting discussion.

What I also find interesting is that, while dates are mentioned in client .crt files, the server (ca.crt) one does not seem to have easily readable date info in it. Is there a way to tell what its expiration date is?

borepstein
OpenVpn Newbie
Posts: 2
Joined: Sun Jul 05, 2020 5:22 pm

Re: Ca.crt expired

Post by borepstein » Sun Jul 05, 2020 6:22 pm

openssl x509 -in ca.crt -dates -noout

This is the command. Source:

https://sourceforge.net/p/openvpn/mailm ... /31906542/

Post Reply