I have had a MikroTik router running as an OpenVPN server for around 6 years now. But in an attempt to move from one certificate database to another I found out that the CA that was created 6 years ago was not created correctly as it has no key usage set. This means that the CA is in a sense now usable as a CA, which then has gotten me to want to replace the CA with a new CA.
The problem is that I still have over a hundred users that are bound to the old CA, and most of their certificates still last another two years. So I have been trying to figure out the best way to change the CA over to the new one, while still supporting the current users.
Of course it is not made any easier with the fact that the MikroTik implementation of OpenVPN is rather lacking and limited.
So can anyone maybe tell me if it is even possible for OpenVPN to handle multiple CAs at the same time?
Or is there something fundamental about certificates that I have totally misunderstood? Like should I make my new CA signed by the old CA so they are in the same chain? I am not sure how that would work when the old CA then expires.
New CA but with old CA support
- TinCanTech
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: New CA but with old CA support
> Deantwo wrote: if it is even possible for OpenVPN to handle multiple CAs at the same time?

Yes, via stacked certificates:
https://community.openvpn.net/openvpn/w ... ate_Chains

> Deantwo wrote: is there something fundamental about certificates that I have totally misunderstood?

There are not many people who understand everything about PKIs, it is a hugely complicated field.

> Deantwo wrote: Of course it is not made any easier with the fact that the MikroTik implementation of OpenVPN is rather lacking and limited

You could run a linux server behind the router.

I would create a new PKI from scratch, test it for all your specific needs and then roll it out as a permanent replacement for your old PKI.
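The stacked-certificates answer above, worked through as an added example that is not code from this thread or from OpenVPN: a Go program (standard library only) that builds a constructed old CA with no keyUsage extension and a new CA with keyCertSign, issues a client certificate from each, and verifies both against a trust store holding both CAs, the in-memory equivalent of concatenating the two CA PEM files into the single file the `ca` option points at. All names and values are constructed; it does not model MikroTik's certificate store.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue returns a fresh key and certificate for name: a self-signed CA when parent == nil (withKeyUsage=false
// mimics the thread's old CA, which has no keyUsage extension), else a client-auth cert signed by parent. Constructed data.
func issue(name string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, withKeyUsage bool) (*x509.Certificate, *ecdsa.PrivateKey) {
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil { // self-signed CA
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		if withKeyUsage {
			tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
		}
		parent, parentKey = tmpl, key
	} else { // end-entity client certificate
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// verifyClient validates client against a stacked store of every CA in cas (like a concatenated OpenVPN ca file).
func verifyClient(client *x509.Certificate, cas ...*x509.Certificate) error {
	pool := x509.NewCertPool()
	for _, ca := range cas {
		pool.AddCert(ca)
	}
	_, err := client.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}
```

Removing either CA from the pool makes that CA's clients fail verification, which is exactly the gap the stacked file closes while the old certificates run out.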
- Deantwo
- OpenVpn Newbie
- Posts: 8
- Joined: Thu Aug 18, 2016 6:52 am
Re: New CA but with old CA support
> TinCanTech wrote:
> > Deantwo wrote: is there something fundamental about certificates that I have totally misunderstood?
> There are not many people who understand everything about PKIs, it is a hugely complicated field.

Makes me feel a little better, thanks. ^^;

> TinCanTech wrote:
> > Deantwo wrote: if it is even possible for OpenVPN to handle multiple CAs at the same time?
> Yes, via stacked certificates:
> https://community.openvpn.net/openvpn/w ... ate_Chains

That is interesting, thanks!

Sadly MikroTik does not support the use of stacked certificates like this, since the certificate has to be imported into the router's certificate store, which then separates them.

Would it be possible to do it with a certificate chain? I mean if the new certificate is signed by the old CA?

From what I understand from that page you linked, I will likely hit the same issue?

> TinCanTech wrote:
> > Deantwo wrote: Of course it is not made any easier with the fact that the MikroTik implementation of OpenVPN is rather lacking and limited
> You could run a linux server behind the router.

Yeah, have been considering finding some OpenVPN server software and setting up an actual server.

> TinCanTech wrote: I would create a new PKI from scratch, test it for all your specific needs and then roll it out as a permanent replacement for your old PKI.

But creating it from scratch would make me have to replace ALL the certificates and configurations of existing users. I am not saying I wouldn't love to correct the error in one huge undertaking, but it simply isn't possible.
- TinCanTech
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: New CA but with old CA support
As a test solution, run a Linux VM and use git-master/openvpn on your server. I think it will take you less than a week to realise the benefits.