CA and Server certificates expired

Scripts to manage certificates or generate config files
Post Reply
OpenVpn Newbie
Posts: 2
Joined: Mon Jun 29, 2020 5:22 am

CA and Server certificates expired

Post by baldox » Mon Jun 29, 2020 11:26 am

Hi all,

I am in same conditions of this topic viewtopic.php?t=18671 but following the thread we are not able to establish the connectivity indeed.

So currently we are in the condition where:
- all CA.cert at client side and server side are expired
- the server.cert is expired

tried to run:

Code: Select all

openssl x509 -in caOld.crt -days 36500 -out caNew.crt -signkey caOld.key
openssl verify -CAfile caNew.crt test.crt
test.crt: OK
and then replacing this at the server side we are still not able to establsih the connection.

To generate the new server certificate we used:

Code: Select all

openssl genrsa -out serverNew.key 2048
openssl req -new -key serverNew.key -out serverNew.csr
openssl x509 -req -in serverNew.csr -CA caNew.crt -CAkey caOld.key -CAcreateserial -out serverNew.crt -days 500 -sha256
Can you help me understanding how to proceed to avoid the client CA update and if we are wrong in any of the above command?

Other question, adding this line at the server side

Code: Select all

tls-cipher "DEFAULT:@SECLEVEL=0"
Can we skip the CA authentication in some how at the server side?

Thank you in advance for your support!

OpenVPN Power User
Posts: 170
Joined: Tue May 01, 2012 9:30 pm

Re: CA and Server certificates expired

Post by 300000 » Mon Jun 29, 2020 10:43 pm

you can make connection without certificate using static key , but you need to update all client config so it can connec to server

create a static key on openssl or whatever software you want to use after that add this line on both server and client . remove all referent all certificate file from server and client

"secret static.key" ... ini-howto/

you are enjoy 10 years openvpn connection it is now where it strike you when you create certificate. but not fully understand how certificate work that is why now all you need is do it again from the time when you create certificate make sure it is 100 years expired not 10 years.

Post Reply