CA Management - how to customise expiration down from 10 years

Business solution to host your own OpenVPN server with web management interface and bundled clients.
mmillernz
OpenVpn Newbie
Posts: 2
Joined: Wed Jun 16, 2021 10:52 pm

CA Management - how to customise expiration down from 10 years

Post by mmillernz » Tue Aug 10, 2021 12:02 am

Hi,

I'm using OpenVPN AS v2.9.3.

I've been asked to REDUCE the VPN certificate validity from 10 years to 6 months (185 days) to force users to return laptops back to site to get new keys deployed, ensuring we can also run important maintenance tasks at the same time.

In the new version of OpenVPN AS v2.9, I can now see the Configuration->CA Management page, and there is an option to "Create New CA", which allows us to specify a signing algorithm, but not a smaller lifetime. (I'm aware of the irony that this feature appears to be the opposite of what I want - making it LESS LIKELY that certs will expire for users!)

Is there any configuration file behind the scenes we can edit to force the new certs to be generated with a smaller timescale? I assumed easyrsa would be running behind the scenes, and looked for a "vars" file but haven't found it or easyrsa.

Any help would be greatly appreciated.

Thanks, Michael.

openvpn_inc
OpenVPN Inc.
Posts: 1333
Joined: Tue Feb 16, 2021 10:41 am

Re: CA Management - how to customise expiration down from 10 years

Post by openvpn_inc » Tue Aug 10, 2021 8:34 am

Hello mmillernz,

That is indeed quite the opposite of what we're trying to solve here. However, further refinement of settings in terms of certificate lifetime is planned for future releases.

At the moment, it's not possible. It's not running EasyRSA. AS is in control of this. And it doesn't have the setting for what you want at this time.

Kind regards,
Johan
OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support

mmillernz
OpenVpn Newbie
Posts: 2
Joined: Wed Jun 16, 2021 10:52 pm

Re: CA Management - how to customise expiration down from 10 years

Post by mmillernz » Wed Aug 11, 2021 9:03 pm

Thanks for the answer. I appreciate the quick response! Cheers, Michael.

vnpenguin
OpenVpn Newbie
Posts: 14
Joined: Sun Dec 06, 2015 7:12 am
Location: Belgium

Re: CA Management - how to customise expiration down from 10 years

Post by vnpenguin » Fri Nov 12, 2021 8:00 am

With only two variables, "CA_EXPIRE" & "KEY_EXPIRE", for easy-rsa (2.0) I can create user profiles with any expiration duration. Yes, all my users have KEY_EXPIRE=365 days max, never 10 years!

Why does AS not support such a simple feature?

openvpn_inc
OpenVPN Inc.
Posts: 1333
Joined: Tue Feb 16, 2021 10:41 am

Re: CA Management - how to customise expiration down from 10 years

Post by openvpn_inc » Tue Nov 16, 2021 4:16 pm

Hello vnpenguin,

Access Server does support setting a custom expiration date for user certificates and CA certificates. By default it's 10 years. And it has to be set at the beginning. The functionality we implemented to auto-renew CAs is designed to solve the problem where certificates started to expire and were causing problems for users. So we wanted to make things valid longer or rather refresh them regularly to avoid expiration situations.

However, what was asked for by mmillernz was the exact opposite use case, where he wants to limit to shorter times on purpose. Personally I feel that would cause more problems than it solves. If the validity period is very short, things would just start breaking a lot sooner for people. One year in and you have to replace the CA certificate and client certificates, using your example. That's not what people expect when deploying a solution that takes away the trouble of dealing with certificates. Generally people want the product to 'just work' and are happy with certificates that do not expire too quickly.

I also personally feel that if shorter certificate lifetimes are to succeed with OpenVPN, then OpenVPN, or at least the client program, needs to have some way to refresh these automatically, so that users are not bogged down with having to import new certificates once a year.

If you feel differently, then the good news is that you can do so with the OpenVPN open source community edition - it gives you full control of your certificates. Access Server even has the option to specify how long certificates should be valid for using the command line. You want it to be valid for 1 year? Use sa init with an expiration time set to 1 year and you have the same thing you just described. But it has to be done from the start. And the CA refresh automation occurs once a year. But of course then you have to reimport profiles once a year. For all clients. Because the CA would expire too, for all clients simultaneously. There's a cost to limiting the validity period. There's also the option of using Access Server with an external PKI, meaning Access Server lets you manage your own CA and client certificates outside of Access Server's management systems. Then you can use EasyRSA to manage it all. So to say that Access Server doesn't support it I think is not right, but the question is more whether it makes sense to do that.

As for Access Server, the focus is more on making sure things work sensibly and don't require a reinstall or reimport every year or month to keep working. I hope the above all makes sense to you.

Kind regards,
Johan
OpenVPN Inc.
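Both vnpenguin's easy-rsa KEY_EXPIRE/CA_EXPIRE approach and Johan's point about setting the lifetime at "sa init" time come down to the same fact: the validity window is baked into the certificate when it is signed, so the only way to enforce a 185-day (or 365-day) policy afterwards is to audit what was issued and reissue. The Go program below is an added example written for this thread, not code from OpenVPN Inc. or from either poster. It builds a constructed self-signed CA with a chosen lifetime (standing in for a CA or client cert exported from Access Server or easy-rsa), then audits it: total validity in days, days remaining at a given date, and whether it exceeds a policy maximum. The CA name, serial and dates are all constructed placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math"
	"math/big"
	"time"
)

// NewSelfSignedCA builds a constructed, self-signed CA whose validity window is
// fixed at signing time (notBefore .. notBefore + lifetimeDays), which is how
// easy-rsa's CA_EXPIRE/KEY_EXPIRE and an "sa init" expiration both work.
// It returns PEM so the audit functions below operate on the same input an
// admin would extract from a profile or a CA store.
func NewSelfSignedCA(notBefore time.Time, lifetimeDays int) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1), // constructed placeholder serial
		Subject:               pkix.Name{CommonName: "Example VPN CA (constructed)"},
		NotBefore:             notBefore,
		NotAfter:              notBefore.Add(time.Duration(lifetimeDays) * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// ParsePEMCert decodes the first CERTIFICATE block in a PEM blob, e.g. the
// <ca> or <cert> section copied out of an .ovpn profile.
func ParsePEMCert(pemBytes []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("no CERTIFICATE block found in input")
	}
	return x509.ParseCertificate(block.Bytes)
}

// LifetimeDays is the total validity window (notAfter - notBefore) in whole days.
func LifetimeDays(c *x509.Certificate) int {
	return int(c.NotAfter.Sub(c.NotBefore).Hours() / 24)
}

// DaysUntilExpiry is the number of whole days left at "now"; negative once expired.
func DaysUntilExpiry(c *x509.Certificate, now time.Time) int {
	return int(math.Floor(c.NotAfter.Sub(now).Hours() / 24))
}

// ExceedsPolicy reports whether the certificate was issued with a longer
// lifetime than the policy allows (e.g. maxDays = 185 for the OP's case).
func ExceedsPolicy(c *x509.Certificate, maxDays int) bool {
	return LifetimeDays(c) > maxDays
}

func main() {
	issued := time.Date(2021, 8, 10, 0, 0, 0, 0, time.UTC) // constructed issue date
	for _, days := range []int{185, 3650} {
		pemBytes, err := NewSelfSignedCA(issued, days)
		if err != nil {
			panic(err)
		}
		c, err := ParsePEMCert(pemBytes)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s: lifetime=%d days, left=%d days, exceeds 185-day policy=%v\n",
			c.Subject.CommonName, LifetimeDays(c),
			DaysUntilExpiry(c, issued.Add(30*24*time.Hour)), ExceedsPolicy(c, 185))
	}
}
```

Run against real input by replacing the constructed CA with the PEM from a profile; a 10-year Access Server default comes out as a 3650-day lifetime and fails a 185-day policy check, which is exactly the audit that tells you which profiles must be reissued (and, as Johan notes, reimported) rather than waiting for them to break.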
