Certificate update procedures, what is recommended and what is possible?

rob-pe1chl
OpenVpn Newbie
Posts: 6
Joined: Sat Oct 09, 2021 6:07 pm


Post by rob-pe1chl » Sat Oct 09, 2021 6:19 pm

About 7 years ago I set up an OpenVPN server and used easy-rsa to set up the certificate structure. It runs on Debian Linux.
This works OK and I have issued about 250 client certificates. I just updated the server to 2.5.4 from the published repository for Debian.

But now I am getting the first complaint about certificates being insecure. The original CA certificate had been generated with an MD5 hash (which was the default back then) and most client certificates are using SHA1 as I modified that in the settings at some time.
Now I have updated the easy-rsa scripts (that had not been done for a long time...) and when I now generate new client certificates they are using SHA256.
Good, that prevents a warning about the client certs, but still my CA cert has MD5 hash and so there is still a warning about that, and it requires an override setting in a recent Android client (as did the SHA1 client cert).

There are still 3 years of lifetime in the CA cert, so I wonder what the best strategy would now be.
Is it possible to generate a new CA cert, sign any new client certs using that from now, and keep the old CA cert available for the existing clients so I can distribute new client certs when convenient? (maybe by just appending the new CA cert to the ca.crt file?)

Or is really the only option to restart from scratch with a new CA cert and re-generate and re-distribute all client certificates and switch over at an agreed-upon time when everyone will go offline until they come into action and update their cert?

Likely a lot of users have run into this so a pointer to some FAQ or topic would be welcome.
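The two things the post asks about can be checked locally with the openssl CLI: which digest each certificate in a bundle was signed with, and whether a ca.crt that simply concatenates the old and the new CA certificate validates clients issued by either CA (OpenVPN's --ca file may contain several CA certificates). The script below is an added example, not code from the post or from easy-rsa; it assumes the openssl CLI is installed, and the CAs it generates for the walk-through are both SHA-256 signed, so on a real MD5-signed CA the audit line would read md5WithRSAEncryption instead.

```shell
#!/bin/sh
# Audit signature digests in a PEM bundle (ca.crt, easy-rsa issued/*.crt)
# and show a combined old+new CA bundle verifying clients from both CAs.
# Assumes the openssl CLI; all file names below are placeholders.

# Print "<digest>  <subject>" for each certificate in bundle $1.
audit_bundle() {
    tmp=$(mktemp -d)
    # One file per PEM certificate; text before the first BEGIN is dropped.
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/{n++} n{print > (d "/" n ".pem")}' "$1"
    for f in "$tmp"/*.pem; do
        alg=$(openssl x509 -in "$f" -noout -text | awk '/Signature Algorithm:/{print $3; exit}')
        printf '%s  %s\n' "$alg" "$(openssl x509 -in "$f" -noout -subject)"
    done
    rm -rf "$tmp"
}

# Number of certificates in bundle $1 signed with MD5 or SHA-1 (any key type).
count_weak() {
    audit_bundle "$1" | awk '{print $1}' | grep -ciE 'md5|sha1' || true
}

# Self-signed CA: make_ca <out.crt> <out.key> <CN> <digest, e.g. sha256>
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 "-$4" \
        -subj "/CN=$3" -keyout "$2" -out "$1" 2>/dev/null
}

# Client cert signed by a CA: make_client <out.crt> <CN> <ca.crt> <ca.key>
make_client() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null
    openssl x509 -req -in "$1.csr" -CA "$3" -CAkey "$4" -CAcreateserial \
        -days 365 -sha256 -out "$1" 2>/dev/null
}

# Migration walk-through: returns 0 when both clients verify against the bundle.
demo() {
    work=$(mktemp -d)
    make_ca "$work/old-ca.crt" "$work/old-ca.key" "Old CA" sha256
    make_ca "$work/new-ca.crt" "$work/new-ca.key" "New CA" sha256
    make_client "$work/alice.crt" alice "$work/old-ca.crt" "$work/old-ca.key"
    make_client "$work/bob.crt"   bob   "$work/new-ca.crt" "$work/new-ca.key"
    cat "$work/old-ca.crt" "$work/new-ca.crt" > "$work/ca.crt"   # combined ca.crt
    audit_bundle "$work/ca.crt"
    if openssl verify -CAfile "$work/ca.crt" "$work/alice.crt" "$work/bob.crt" >/dev/null; then rc=0; else rc=1; fi
    rm -rf "$work"; return $rc
}
```

Run `audit_bundle /etc/openvpn/ca.crt` (or loop it over easy-rsa's issued directory) to see which certs still carry MD5 or SHA-1 signatures; `demo` shows that a client from either CA verifies once both CA certs are in the bundle.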
