CA and server certificate expired

Scripts to manage certificates or generate config files

Moderators: TinCanTech

piotrr
OpenVpn Newbie
Posts: 2
Joined: Tue Feb 14, 2023 8:14 am

Post by piotrr » Tue Feb 14, 2023 8:32 am

Hi,
It's been 10 years since OpenVPN went live on the server. I have more than 100 users and the main CA and server cert have expired. Is there any way to extend them without sending out a new configuration to users?
My server system is Debian 9.13.

Code: Select all

dev tun0
local XX.XXX.XXX.XXX
tun-mtu 1500
inactive 7200
server 1XX.XX.0.0 255.255.128.0
port 1194
proto udp
management localhost 7505
comp-lzo
crl-verify /etc/openvpn/pki_users/keys/crl.pem
dh /etc/openvpn/pki_users/keys/dh2048.pem
ca /etc/openvpn/pki_users/keys/ca.crt
cert /etc/openvpn/pki_users/keys/router.crt
key /etc/openvpn/pki_users/keys/router.key

plugin /usr/lib/openvpn/openvpn-auth-ldap.so /etc/openvpn/users_ldap.conf

log-append /var/log/openvpn/openvpn-users.log

OpenVPN client log
Tue Feb 14 09:19:20 2023 VERIFY ERROR: depth=1, error=certificate has expired: C=PL, ST=Mazowieckie, L=Warszawa, O=MYCOMPANY, OU=IT, CN=MYCOMPANY CA, emailAddress=admins@MYCOMPANY.pl
Tue Feb 14 09:19:20 2023 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Tue Feb 14 09:19:20 2023 TLS_ERROR: BIO read tls_read_plaintext error
Tue Feb 14 09:19:20 2023 TLS Error: TLS object -> incoming plaintext read error
Tue Feb 14 09:19:20 2023 TLS Error: TLS handshake failed


Server CA

Code: Select all

openssl x509 -noout -text -in ca.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            d6:06:9c:28:6a:c9:b9:e8
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C = PL, ST = Mazowieckie, L = Warszawa, O = MYCOMPANY, OU = IT, CN = MYCOMPANY CA, emailAddress = admins@MYCOMPANY.pl
        Validity
            Not Before: Feb 13 10:49:36 2013 GMT
            Not After : Feb 11 10:49:36 2023 GMT
        Subject: C = PL, ST = Mazowieckie, L = Warszawa, O = MYCOMPANY, OU = IT, CN = MYCOMPANY CA, emailAddress = admins@MYCOMPANY.pl
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:e1:29:97:a7:df:68:02:4b:9f:1b:29:9a:e7:e9:

Server Cert

Code: Select all

openssl x509 -noout -text -in router.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C = PL, ST = Mazowieckie, L = Warszawa, O = MYCOMPANY, OU = IT, CN = MYCOMPANY CA, emailAddress = admins@MYCOMPANY.pl
        Validity
            Not Before: Feb 13 10:49:55 2013 GMT
            Not After : Feb 11 10:49:55 2023 GMT
        Subject: C = PL, ST = Mazowieckie, L = Warszawa, O = MYCOMPANY, OU = IT, CN = router, emailAddress = admins@MYCOMPANY.pl
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b6:e5:56:a1:60:37:12:96:f6:43:59:01:ce:cd:
I tried these links
viewtopic.php?t=18671

Code: Select all

openssl x509 -in ca.crt -days 3650 -out ca_new.crt -signkey ca.key
and

Code: Select all

openssl x509 -in router.crt -days 3650 -out router_new.crt -signkey router.key

Do you have any ideas? Has anyone had success with this?

Thank you for your help

piotrr
OpenVpn Newbie
Posts: 2
Joined: Tue Feb 14, 2023 8:14 am

Re: CA and server certificate expired

Post by piotrr » Tue Feb 14, 2023 10:25 am

I was able to do it. The only problem is that I have to change the CA on the user stations.
Is it possible to copy the file to the user station while connecting with OpenVPN?
