Easy How-To for expired client/server certs

Scripts to manage certificates or generate config files


Post by Tcan » Thu Jul 27, 2023 12:58 am

I did a lot of hunting and testing for how to do this. Easy and obvious once done but some old info referred to older versions, some assumed you understood results but it's nervy to run a cmd that destroys your old crt without really being sure it's doing what you think.
This is for client or server certs, not the CA cert.
Trying to connect will tell you if cert on either end is expired, but you want to know in advance.
Open the crt (I'm doing this in Windows) and it says when it will expire.
Or in EasyRSA (admin cmd prompt, get to the easy-rsa dir, run Easyrsa-start.bat):
This is if you're on the system that created the certs.
First check the version with "easyrsa version"; be at 3.1.1 or higher.
Running "EasyRSA show-expire" shows the ones that will expire within 90 days.
Ones that are about to expire (within 30 days) you'd want to renew.
"EasyRSA renew [name]": just the name, you don't need the .crt.
Confirm with "yes" and enter the EasyRSA password.
You now have a new cert in pki\issued, with the same name as before.
Copy it to the Openvpn\config folder on the client to replace the old one.
Or copy it to the Openvpn\config-auto folder on the server to replace the old one.
On the server, restart the OpenVPN service.
Yes you have to physically replace the crt file on one or both systems. Can you do that remotely while you're connected by OpenVPN (before it expired)? Don't know, didn't try that while I had certs pending expiration. Worth trying.
Whether you need to do client and server depends. If you created a server for one client you probably made both at the same time, so both expire. If you created a server then set up clients as needed later then maybe the server expires first, or maybe past that time it's clients that start expiring.
That's all that's required but you might want to do some clean up.
Back at EasyRSA run "easyrsa revoke-renewed [name]". That revokes the old copy and gets rid of the backup copy that EasyRSA made.
Also if you're maintaining and publishing your CRL (cert revoked list) you'll already know how to update it. Don't forget to update for the new version of the renewed cert.
If there's any revisions to this you think would help, state them and I'll edit.
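Added example (not from Tcan's post or from EasyRSA itself): a small script that checks every cert in pki/issued the way "show-expire" does, using the post's 90-day and 30-day windows. It assumes the default EasyRSA pki layout and that openssl is on your PATH.

```python
"""Flag OpenVPN client/server certs that are close to expiring.

Added example, not from the original post. It mirrors the post's thresholds:
listed at 90 days (what `easyrsa show-expire` shows), renew inside 30 days.
Assumptions: EasyRSA's default pki/issued layout, and `openssl` on PATH.
"""
import ssl
import subprocess
import time
from pathlib import Path

WARN_DAYS = 90    # `easyrsa show-expire` window, per the post
RENEW_DAYS = 30   # the post suggests renewing inside this window


def days_left(not_after_line, now=None):
    """Days until expiry from an `openssl x509 -enddate -noout` line.

    The line looks like 'notAfter=Jul 27 00:58:00 2024 GMT'; the ssl
    module parses exactly this format. Negative means already expired.
    """
    stamp = not_after_line.strip().split("=", 1)[1]
    expiry = ssl.cert_time_to_seconds(stamp)
    now = time.time() if now is None else now
    return int((expiry - now) // 86400)


def status(days):
    """Map days remaining onto the post's three cases."""
    if days < 0:
        return "EXPIRED"
    if days <= RENEW_DAYS:
        return "RENEW"          # time to run: easyrsa renew <name>
    if days <= WARN_DAYS:
        return "WARN"           # would appear in show-expire
    return "OK"


def scan_issued(pki_dir="pki"):
    """Run openssl over every issued cert; return {name: (days, status)}."""
    report = {}
    for crt in sorted(Path(pki_dir, "issued").glob("*.crt")):
        out = subprocess.run(
            ["openssl", "x509", "-enddate", "-noout", "-in", str(crt)],
            capture_output=True, text=True, check=True).stdout
        days = days_left(out)
        report[crt.stem] = (days, status(days))   # stem = name without .crt
    return report


if __name__ == "__main__":
    for name, (days, state) in scan_issued().items():
        print(f"{state:8} {days:5d} days  {name}")
```

Run it from the easy-rsa directory (the same place you run the easyrsa commands); "RENEW" lines are the names to pass to "easyrsa renew".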
