Support on expired after 10 years server certificate

Scripts to manage certificates or generate config files

Moderators: TinCanTech

7router7
OpenVpn Newbie
Posts: 3
Joined: Fri Jan 12, 2024 9:40 pm

Support on expired after 10 years server certificate

Post by 7router7 » Fri Jan 12, 2024 9:47 pm

Hi all.
I am using OpenVPN 2.4.9 on CentOS release 6.10 on the server side.
Clients are usually Mikrotik boards, connecting using certificates to get static IP addresses.

After 10 years, the server certificate expired:
---------------------------------
# cat server.crt.bak
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Validity
Not Before: Jan 2 17:04:12 2014 GMT
Not After : Dec 31 17:04:12 2023 GMT

I need to renew it without distributing new certificates to all my 100+ clients. I cannot reach them anymore, currently.
If I look at the client certificates located in keys, I can see that none of them expires before 2025, so I have the time needed to replace them, if I can connect them to the VPN again to gain access to the client configuration page.

It seems that the tool in use is pkitool in this version of OpenVPN.
Is there a way to renew the server certificate without the need to redistribute the configuration to the clients?

Thanks all.

becm
OpenVPN User
Posts: 39
Joined: Tue Sep 01, 2020 1:27 pm

Re: Support on expired after 10 years server certificate

Post by becm » Sat Jan 13, 2024 3:45 pm

If the CA is expired as well (likely on default deployments) there is no way to recover without a full cert chain renewal.

If (for some strange reason) the CA is still valid, the server just needs a new/valid cert signed by this CA.
The CA that's normally shipped to the clients (Issuer: …) is the critical part here.

In default OpenVPN setups:
server: verifies client certs against your local CA
client: verifies server cert against (in most cases the same!) CA (ca.crt file or <ca> data in client config)

Not sure, but the server may also start to reject client certs if their CA is expired!

7router7
OpenVpn Newbie
Posts: 3
Joined: Fri Jan 12, 2024 9:40 pm

Re: Support on expired after 10 years server certificate

Post by 7router7 » Sat Jan 13, 2024 4:15 pm

Hi, thanks for your support.
In Mikrotik routers I used to export the crt, csr and key files and import them as certificates, which currently all expire after 2025. It sounds good to me.
My idea is to renew the server certificate based on the current key, to get everything working correctly, and after that start renewing certificates with a 100-year expiration. Is there a way to renew the certificate using the same key on the server side?
Am I wrong?

Thanks for your priceless support.

becm
OpenVPN User
Posts: 39
Joined: Tue Sep 01, 2020 1:27 pm

Re: Support on expired after 10 years server certificate

Post by becm » Sat Jan 13, 2024 10:24 pm

Reusing a key should be possible but may depend on your tools.
This pkitool for example always wants to regenerate a key for server certs (see 2nd line in server()).
Assuming the clients verify server certs based on the CA, just using a new server key should not be an issue.

Be careful with long cert lifetimes and (old) keys with deprecated cryptography parameters!
Some SSL libraries will (for good reason) reject weak combinations and enforce more restrictions in current/later versions.
See for example CA key size (4k RSA) and signature (SHA256 or better) in OpenSSL 3.x+.

7router7
OpenVpn Newbie
Posts: 3
Joined: Fri Jan 12, 2024 9:40 pm

Re: Support on expired after 10 years server certificate

Post by 7router7 » Sun Jan 14, 2024 7:35 pm

Hi becm,
I generated a new server certificate and a new key, using the previous CA.

Now OpenVPN successfully starts, but clients cannot connect.

The server log is the following:

Sun Jan 14 19:57:52 2024 TCP connection established with [AF_INET]82.59.14.XXX:42994
Sun Jan 14 19:57:52 2024 82.59.14.127:42994 TLS: Initial packet from [AF_INET]82.59.14.127:42994, sid=34ac8c72 df064c09
Sun Jan 14 19:57:52 2024 82.59.14.127:42994 VERIFY ERROR: depth=1, error=certificate has expired: C=IT, ST=FG, L=FOGGIA, O=RL, OU=server, CN=XXX.COM, name=server, emailAddress=XXX@GMAIL.COM
Sun Jan 14 19:57:52 2024 82.59.14.127:42994 OpenSSL: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Sun Jan 14 19:57:52 2024 82.59.14.127:42994 TLS_ERROR: BIO read tls_read_plaintext error
Sun Jan 14 19:57:52 2024 82.59.14.127:42994 TLS Error: TLS object -> incoming plaintext read error
Sun Jan 14 19:57:52 2024 82.59.14.127:42994 TLS Error: TLS handshake failed
Sun Jan 14 19:57:52 2024 82.59.14.127:42994 Fatal TLS error (check_tls_errors_co), restarting
Sun Jan 14 19:57:52 2024 82.59.14.127:42994 SIGUSR1[soft,tls-error] received, client-instance restarting
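The script below is an added example and not code from this thread, from pkitool or from OpenVPN. It uses plain openssl(1), which pkitool wraps, to walk through the points raised in becm's two replies (clients trust ca.crt rather than server.crt, so a server certificate can be re-issued from the existing server key without touching the clients, as long as the CA itself is still valid) and to reproduce the failure in the last log above: `openssl verify` reports an expired CA at depth 1 and an expired leaf at depth 0, the same depth numbering OpenVPN prints in its VERIFY ERROR line. All names, subjects, paths and lifetimes are made up for the example; the only requirement is an openssl 1.1 or newer binary on PATH.

```shell
#!/bin/sh
# Added example, not code from the thread, pkitool or OpenVPN. It uses plain
# openssl(1) (which pkitool wraps) to build a throwaway OpenVPN-style PKI,
# renew the server cert with the SAME server key, and reproduce the
# "certificate has expired" verify errors at depth 0 (leaf) and depth 1 (CA).
# Assumptions: openssl(1) >= 1.1 on PATH; every name, path and subject below
# is made up for the example.
set -eu

WORK="${WORK:-$(mktemp -d)}"          # scratch dir for keys and certs
SUBJ_SRV="/CN=vpn.example.test"       # hypothetical server name

# build_pki CA_DAYS SERVER_DAYS CLIENT_DAYS
# CA, server and one client (like the Mikrotik boards in the thread). Lifetimes
# are parameters so an expiring server cert and an expiring CA can be compared.
build_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$1" \
        -subj "/CN=Example VPN CA" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "$SUBJ_SRV" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
    openssl x509 -req -sha256 -days "$2" -in "$WORK/server.csr" -CA "$WORK/ca.crt" \
        -CAkey "$WORK/ca.key" -set_serial 1 -out "$WORK/server.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=client01" \
        -keyout "$WORK/client01.key" -out "$WORK/client01.csr" 2>/dev/null
    openssl x509 -req -sha256 -days "$3" -in "$WORK/client01.csr" -CA "$WORK/ca.crt" \
        -CAkey "$WORK/ca.key" -set_serial 2 -out "$WORK/client01.crt" 2>/dev/null
}

# renew_server_cert DAYS
# New CSR from the EXISTING server.key, signed by the same CA. Clients trust
# ca.crt, not server.crt, so nothing has to be redistributed to them.
renew_server_cert() {
    openssl req -new -key "$WORK/server.key" -sha256 -subj "$SUBJ_SRV" \
        -out "$WORK/server-renew.csr" 2>/dev/null
    openssl x509 -req -sha256 -days "$1" -in "$WORK/server-renew.csr" -CA "$WORK/ca.crt" \
        -CAkey "$WORK/ca.key" -set_serial 3 -out "$WORK/server.crt" 2>/dev/null
}

# same_key CERT KEY -> exit 0 when the cert carries KEY's public key
same_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    k=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
    [ "$c" = "$k" ]
}

# expires_within CERT DAYS -> prints yes/no (the check to run over the keys/ dir)
expires_within() {
    if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null; then echo no; else echo yes; fi
}

# verify_at CERT EPOCH -> "ok", "expired@depth N" or "fail".
# Depth 0 is the leaf, depth 1 its issuer: an expired CA shows up at depth 1,
# which is the depth OpenVPN's "VERIFY ERROR: depth=1, error=certificate has
# expired" line reports (it passes through OpenSSL's verify error and depth).
verify_at() {
    if out=$(openssl verify -attime "$2" -CAfile "$WORK/ca.crt" "$1" 2>&1); then
        echo ok; return 0
    fi
    depth=$(printf '%s\n' "$out" \
        | sed -n 's/.*error [0-9]* at \([0-9]*\) depth lookup: certificate has expired.*/\1/p' \
        | head -n 1)
    if [ -n "$depth" ]; then echo "expired@depth $depth"; else echo fail; fi
}

# openvpn_verify_depth LOGLINE -> the depth number from an OpenVPN "VERIFY ERROR" line
openvpn_verify_depth() {
    printf '%s\n' "$1" | sed -n 's/.*VERIFY ERROR: depth=\([0-9]*\),.*/\1/p'
}

# Walk-through: CA valid 1 year, server 30 days, clients 2 years.
if [ "${1:-}" = demo ]; then
    now=$(date +%s)
    build_pki 365 30 730
    echo "server cert expires within 60 days:       $(expires_within "$WORK/server.crt" 60)"
    echo "server cert in 60 days (before renewal):  $(verify_at "$WORK/server.crt" $((now + 60*86400)))"
    renew_server_cert 730
    same_key "$WORK/server.crt" "$WORK/server.key" && echo "renewed cert still matches server.key"
    echo "server cert in 60 days (after renewal):   $(verify_at "$WORK/server.crt" $((now + 60*86400)))"
    echo "client cert in 400 days (CA has expired): $(verify_at "$WORK/client01.crt" $((now + 400*86400)))"
fi
```

Run it as `sh pki-renew.sh demo` (the file name is arbitrary). The `-attime` option makes `openssl verify` evaluate the chain as of a future date, which is how the demo shows both situations without waiting: 60 days out only the 30-day server certificate has expired (depth 0) and re-issuing it from the old key fixes that; 400 days out the one-year CA has expired and every certificate it signed, including the freshly renewed server certificate and the still-valid client certificate, fails at depth 1. That is the failure the last log shows, and no amount of re-issuing leaves below the CA can clear it. `expires_within` is the `-checkend` check to run over all the client certificates before the next expiry, and `same_key` confirms a renewed certificate really carries the existing server key.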
