Question about operations when creating a new CA

Scripts to manage certificates or generate config files

Moderators: TinCanTech

qteam
OpenVpn Newbie
Posts: 2
Joined: Mon Dec 26, 2022 4:34 am


Post by qteam » Wed Jan 24, 2024 2:48 am

Hello,

Our server currently uses AlmaLinux 8.9 and OpenVPN 2.5.3. The client side is also using OpenVPN 2.5.3.

The CA is currently valid for 25 years.

openssl x509 -noout -subject -dates -in /etc/xxx/ca.crt

I ran the above command and the expiration date was July 28, 2047 as shown below.

subject=CN = test
notBefore=Jul 3 xx:xx:xx 2022 GMT
notAfter=Jun 28 xx:xx:xx 2047 GMT

When this CA is renewed by the following commands, will the client certificates signed with the CA before renewal no longer be usable?

./easyrsa init-pki
./easyrsa build-ca nopass
./easyrsa build-server-full server_crt nopass
./easyrsa build-client-full client_crt nopass

We have many clients, so it is not feasible to distribute all client certificates at once after the CA is renewed.

Is there any way to enable the client certificates issued by the new CA while keeping the client certificates issued by the current CA valid?
We are using the open source version of OpenVPN, not OpenVPN Access Server. For OpenVPN Client, we have built a special mechanism so that software updates are relatively easy.

According to the following article, OpenVPN Access Server addresses this challenge by using cross-signing to allow connections from both old CAs and client certificates generated by new CAs.

https://openvpn.net/vpn-server-resource ... ss-server/

Is cross-signing possible with the open source version of OpenVPN, Easy-RSA or OpenSSL?

Kind Regards,
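The two mechanisms the question touches on, as an added example that is not part of the original post and not code from OpenVPN or Easy-RSA: (1) a trust bundle, since OpenVPN's ca directive accepts a PEM file with several CA certificates concatenated, so the server keeps accepting certificates from the old CA while new-CA certificates are rolled out; and (2) cross-signing, where the new CA's key and subject are re-issued under the old CA so that a peer trusting only the old CA can still build a chain to new-CA-issued certificates (a server would hand that cross-certificate to old clients via the extra-certs directive). The script assumes only the openssl command-line tool; the CA names, client names and scratch directory are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the forum post or the OpenVPN/Easy-RSA projects.
# Assumes the openssl CLI is installed. All files go to a scratch directory;
# "Old CA", "New CA", client_old and client_new are constructed names.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Create a self-signed CA and its private key.  $1 = file prefix, $2 = CN
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Issue a client certificate under a CA.  $1 = CA prefix, $2 = client prefix
issue_client() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
        -CAcreateserial -days 365 -sha256 -out "$WORK/$2.crt" 2>/dev/null
}

# Cross-sign: re-issue the new CA's public key and subject under the old CA.
# The result is a second certificate for the same key, marked CA:TRUE, so a
# verifier that trusts only the old CA can chain new-CA-issued certs through it.
cross_sign() {
    openssl req -new -key "$WORK/newca.key" -subj "/CN=New CA" \
        -out "$WORK/newca-cross.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/ca-ext.cnf"
    openssl x509 -req -in "$WORK/newca-cross.csr" -CA "$WORK/oldca.crt" \
        -CAkey "$WORK/oldca.key" -CAcreateserial -days 3650 -sha256 \
        -extfile "$WORK/ca-ext.cnf" -out "$WORK/newca-cross.crt" 2>/dev/null
}

# Chain-verify a certificate.  $1 = trusted CA file, $2 = certificate,
# $3 = optional file of untrusted intermediates (e.g. the cross-certificate).
# Returns 0 when a chain to the trusted file builds, non-zero otherwise.
verify_cert() {
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

setup_demo() {
    make_ca oldca "Old CA"
    make_ca newca "New CA"
    issue_client oldca client_old
    issue_client newca client_new
    cross_sign
    # Trust bundle: the file an OpenVPN server would point its "ca" directive
    # at during the transition, containing both CA certificates.
    cat "$WORK/oldca.crt" "$WORK/newca.crt" > "$WORK/ca-bundle.crt"
}

setup_demo
echo "scratch dir: $WORK"
verify_cert "$WORK/oldca.crt" "$WORK/client_old.crt" && echo "old client, old CA: OK"
verify_cert "$WORK/oldca.crt" "$WORK/client_new.crt" || echo "new client, old CA only: rejected"
verify_cert "$WORK/ca-bundle.crt" "$WORK/client_new.crt" && echo "new client, CA bundle: OK"
verify_cert "$WORK/oldca.crt" "$WORK/client_new.crt" "$WORK/newca-cross.crt" \
    && echo "new client, old CA + cross-cert: OK"
```

The bundle approach is the simpler one for the server side: existing client certificates stay valid for as long as the old CA certificate remains in the bundle, and it can be dropped once every client has been re-issued. The cross-certificate matters in the other direction, when clients that still carry only the old CA must verify a server certificate issued by the new CA. Note that both CA keys remain trusted during the overlap, so revocation (CRL) handling has to cover both CAs for the whole transition period.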
