Ca.crt expired

Scripts to manage certificates or generate config files

Moderators: TinCanTech

abig76
OpenVpn Newbie
Posts: 2
Joined: Mon Nov 09, 2015 1:29 pm

Ca.crt expired

Post by abig76 » Mon Nov 09, 2015 3:16 pm

I ran into the 10-year expiration time like others before me. I checked this thread: topic18671.html. I successfully created a ca_new.crt file, but after testing it I receive a "certificate has expired" error.


Looking further, I found out that I have a server1.crt, which expired on the same date.

In the config I see this:
ca /etc/openvpn/keys/SPH/ca.crt
cert /etc/openvpn/keys/SPH/server1.crt
key /etc/openvpn/SPH/files/server1.key

Under /usr/local/easy-rsa/keys/SPH I have:
ca.crt,key,pem
server1.key,crt,csr
ta.key

I'm a little confused. On the client I have the ca.cert, which gave me expired errors. After a renew it stopped giving errors; instead it times out after 60 sec.

Should I create a new server1.crt too?

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Ca.crt expired

Post by maikcat » Tue Nov 10, 2015 7:37 am

you should distribute the newly created ca to ALL your clients/server.

also if there are any expired client/server certs they also need to be replaced.

the only gain you have by signing a new ca.crt with the previous ca key is that
any client certs which were signed by the old ca are still valid, if they are not expired of course.

so

if you had created the ca and all client configs at once, creating a new ca signed using the old one's key
is almost useless because you still need to recreate all the certs again....

also keep in mind that the server sends its own ca to the client and vice versa.

Michael

abig76
OpenVpn Newbie
Posts: 2
Joined: Mon Nov 09, 2015 1:29 pm

Re: Ca.crt expired

Post by abig76 » Wed Nov 11, 2015 7:58 am

Okay, I generated new certs for every expired one. I also created a new test user. Let's call it client1.

Code:

openssl verify -CAfile ca.crt client1.crt 
it gives me client1.crt: OK

However, after trying to connect from a client I get: SSL_GET_SERVER_CERTIFICATE certificate verify failed

Code:

openssl verify -CAfile ca.crt  server1.crt
server1.crt: OK


After copying the same keys to my other server the verify command gives me

Code:

error 7 at 1 depth lookup:certificate signature failure 

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Ca.crt expired

Post by maikcat » Fri Nov 13, 2015 1:11 pm

ca.crt is the new or the old (expired) ca?

did you also copy the new ca to your clients?

Michael.

borepstein
OpenVpn Newbie
Posts: 3
Joined: Sun Jul 05, 2020 5:22 pm

Re: Ca.crt expired

Post by borepstein » Sun Jul 05, 2020 5:24 pm

This is a very interesting discussion.

What I also find interesting is that, while dates are mentioned in client .crt files, the server (ca.crt) one does not seem to have easily readable date info in it. Is there a way to tell what its expiration date is?

borepstein
OpenVpn Newbie
Posts: 3
Joined: Sun Jul 05, 2020 5:22 pm

Re: Ca.crt expired

Post by borepstein » Sun Jul 05, 2020 6:22 pm

openssl x509 -in ca.crt -dates -noout

This is the command. Source:

https://sourceforge.net/p/openvpn/mailm ... /31906542/
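
An added example (not part of the thread, and not OpenVPN or easy-rsa code) that reproduces the situation discussed above with a throwaway CA: it prints validity dates with the `openssl x509 -dates` command from the last post, then shows that a CA certificate renewed with the same key still verifies a server certificate issued earlier, while a CA certificate built on a different key does not. All file names, subjects and lifetimes are constructed; it assumes an `openssl` binary that supports `verify -attime` and returns a non-zero exit status on verification failure.

```bash
#!/usr/bin/env bash
# Added example: builds a throwaway PKI in a temp dir; every name here is constructed.
work=$(mktemp -d)

# check_cert CA CERT [EPOCH]: print both validity windows, then verify CERT against
# CA (optionally as of EPOCH). Returns 0 if the chain verifies, 1 otherwise.
check_cert() {
    local ca=$1 cert=$2 at=${3:-$(date +%s)}
    openssl x509 -in "$ca" -noout -subject -dates
    openssl x509 -in "$cert" -noout -subject -dates
    openssl verify -attime "$at" -CAfile "$ca" "$cert" 2>&1 || return 1
}

# expiring_soon CERT DAYS: true if CERT's notAfter falls within the next DAYS days.
expiring_soon() {
    ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# make_ca KEY OUT DAYS: self-signed CA certificate for an existing private key.
make_ca() {
    openssl req -x509 -new -key "$1" -subj "/CN=Example CA" -days "$3" -out "$2" 2>/dev/null
}

build_demo() {
    cd "$work" || return 1
    for k in ca other server1; do openssl genrsa -out "$k.key" 2048 2>/dev/null; done
    make_ca ca.key    ca_old.crt   1      # stands in for the CA that is about to expire
    make_ca ca.key    ca_new.crt   3650   # renewed CA certificate, SAME key
    make_ca other.key ca_other.crt 3650   # same subject, DIFFERENT key
    openssl req -new -key server1.key -subj "/CN=server1" -out server1.csr 2>/dev/null
    openssl x509 -req -in server1.csr -CA ca_old.crt -CAkey ca.key -CAcreateserial \
        -days 365 -out server1.crt 2>/dev/null
}

build_demo
later=$(( $(date +%s) + 2 * 86400 ))   # two days on, after ca_old.crt has expired
expiring_soon ca_old.crt 30 && echo "ca_old.crt expires within 30 days"
check_cert ca_old.crt   server1.crt "$later" || echo "old CA: fails once the CA expires"
check_cert ca_new.crt   server1.crt "$later" && echo "renewed CA, same key: server1.crt still valid"
check_cert ca_other.crt server1.crt          || echo "new CA key: server1.crt must be reissued"
```

Running the same two functions against the real ca.crt and server1.crt on each server and client shows which side still holds an expired or mismatched file.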
