Expired certs

Scripts to manage certificates or generate config files
Post Reply
mgrant
OpenVPN User
Posts: 21
Joined: Fri Feb 07, 2014 8:19 am

Expired certs

Post by mgrant » Sat Dec 19, 2020 4:34 pm

I've got a small problem. I've got a CA and a bunch of clients certs that are going to expire in a couple years. Unfortunately it's not practical to update the anything in the clients. There's a lot of clients and they are rarely connected and it requires manual intervention to get them to connect.

The clients have a ca.crt, a server.crt, and a client.crt. Both the client and the server.crt depend on the ca.crt. All 3 certs are set to expire in a couple years!

I moved the clocks forward a couple years on a test server and test client to see what could be done. I managed to get the server to ignore the expiration in the client.crt. I also managed to create a new server.crt based on the old server.key and resign it with a new ca.crt based on its original key. My hope was the client would see the new server cert, the key being the same, and seeing it was signed properly would accept it, but no! The ca.crt is also expired!

I couldn't find a way to get the clients to connect after the expiration date. They just complain about the expired server.crt which they have locally, even though the remote server.crt has an updated expiration date. It's only once I manually update their version of the server.crt and ca.crt will they connect.

Is there anything I can do on the server, without modifying anything in the clients, such that they will continue to be able connect using their expired certs they have?

If I could update the certs easily in the client, I would!

User avatar
TinCanTech
Forum Team
Posts: 9750
Joined: Fri Jun 03, 2016 1:17 pm

Re: Expired certs

Post by TinCanTech » Sat Dec 19, 2020 5:04 pm

When your CA expires that is game over anyway.

You may as well bite the bullet and start sorting it out now, while you still have a two year window..

If you do then you may find this helpful:
https://github.com/TinCanTech/easy-tls

mgrant
OpenVPN User
Posts: 21
Joined: Fri Feb 07, 2014 8:19 am

Re: Expired certs

Post by mgrant » Sun Dec 20, 2020 3:33 pm

Ok thanks for confirming that. I was fairly sure I'm screwed here.

Current plan is to write a client-connect script to update as many of the devices that connect as possible before the expiration date.

Post Reply