
Ca.crt expired

Posted: Mon Nov 09, 2015 3:16 pm
by abig76
I ran into the 10-year expiration time like others before me. I checked this thread: topic18671.html. I successfully created a ca_new.crt file, but after testing it I receive a "certificate has expired" error.

Looking further, I found out that I have a server1.crt which expired on the same date.

In the config I see this:
ca /etc/openvpn/keys/SPH/ca.crt
cert /etc/openvpn/keys/SPH/server1.crt
key /etc/openvpn/SPH/files/server1.key

Under /usr/local/easy-rsa/keys/SPH I have:
ca.crt,key,pem
server1.key,crt,csr
ta.key

I'm a little confused. On the client I have the ca.crt, which gave me expired errors. After a renew it stopped giving errors; instead it times out after 60 sec.

Should I create a new server1.crt too?

Re: Ca.crt expired

Posted: Tue Nov 10, 2015 7:37 am
by maikcat
You should distribute the newly created CA to ALL your clients/servers.

Also, if there are any expired client/server certs, they also need to be replaced.

The only gain you have by signing a new ca.crt with the previous CA key is that
any client certs which were signed by the old CA are still valid, if they are not expired of course.

So

if you had created the CA and all client configs at once, creating a new CA signed using the old one's key
is almost useless, because you still need to recreate all the certs again....

Also keep in mind that the server sends its own CA to the client and vice versa.

Michael

Re: Ca.crt expired

Posted: Wed Nov 11, 2015 7:58 am
by abig76
Okay, I generated new certs for every expired one. I also created a new test user. Let's call it client1.

openssl verify -CAfile ca.crt client1.crt
It gives me client1.crt: OK

However, after trying to connect from a client I get: SSL_GET_SERVER_CERTIFICATE certificate verify failed

openssl verify -CAfile ca.crt server1.crt
server1.crt: OK


After copying the same keys to my other server, the verify command gives me


error 7 at 1 depth lookup:certificate signature failure 

Re: Ca.crt expired

Posted: Fri Nov 13, 2015 1:11 pm
by maikcat
Is ca.crt the new or the old (expired) CA?

Did you also copy the new CA to your clients?

Michael.

Re: Ca.crt expired

Posted: Sun Jul 05, 2020 5:24 pm
by borepstein
This is a very interesting discussion.

What I also find interesting is that, while dates are mentioned in client .crt files, the server (ca.crt) one does not seem to have easily readable date info in it. Is there a way to tell what its expiration date is?

Re: Ca.crt expired

Posted: Sun Jul 05, 2020 6:22 pm
by borepstein
openssl x509 -in ca.crt -dates -noout

This is the command. Source:

https://sourceforge.net/p/openvpn/mailm ... /31906542/
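A script that runs the two checks this thread turns on (whether the CA and server cert have expired, and whether the server cert still verifies against the CA named in the config) is given below as an added example; it is not code from the thread. It assumes an OpenVPN server config with "ca" and "cert" lines like abig76's and the openssl binary on PATH.

```shell
# Added example (not from this thread): audit the CA and server certificate that
# an OpenVPN server config points at. Assumes PEM files named on the "ca" and
# "cert" lines of the config and the openssl binary on PATH.
set -e

# Print the value of the first CONFIG line whose first word is KEY.
config_value() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# Succeed if the certificate is still valid SECONDS from now; fail if it has
# expired or will expire within that window (no date parsing needed).
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# Succeed if CERT was signed by the CA in CAFILE: the check abig76 ran above.
# A cert copied next to a different ca.crt fails here with a signature error.
cert_signed_by() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Report on the certs named by CONFIG, warning WARN_DAYS (default 30) ahead.
# Returns 0 only if both certs are unexpired and the server cert chains to the CA.
check_openvpn_certs() {
    config=$1; warn_secs=$(( ${2:-30} * 86400 )); status=0
    ca=$(config_value "$config" ca)
    cert=$(config_value "$config" cert)
    for f in "$ca" "$cert"; do
        end=$(openssl x509 -in "$f" -noout -enddate)   # e.g. notAfter=Nov  9 ...
        if ! cert_valid_for "$f" 0; then
            echo "EXPIRED: $f ($end)"; status=1
        elif ! cert_valid_for "$f" "$warn_secs"; then
            echo "EXPIRING SOON: $f ($end)"
        else
            echo "ok: $f ($end)"
        fi
    done
    if cert_signed_by "$ca" "$cert"; then
        echo "ok: $cert verifies against $ca"
    else
        echo "FAIL: $cert does not verify against $ca (wrong or stale CA?)"; status=1
    fi
    return $status
}

# Usage: sh check_certs.sh /etc/openvpn/server.conf [warn_days]
if [ $# -gt 0 ]; then
    check_openvpn_certs "$@"
fi
```

Run it on each server and, with a client config, on each client, since an old ca.crt left on one side produces exactly the signature failure seen in this thread.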