Work with client 2.4.6 "md certificates too weak"
Posted: Mon Sep 03, 2018 1:31 pm
by a_roman
Version 2.4.6 of the client became available. It produces an error: "md certificates too weak"
Tell me what to do about it.
Re: Work with client 2.4.6
Posted: Mon Sep 03, 2018 1:38 pm
by TinCanTech
Re: Work with client 2.4.6
Posted: Mon Sep 03, 2018 1:38 pm
by novaflash
You should get stronger certificates. The MD5 signed certificates are so weak it is a security risk. We've given people a very long time to warn them about this and to migrate away to a proper implementation, but now we're reaching a point where we're protecting people from insecure connections.
Re: Work with client 2.4.6
Posted: Mon Sep 03, 2018 1:50 pm
by a_roman
What actions should I take to do this?
Creating a new PKI implies a new server?
Can I support old clients with md5 certificates and a new pki?
Re: Work with client 2.4.6
Posted: Mon Sep 03, 2018 1:57 pm
by TinCanTech
a_roman wrote: ↑Mon Sep 03, 2018 1:50 pm
What actions should I take to do this?
Read the EasyRSA help.
a_roman wrote: ↑Mon Sep 03, 2018 1:50 pm
Creating a new PKI implies a new server?
No .. a new PKI is new CA, certificates and keys of the current server and all clients.
a_roman wrote: ↑Mon Sep 03, 2018 1:50 pm
Can I support old clients with md5 certificates and a new pki?
No! and you don't want to either.
Note:
novaflash wrote: ↑Mon Sep 03, 2018 1:38 pm
The MD5 signed certificates are so weak it is a security risk. We've given people a very long time to warn them about this and to migrate away to a proper implementation, but now we're reaching a point where we're protecting people from insecure connections.
You have had enough time.
You can still use MD5 but you may as well not use a VPN at all if you do because you will have NO security and be open to attack.
Re: Work with client 2.4.6 "md certificates too weak"
Posted: Mon Sep 03, 2018 2:00 pm
by a_roman
And another question. Are there any dependencies when updating the release from 14 to 18?
Re: Work with client 2.4.6 "md certificates too weak"
Posted: Mon Sep 03, 2018 2:03 pm
by TinCanTech
a_roman wrote: ↑Mon Sep 03, 2018 2:00 pm
release from 14 to 18
of what ?
Re: Work with client 2.4.6 "md certificates too weak"
Posted: Mon Sep 03, 2018 2:04 pm
by a_roman
My mistake. I'm sorry. Upgrade Ubuntu Linux 14 to 18.
Re: Work with client 2.4.6 "md certificates too weak"
Posted: Mon Sep 03, 2018 2:10 pm
by TinCanTech
I presume you mean upgrade Linux 4.14 to 4.18 ..
Or maybe .. you mean Ubuntu 14.04 to 18.04
I don't think there are any complicated dependencies related to OpenVPN.
You may find these repos more up to date:
https://community.openvpn.net/openvpn/w ... twareRepos
Re: Work with client 2.4.6 "md certificates too weak"
Posted: Mon Sep 03, 2018 2:20 pm
by a_roman
I mean from 14.04 to 18.04.
Re: Work with client 2.4.6 "md certificates too weak"
Posted: Tue Sep 04, 2018 8:47 am
by a_roman
Our Openvpn is used under the control of webmin. Can I create through it another CA next to the old one?
And then gradually transfer the old customers to a new CA?
Is it possible to use the old configuration parameters from /openvpn-ssl.cnf?
Will two CAs work simultaneously??
Re: Work with client 2.4.6 "md certificates too weak"
Posted: Tue Sep 04, 2018 11:12 am
by TinCanTech
a_roman wrote: ↑Tue Sep 04, 2018 8:47 am
Our Openvpn is used under the control of webmin
You still use EasyRSA and then upload the files, taking the webmin out of the way. (Should work but may not)
a_roman wrote: ↑Tue Sep 04, 2018 8:47 am
Can I create through it another CA next to the old one?
And then gradually transfer the old customers to a new CA?
Yes. You have customers then you should know and understand this by now!
a_roman wrote: ↑Tue Sep 04, 2018 8:47 am
Is it possible to use the old configuration parameters from /openvpn-ssl.cnf?
I don't know but probably not. Because that would be with your webmin and that is out of date.
a_roman wrote: ↑Tue Sep 04, 2018 8:47 am
Will two CAs work simultaneously??
You can stack them but the MD5 certs will still be rejected because of security.
If you want to contact me privately : tincanteksup <at> gmail
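Added example, not part of any post in this thread: when moving clients gradually to a new CA as discussed above, it helps to list which certificate files are still MD5-signed. This sketch reads the signature algorithm with `openssl x509`; the function names, the sample text and the directory argument are assumptions, not anything taken from the thread or from EasyRSA.

```shell
#!/bin/sh
# Added example: list which certificates are still MD5-signed before or
# during a migration to a new CA. Function names and SAMPLE_MD5 are
# hypothetical; the directory to scan is whatever your PKI uses.

# Constructed excerpt of `openssl x509 -noout -text` output (not a real cert).
SAMPLE_MD5='Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: CN=Constructed-Example-CA'

# Extract the first "Signature Algorithm:" value from openssl text on stdin.
sigalg_from_text() {
    sed -n 's/^[[:space:]]*Signature Algorithm:[[:space:]]*//p' | head -n 1
}

# WEAK = MD5 signature (what the client refuses), UNKNOWN = not a parseable
# certificate, OK = anything else. Only MD5 is judged here.
classify_sigalg() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        md5*) echo WEAK ;;
        "")   echo UNKNOWN ;;
        *)    echo OK ;;
    esac
}

# Print "STATUS<TAB>algorithm<TAB>file" for each .crt/.pem in a directory.
# Returns 1 if at least one MD5-signed certificate was found, else 0.
scan_dir() {
    weak=0
    for f in "$1"/*.crt "$1"/*.pem; do
        [ -f "$f" ] || continue
        alg=$(openssl x509 -in "$f" -noout -text 2>/dev/null | sigalg_from_text)
        status=$(classify_sigalg "$alg")
        printf '%s\t%s\t%s\n' "$status" "${alg:-unparseable}" "$f"
        if [ "$status" = WEAK ]; then weak=1; fi
    done
    return "$weak"
}

# Usage: sh check_md5_certs.sh /path/to/pki/issued
if [ "$#" -gt 0 ]; then scan_dir "$1"; fi
```

Files reported as WEAK are the ones that need reissuing under the new CA; private keys and other non-certificate `.pem` files show up as UNKNOWN.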