Server Certificate [server.crt - not ca.crt] Has Expired

Scripts to manage certificates or generate config files

Moderators: TinCanTech, TinCanTech, TinCanTech, TinCanTech, TinCanTech, TinCanTech

Post Reply
luke90275
OpenVpn Newbie
Posts: 1
Joined: Fri Sep 02, 2022 4:55 pm

Server Certificate [server.crt - not ca.crt] Has Expired

Post by luke90275 » Fri Sep 02, 2022 5:03 pm

ORIGINAL TITLE: Certificate Has Expired

Hi,

So my vpn's ca certificate has expired. When a client tries to connect to the server, the client recieves the following error message: 'VERIFY ERROR: depth=0, error=certificate has expired'. I have attempted to renew the certifcate using:

Code: Select all

openssl x509 -in ca.crt -days 36500 -out ca_new.crt -signkey ca.key
openssl verify -CAfile ca_new.crt prev_client.crt
prev_client.crt: OK
Then I replace the current ca with ca_new in my server.conf. After restarting the server and recreating the client using the new ca_new.crt, I still get the same error that the certificate has expired. I am not sure what exactly is wrong, as openssl verifies that my new certificate should work with the prev_client.crt. Am I missing a step maybe?

Any help would be greatly appreciated. Thanks in advance!

EDIT: I believe my CA certificate is working just fine. How can I go about creating a server certificate (server.crt) which still allows the current clients to connect to?

User avatar
openvpn_inc
OpenVPN Inc.
Posts: 1332
Joined: Tue Feb 16, 2021 10:41 am

Re: Server Certificate [server.crt - not ca.crt] Has Expired

Post by openvpn_inc » Sat Sep 03, 2022 2:01 am

Hi Luke,

You had posted this in the OpenVPN Access Server forum, but I moved it here because:
luke90275 wrote:
Fri Sep 02, 2022 5:03 pm
So my vpn's ca certificate has expired. When a client tries to connect to the server, the client recieves the following error message: 'VERIFY ERROR: depth=0, error=certificate has expired'. I have attempted to renew the certifcate using:

Code: Select all

openssl x509 -in ca.crt -days 36500 -out ca_new.crt -signkey ca.key
openssl verify -CAfile ca_new.crt prev_client.crt
prev_client.crt: OK
Then I replace the current ca with ca_new in my server.conf.
Access Server does not use a "server.conf" file.
luke90275 wrote:
Fri Sep 02, 2022 5:03 pm
After restarting the server and recreating the client using the new ca_new.crt, I still get the same error that the certificate has expired. I am not sure what exactly is wrong, as openssl verifies that my new certificate should work with the prev_client.crt. Am I missing a step maybe?
More than one step. First, you did not say what you are using to manage your public key infrastructure (PKI), is it easy-rsa? (If so this belonged in the subforum.)

Second, you could show us the results of openssl(1) x509(1) commands which show the current status of your CA, server and client certificates. Sorry, I can't remember the exact commands, but I gave you the man page references. (I can't remember them because I've been pampered and spoiled by OpenVPN Access Server, which manages the PKI for you.)
luke90275 wrote:
Fri Sep 02, 2022 5:03 pm
EDIT: I believe my CA certificate is working just fine. How can I go about creating a server certificate (server.crt) which still allows the current clients to connect to?
Third, you might not be understanding the whole concept of SSL/TLS PKI. When the CA expires, anything signed by that CA is also expired. That would include the server[s] and clients. What you are asking is not possible.

That said, recent Access Server versions (2.9 and beyond) work around this by automatically maintaining second and subsequent CA certificates. I believe it is one new CA each year. Each issued client certificate is signed by all valid CAs at the time of issuance, and all of those certificates will be concatenated into a single

Code: Select all

<ca>
...
</ca>
inline block in the client profile. So it will survive the expiration of the oldest CA. But there too, it cannot survive the expiration of the newest CA at the time of issuance. When all signing CAs are expired, you need a new client certificate.

regards, rob0
Image OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support

Post Reply