From: Dmitry M. <dm...@be...> - 2014-04-12 09:05:29
09.04.2014 17:55, Timothe Litt wrote:
> Since you'll document your experience, perhaps YOU can contribute
> instructions for the next person !
>
OK, I did some tests and here is what I'm going to do:

1. My openvpn configs and easyrsa are located in /etc/openvpn, so I want to copy the current ca.crt and ca.key to, let's say, caold.crt and caold.key.
2. Then I want to create a new CA with
   source ./vars
   ./build-ca
3. and merge the two files as
   cd keys
   cp ca.crt camix.crt
   cat caold.crt >> camix.crt
4. and write this camix.crt into the openvpn server configs (we have 3 servers :-) ), so
5. new certificates will be signed by the new CA, but old certificates will still be available.
6. Our policy forces us to renew users' certificates every year, so users will receive this mixed camix.crt as ca.crt with their new key and crt.
7. After all users have received new certificates, i.e. after 1 year, I'll generate a new server key and point the servers to ca.crt.

I tested this process by creating a new CA with a lifetime of just 1 day and creating new user and server certificates, and was still able to connect to the server with an old certificate as a user with a new certificate and vice versa.

If I didn't miss something, that's all. There is a chance that my process is wrong just because I'm still not very happy with my level of certificate knowledge.

Thank you again for the advice to create a new CA!
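The rotation described in steps 1 to 7 above, reproduced as an added example that is not part of the original mailing-list post: it uses plain openssl(1) in a scratch directory instead of easy-rsa, builds an "old" and a "new" CA, issues one client certificate from each, concatenates both CA certificates into camix.crt exactly as step 3 does, and then checks which certificates verify against which trust file. The CA names, the 365-day lifetimes and the user names are constructed for the example; it assumes openssl is on PATH.

```shell
#!/bin/sh
# Added example (not the poster's own script). Models the CA rotation
# with openssl(1) instead of easy-rsa and checks the trust behaviour at
# each stage. Everything is created in a throw-away directory.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal request config so the script does not depend on the system openssl.cnf.
cat >"$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# make_ca NAME DAYS : self-signed CA in $WORK/NAME.crt and $WORK/NAME.key
make_ca() {
  openssl req -x509 -config "$WORK/ca.cnf" -extensions v3_ca \
    -newkey rsa:2048 -nodes -days "$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" \
    -subj "/CN=$1" >/dev/null 2>&1
}

# issue_cert CA USER : client certificate for USER signed by CA
issue_cert() {
  openssl req -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" -subj "/CN=$2" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 365 -out "$WORK/$2.crt" >/dev/null 2>&1
}

# verifies TRUSTFILE USER : exit 0 if USER.crt chains to a CA in TRUSTFILE
verifies() {
  openssl verify -CAfile "$WORK/$1" "$WORK/$2.crt" >/dev/null 2>&1
}

# run_rotation: exit 0 if the bundle behaves the way steps 3 to 7 expect
run_rotation() {
  make_ca caold 365          # the existing CA, copied aside (step 1)
  make_ca ca 365             # the freshly built CA (step 2)
  issue_cert caold olduser   # certificate issued before the rotation
  issue_cert ca newuser      # certificate issued by the new CA (step 5)
  cat "$WORK/ca.crt" "$WORK/caold.crt" >"$WORK/camix.crt"   # step 3

  # While the servers trust camix.crt, both generations are accepted (steps 4 to 6).
  verifies camix.crt olduser || return 1
  verifies camix.crt newuser || return 1
  # The bundle is what makes that work: each CA alone rejects the other's certificate.
  verifies ca.crt olduser && return 1
  verifies caold.crt newuser && return 1
  # Step 7: once everyone has re-enrolled, trusting ca.crt alone drops the old CA.
  verifies ca.crt newuser || return 1
  return 0
}

run_rotation && echo "rotation checks passed"
```

The four `openssl verify` checks on the different trust files are the point: the first pair shows why the mixed file is needed during the transition, and the last check confirms that switching the server's ca directive back to the new CA alone is what finally retires the old one.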