From: Jochen B. <Joc...@bi...> - 2025-09-29 07:48:03
On 29.09.25 04:18, Leroy Tennison via Openvpn-users wrote:
> Other than connecting to the client, finding what ca.crt they
> use and running openssl x509 -in <client ca.crt> -noout -enddate?

a) Just to make sure: The *clients* need the cert of the CA issuing the *server* certs, because *that's* the cert they're checking with it.

b) Your OpenSSL command will output the data for the *first* cert found in the file. Files - or, for that matter, CApath directories - accepted by OpenVPN can contain *several* CA certs. (In the case of a PKI with intermediate CAs, they *should* have the entire chains from root to server-cert-issuing intermediate.)

c) I still remember the time when, while we evaluated a new platform, we found that OpenVPN would also refuse a CA with an expired *CRL*, so you might want to check that as well - *if* you're rolling out CRLs to the clients.

d) Having said that, I'm not aware of a method to double-check any of that on the *server* side ...

> My concern is accidentally overlooking a client.

You might be able to change the roll-out process so that the new server CA file and new client certs with some marker (say, OU=ImAlreadyDone) will be installed at the same time; then you could recognize unprepared clients by the missing marker as they auth ... ? (Still doesn't catch *dormant* clients, though ...)

Kind regards,
-- 
Jochen Bern
Systemingenieur

Binect GmbH
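As an added example (not part of Jochen's message or of the OpenVPN project), here is a small POSIX shell script that does what points b) and c) above call for on a client: it splits an OpenVPN "ca" bundle into its individual PEM blocks so that *every* CA certificate is reported rather than only the first one that openssl x509 reads, flags any certificate that has expired or will expire within a grace period, and prints a CRL's nextUpdate. It assumes the openssl CLI is on PATH; the /etc/openvpn paths in the usage comment are placeholders.

```sh
#!/bin/sh
# Added example, not from the openvpn-users thread: check every CA certificate
# in an OpenVPN "ca" bundle, not just the first one, plus the CRL's nextUpdate.
# Assumes the openssl CLI is on PATH. File names below are placeholders.

# count_pem_blocks FILE TYPE -> number of "-----BEGIN TYPE-----" blocks in FILE
count_pem_blocks() {
    [ -r "$1" ] || { echo 0; return; }
    grep -c "^-----BEGIN $2-----" "$1" || true
}

# nth_cert FILE N -> the N-th PEM certificate block of FILE on stdout
# (openssl x509 only ever reads the first block of whatever it is given)
nth_cert() {
    awk -v want="$2" '
        /^-----BEGIN CERTIFICATE-----/ { k++ }
        k == want                      { print }
        /^-----END CERTIFICATE-----/   { if (k == want) exit }
    ' "$1"
}

# ca_enddates FILE -> one line per certificate: subject and notAfter
ca_enddates() {
    n=$(count_pem_blocks "$1" CERTIFICATE)
    i=1
    while [ "$i" -le "$n" ]; do
        nth_cert "$1" "$i" | openssl x509 -noout -subject -enddate | tr '\n' '\t'
        echo
        i=$((i + 1))
    done
}

# check_ca_bundle FILE [SECONDS] -> 0 if every certificate in FILE is still
# valid for at least SECONDS (default 0), 1 otherwise; offenders go to stderr
check_ca_bundle() {
    grace=${2:-0}
    n=$(count_pem_blocks "$1" CERTIFICATE)
    rc=0
    i=1
    while [ "$i" -le "$n" ]; do
        if ! nth_cert "$1" "$i" | openssl x509 -noout -checkend "$grace" >/dev/null; then
            printf 'expiring within %ss: %s\n' "$grace" \
                "$(nth_cert "$1" "$i" | openssl x509 -noout -subject)" >&2
            rc=1
        fi
        i=$((i + 1))
    done
    return "$rc"
}

# crl_nextupdate FILE -> the CRL's nextUpdate line. A CRL past its nextUpdate
# is rejected by OpenVPN (point c above), so when CRLs are shipped to clients
# this date needs watching just like the CA's notAfter.
crl_nextupdate() {
    openssl crl -in "$1" -noout -nextupdate
}

# Usage (placeholder paths):
#   ca_enddates /etc/openvpn/ca.crt
#   check_ca_bundle /etc/openvpn/ca.crt 2592000 && echo "all CA certs good for 30 days"
#   crl_nextupdate /etc/openvpn/crl.pem
```

Run it on the client's ca file (and CApath directory entries, if used) rather than on the server: as the message notes, the server has no view of which CA bundle a client is verifying against.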