From: Jochen B. <Joc...@bi...> - 2025-09-30 11:08:47
On 30.09.25 04:53, Leroy Tennison via Openvpn-users wrote:
> Third point, are you suggesting that we use something different in
> the new ca.crt to distinguish it from the old one and use
>
> On Monday, September 29, 2025 at 02:49:32 AM CDT, Jochen Bern <joc...@bi...> wrote:
>> You might be able to change the roll-out process so that the new
>> serverCA file and new client certs with some marker (say,
>> OU=ImAlreadyDone) will be installed at the same time, then you could
>> recognize unprepared clients by the missing marker as they auth ... ?

No, I'm trying to suggest a mechanism that might allow you to see *on the
server side* which clients still don't have the updated CA file, by having
a mark in the *client* certs.

In the OpenVPN default config, the "identity" of a cert-authenticated
client essentially is the cert's subject *CN*, but every (re)auth gets
logged with the full *DN*:

> Sep 7 04:06:33 [...] VERIFY OK: depth=0, CN=Jochen Bern, OU=[...],
> O=Binect GmbH, L=Weiterstadt, ST=Hessen, C=Deutschland,
> emailAddress=Joc...@bi...

Now suppose that whenever a client gets the new CA certs file installed,
you *also* replace the client cert with one where the DN contains an
additional "OU=YupIAlreadyGotIt". (And if you have clients that need a new
cert but can *not* receive the new CA certs file on the same occasion,
they still get one *without* that extra marker.) Then you can tell *from
the server log* which (active) clients still lack the config update.

(... I haven't been using EasyRSA long enough to be able to give you
instructions on *how* exactly to do all that, though. Matter of fact, with
that regime, the same info *should* IMHO also be available from the CAs'
index.txt files ...)

Kind regards,
-- 
Jochen Bern
Systemingenieur

Binect GmbH
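The mechanism described in the message above, worked through as an added example (this is not code from the thread, from OpenVPN or from EasyRSA): the server log's `VERIFY OK: depth=0, ...` lines and the CA's `index.txt` are both scanned for the marker attribute, and every still-valid client whose DN lacks it is reported as not yet updated. The marker value `OU=YupIAlreadyGotIt` is the one the post proposes; the log lines, the `index.txt` rows, the CNs and the organisation names are constructed sample data, and the syslog prefix in front of `VERIFY OK` is assumed, since the regex only looks at the tail of each line.

```python
import re

# Marker attribute the post suggests adding to the DN of every client cert that
# was rolled out together with the new CA file.
MARKER = ("OU", "YupIAlreadyGotIt")

# Constructed sample log lines, modelled on the "VERIFY OK: depth=0, ..." line
# quoted in the post. The syslog prefix is an assumption; only the tail matters.
SAMPLE_LOG = """\
Sep  7 04:06:33 vpn ovpn-server[1234]: 203.0.113.10:51234 VERIFY OK: depth=1, CN=Old Root CA, O=Example Org
Sep  7 04:06:33 vpn ovpn-server[1234]: 203.0.113.10:51234 VERIFY OK: depth=0, CN=alice, OU=YupIAlreadyGotIt, OU=Sales, O=Example Org, C=DE
Sep  7 04:07:01 vpn ovpn-server[1234]: 203.0.113.11:51235 VERIFY OK: depth=0, CN=bob, OU=Sales, O=Example Org, C=DE
Sep  7 04:07:02 vpn ovpn-server[1234]: 198.51.100.7:40001 VERIFY OK: depth=0, CN=carol, O=Example Org, C=DE
Sep  7 04:09:10 vpn ovpn-server[1234]: 203.0.113.11:51235 VERIFY OK: depth=0, CN=bob, OU=Sales, O=Example Org, C=DE
"""

# Constructed sample index.txt rows in the OpenSSL CA database layout that
# EasyRSA uses: status, expiry, revocation date, serial, file name, slash-separated DN.
SAMPLE_INDEX = """\
V\t260930120000Z\t\t01\tunknown\t/CN=alice/OU=YupIAlreadyGotIt/OU=Sales/O=Example Org/C=DE
V\t260930120000Z\t\t02\tunknown\t/CN=bob/OU=Sales/O=Example Org/C=DE
R\t260930120000Z\t250915100000Z\t03\tunknown\t/CN=dave/O=Example Org/C=DE
V\t260930120000Z\t\t04\tunknown\t/CN=carol/O=Example Org/C=DE
"""

# depth=0 is the leaf, i.e. the client certificate itself; higher depths are CA certs.
VERIFY_RE = re.compile(r"VERIFY OK: depth=(?P<depth>\d+), (?P<dn>.+)$")


def parse_log_dn(dn):
    """Split 'CN=alice, OU=Sales, ...' into ordered (attr, value) pairs.

    Duplicates (several OU=) are kept, which is what the marker check needs.
    Caveat: a value that itself contains ', ' would be split, so keep marker
    and CN values free of commas.
    """
    pairs = []
    for part in dn.split(", "):
        attr, sep, value = part.partition("=")
        if sep:
            pairs.append((attr.strip(), value.strip()))
    return pairs


def parse_index_dn(dn):
    """Split '/CN=alice/OU=Sales/...' (index.txt column 6) into (attr, value) pairs."""
    return [tuple(p.split("=", 1)) for p in dn.strip("/").split("/") if "=" in p]


def common_name(pairs):
    return next((v for a, v in pairs if a == "CN"), None)


def clients_from_log(text, marker=MARKER):
    """Map each client CN seen authenticating (depth=0) to whether its DN carries the marker."""
    seen = {}
    for line in text.splitlines():
        m = VERIFY_RE.search(line)
        if not m or m.group("depth") != "0":
            continue
        pairs = parse_log_dn(m.group("dn"))
        cn = common_name(pairs)
        if cn:
            seen[cn] = marker in pairs
    return seen


def clients_from_index(text, marker=MARKER):
    """Same map from the CA database, counting only certs still valid (status V).

    Revoked (R) or expired (E) certs are skipped: a client whose old cert was
    revoked when it got the marked one must not show up as unprepared.
    """
    result = {}
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) < 6 or fields[0] != "V":
            continue
        pairs = parse_index_dn(fields[5])
        cn = common_name(pairs)
        if cn:
            result[cn] = marker in pairs
    return result


def unprepared(mapping):
    """CNs whose current cert lacks the marker, i.e. clients still on the old CA file."""
    return sorted(cn for cn, ok in mapping.items() if not ok)


if __name__ == "__main__":
    print("active clients without marker (server log):", unprepared(clients_from_log(SAMPLE_LOG)))
    print("issued clients without marker (index.txt): ", unprepared(clients_from_index(SAMPLE_INDEX)))
```

The log view only covers clients that have actually (re)authenticated in the window you scan, which is why the post calls them "active" clients; the `index.txt` view covers every client that was ever issued a cert, whether or not it has connected, so the two lists are worth comparing. Both checks are only as good as the rule that a marked cert is never handed out without the new CA file.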