On 09.03.2014 14:39, Michael Post wrote:
the only certificate that is still valid is your self-signed CA certificate;

> last year I created my keys, certs and so on with the following steps for an openvpn server:
>
> ##### Serverside ########
> openssl req -new -x509 -newkey rsa:2048 -keyout ssl_priv.pem -out ca_cert.pem -days 3650 -config ./openssl.conf
> openssl x509 -in ca_cert.pem -out ca_cert.crt

ca_cert.pem and ca_cert.crt are the same, both are in PEM format;
openssl x509 -inform PEM -in ca_cert.pem -outform DER -out ca_cert.crt
would convert it from PEM to DER format;

> openssl genrsa -out serverkey.pem -aes128 2048 -days 3650 -config ./openssl.conf
> openssl req -new -key serverkey.pem -out req.pem -nodes -config ./openssl.conf
> openssl ca -keyfile ssl_priv.pem -cert ca_cert.pem -in req.pem -notext -out servercert.pem -config ./openssl.conf

your openssl.cnf has the setting for how many days the certificates are valid; the -days 3650 from the key generation step above is ignored;
why do you add the -days option when generating the private key or the certificate request, and not when signing the request?

> And today my certificate is invalid, because due to an "error" the servercert.pem is only valid 365 days. It should be 3650 days.
>
> ##### Serverside created, but copied to every client ########
> With the following commands I created the client certificates and keys
> openssl req -new -keyout clients/client-key-XXXXX.pem -out clients/client-req-XXX.pem -days 365 -config ./openssl.conf

not really; every certificate got invalid, so every certificate must be renewed;

> openssl ca -keyfile ssl_priv.pem -cert ca_cert.pem -in clients/client-req-XXX.pem -notext -out client-cert-XXX.pem -outdir clients -config ./openssl.conf
> mv client-*.pem clients/
>
> The client certificates are also invalid due to the same flaw in my scripts. The clients are not accessible via remote maintenance, because they are UMTS clients without static IPs. Is there any possibility to extend the certificates, keys and so on server-side WITHOUT any change at client-side?

you can use the same private key and certificate request for this; but without any change at client-side it will not work;

Greetings,
Walter
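Added example (editor's code, not from this thread or from either poster), showing Walter's two points in shell: a key and a CSR carry no validity period, so the lifetime is fixed only when the request is signed, and the unchanged key and CSR can simply be re-signed for the period that was intended. It uses openssl x509 -req rather than openssl ca so that no CA database (index.txt, serial) has to be set up; with openssl ca the equivalent knob is -days on the ca command or default_days in openssl.cnf. Assumes the openssl CLI is installed; the CA name and hostname are made up.

```shell
#!/bin/sh
# Added example, not code from the thread. An X.509 certificate's lifetime
# is fixed by the signing step only: genrsa and "req -new" produce a key
# and a CSR, neither of which carries a validity period, so a -days option
# there changes nothing. Re-signing the same CSR with the same CA key gives
# a fresh certificate with the lifetime you actually asked for.
# Assumes the openssl CLI is on PATH; everything is written to a temp dir.
set -eu

# Create a throwaway CA (10 years: here -days counts, because req -x509
# signs) and a server key + CSR, in a fresh temporary directory.
demo_setup() {
  WORK=$(mktemp -d) || return 1
  cd "$WORK" || return 1
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca_key.pem \
    -out ca_cert.pem -days 3650 -subj "/CN=Demo CA" 2>/dev/null || return 1
  openssl req -new -newkey rsa:2048 -nodes -keyout server_key.pem \
    -out server_req.pem -subj "/CN=vpn.example.test" 2>/dev/null
}

# sign_server_cert DAYS OUTFILE: sign the (unchanged) server CSR for DAYS.
# openssl x509 -req is used instead of openssl ca so no CA database is
# needed; with openssl ca the same knob is -days, or default_days in cnf.
sign_server_cert() {
  openssl x509 -req -in server_req.pem -CA ca_cert.pem -CAkey ca_key.pem \
    -CAcreateserial -days "$1" -out "$2" 2>/dev/null
}

# cert_outlives_days CERTFILE DAYS: succeed iff CERTFILE is still valid
# DAYS days from now (-checkend takes seconds).
cert_outlives_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Returns 0 when the 365-day certificate expires within 3000 days while the
# re-signed 3650-day one, from the very same key and CSR, does not.
demo() {
  demo_setup || return 1
  sign_server_cert 365  server_cert_365.pem  || return 1  # what the script did
  sign_server_cert 3650 server_cert_3650.pem || return 1  # same key + CSR
  if cert_outlives_days server_cert_365.pem 3000; then return 1; fi
  cert_outlives_days server_cert_3650.pem 3000
}

demo && echo "365-day cert expires within 3000 days; re-signed 3650-day cert does not"
```

The client side of the thread is the same story: the clients keep their private keys, only the certificate file produced by the signing step has to be replaced.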