On Fri, Nov 14, 2025 at 11:29:46PM +0100, Theo Buehler wrote:
> On Fri, Nov 14, 2025 at 04:56:34PM -0500, Christopher Sean Hilton wrote:
> > On Fri, Nov 14, 2025 at 04:23:21PM -0500, Chris Hilton wrote:
> > > I have a pair of servers, both running OpenBSD 7.6 that have a shared
> > > ikev2 vpn via iked. This is working great in fact it's working better
> > > than I expect it to. I've noticed two issues:
> > > 
> > > * The certificates in my VPN expired about a month ago but the VPN keeps
> > >   renegotiating. I stopped iked on one side for about an hour today and
> > >   after I restarted it, the VPN had no trouble restarting.
> > >   
> > > * Running `ikectl ca my-vpn-ca certificate my-host create` throws an
> > >   error indicating that the certificate already exists. In fact it does
> > >   but the certificate that it cites is the expired one.
> > >   
> > > Please forgive my question if these two issues have been addressed since
> > > OpenBSD 7.6 became stale.
> > > 
> > > 
> > 
> > 
> > To follow-up with the actual error message:
> > 
> >     ERROR:There is already a certificate for /C=US/ST=...
> >     The matching entry has the following details
> >     Type      :Valid
> >     Expires on    :250920224627Z
> >     Serial Number :04
> > 
> > Note well that when I assume that the date given is seconds since 01/01/1970
> > and I do this:
> > 
> >      $ date -r 250920224627
> >      Sat May  7 02:23:47 EDT 9921
> > 
> > I'm assuming that I'm missing something on the date format?
> 
> UTCTime has format YYMMDDHHMMSSZ, expired on Sep 20, 2025, at 22:46:27 UTC
> https://www.rfc-editor.org/rfc/rfc5280#section-4.1.2.5.1

My bad there although in my defense I'd have to say that I'm no longer used to
seeing 2-digit year fields. Sadly, that brings up another, worse question. If the
software knows the certificate expired 2 months ago, why won't it let me
re-issue it?

-- 
Chris

      __o          "All I was trying to do was get home from work."
    _`\<,_           -Rosa Parks
___(*)/_(*)____.___o____..___..o...________ooO..._____________________
Christopher Sean Hilton                    [chris/at/vindaloo/dot/com]
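
Added example (not from the thread, not OpenBSD or ikectl code): a small decoder for the RFC 5280 time formats, so the "Expires on" string ikectl prints can be checked against the current time instead of being misread as a Unix epoch. It implements the UTCTime two-digit year rule from RFC 5280 section 4.1.2.5.1 (YY of 50..99 means 19YY, 00..49 means 20YY) and also accepts GeneralizedTime, which X.509 requires for dates in 2050 and later. The sample values and the function names are constructed for this example; the first value is the one quoted above.

```python
"""Decode X.509 notAfter strings (UTCTime / GeneralizedTime) and test expiry.

Example code only; not part of ikectl, iked or OpenBSD. Follows RFC 5280
section 4.1.2.5 for both time encodings.
"""
import re
from datetime import datetime, timedelta, timezone

# UTCTime:          YYMMDDHHMMSSZ   (RFC 5280 4.1.2.5.1, 2-digit year)
# GeneralizedTime:  YYYYMMDDHHMMSSZ (RFC 5280 4.1.2.5.2, 4-digit year)
UTCTIME_RE = re.compile(r"^(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})Z$")
GENTIME_RE = re.compile(r"^(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})Z$")

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def parse_utctime(s: str) -> datetime:
    """Parse UTCTime; RFC 5280 pivots the 2-digit year at 50 (50..99 -> 19xx)."""
    m = UTCTIME_RE.match(s)
    if not m:
        raise ValueError(f"not an RFC 5280 UTCTime: {s!r}")
    yy, mo, d, h, mi, sec = (int(g) for g in m.groups())
    year = 1900 + yy if yy >= 50 else 2000 + yy
    return datetime(year, mo, d, h, mi, sec, tzinfo=timezone.utc)


def parse_generalizedtime(s: str) -> datetime:
    """Parse GeneralizedTime (4-digit year, required for dates >= 2050)."""
    m = GENTIME_RE.match(s)
    if not m:
        raise ValueError(f"not an RFC 5280 GeneralizedTime: {s!r}")
    y, mo, d, h, mi, sec = (int(g) for g in m.groups())
    return datetime(y, mo, d, h, mi, sec, tzinfo=timezone.utc)


def parse_x509_time(s: str) -> datetime:
    """Dispatch on length: 13 chars is UTCTime, 15 chars is GeneralizedTime."""
    s = s.strip()
    if len(s) == 13:
        return parse_utctime(s)
    if len(s) == 15:
        return parse_generalizedtime(s)
    raise ValueError(f"unrecognised X.509 time: {s!r}")


def is_expired(not_after: str, now: datetime) -> bool:
    """A certificate is valid through notAfter inclusive; expired once now is later."""
    return now > parse_x509_time(not_after)


def misread_as_epoch(s: str) -> datetime:
    """What `date -r` computes when the digits are taken as seconds since 1970.

    Pure timedelta arithmetic so it does not depend on the platform's time_t.
    """
    return EPOCH + timedelta(seconds=int(s.rstrip("Z")))


if __name__ == "__main__":
    # Constructed sample: the "Expires on" value quoted in the thread, checked
    # against the time the reply above was sent (2025-11-14 22:29:46 UTC).
    not_after = "250920224627Z"
    sent = datetime(2025, 11, 14, 22, 29, 46, tzinfo=timezone.utc)
    print("notAfter decodes to", parse_x509_time(not_after).isoformat())
    print("expired at time of reply:", is_expired(not_after, sent))
    print("same digits read as a Unix epoch:", misread_as_epoch(not_after).year)
```

The 13-versus-15 character dispatch is the same distinction a DER parser makes by tag (UTCTime is tag 23, GeneralizedTime is tag 24); the string form printed by ikectl carries no tag, so the length is the only cue. The two-digit pivot is why a value such as `991231235959Z` is 1999, not 2099, and why any notAfter in 2050 or later must come as a 15-character GeneralizedTime.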
