Hi,
On 03/03/16 22:04, ValdikSS wrote:
> Hello everyone,
> I'm trying to leisurely move from an old existing 1024 bit CA to a new 4096 bit
> one without a hassle for clients.
> From an X.509 perspective it shouldn't be a problem, and I already have the new CA
> self-signed and cross-signed with the old CA; it should work just fine.
> While there's no problem authenticating clients from both the old and the new CA
> using a single instance (multiple certificates in --ca are supported, this
> information is documented), I need to send two certificates from the OpenVPN
> server: the server certificate, which is signed by the new CA, and the new CA
> cross-signed with the old CA. This way it should work for clients with either the
> old or the new CA in their configuration files.
> I can't get the server to send more than one certificate to the client. It seems
> that multiple certificates in the --cert directive are supported only on the
> client side. Am I missing something, is there a way to push multiple certificates
> from the server? If there isn't a way currently, are there any protocol
> limitations which allow only one certificate to be sent?
It's possible to send a stacked CA certificate (i.e. server certificate
and intermediate CA cert) from the server to the client. We use this in
production, and it is done by simply stacking (cat'ing) the server cert
and the intermediary CA cert file into a single pem file. The intermediary
CA is verified using the client-side ca.crt file and the server cert is
signed by the intermediary CA.
I'm not sure what would happen if you stick two CA certs into the file,
however.
If this does not work: when looking through the openssl s_server code I see
a -dcert option which does something similar; looks like it would be
trivial to add to OpenVPN.
JM2CW,
JJK
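The following script is an added example and not part of the thread: it rebuilds ValdikSS's situation with throwaway keys (an old root, a new root, the new root cross-signed by the old root, and a server certificate issued by the new root), stacks the server certificate and the cross-signed CA into one PEM file the way JJK describes, and then runs `openssl verify` twice, once as a client that only trusts the old CA and once as a client that only trusts the new CA. It assumes only the `openssl` command-line tool; every subject name, file name and key size is constructed for the demo (2048-bit RSA is used for speed and because modern security levels would reject a 1024-bit key).

```shell
#!/bin/sh
# Added example (not from the thread): CA migration with a cross-signed new root,
# checked against both client trust stores. All names and paths are constructed.
set -eu

# Build a throwaway PKI in DIR: old root, new root, cross-signed new root,
# and a server leaf signed only by the new root.
build_demo_pki() {
    dir=$1
    mkdir -p "$dir"
    # CA extensions, applied to both roots and to the cross-signed certificate.
    printf '%s\n%s\n' 'basicConstraints=critical,CA:TRUE' \
        'keyUsage=critical,keyCertSign,cRLSign' > "$dir/ca.ext"

    # Old root (what existing clients trust) and new root (what migrated clients trust),
    # each self-signed from its own CSR.
    for name in old-ca new-ca; do
        openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/$name.key" \
            -out "$dir/$name.csr" -subj "/CN=$name" 2>/dev/null
        openssl x509 -req -days 365 -in "$dir/$name.csr" -signkey "$dir/$name.key" \
            -extfile "$dir/ca.ext" -out "$dir/$name.crt" 2>/dev/null
    done

    # Cross-sign: the *same* new-root key and subject, but issued by the old root.
    openssl x509 -req -days 365 -in "$dir/new-ca.csr" \
        -CA "$dir/old-ca.crt" -CAkey "$dir/old-ca.key" -CAcreateserial \
        -extfile "$dir/ca.ext" -out "$dir/new-ca-cross.crt" 2>/dev/null

    # Server leaf, signed by the new root only.
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/server.key" \
        -out "$dir/server.csr" -subj "/CN=vpn.example.test" 2>/dev/null
    openssl x509 -req -days 365 -in "$dir/server.csr" \
        -CA "$dir/new-ca.crt" -CAkey "$dir/new-ca.key" -CAcreateserial \
        -out "$dir/server.crt" 2>/dev/null
}

# Stack the leaf first, then the cross-signed CA: the order a PEM chain file
# must have (subject certificate first, intermediates after it).
stack_server_chain() {
    dir=$1
    cat "$dir/server.crt" "$dir/new-ca-cross.crt" > "$dir/server-stacked.crt"
}

# Number of certificates in a PEM bundle.
count_certs() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# Verify the server leaf the way a client would: CAFILE is the client's trust
# store, UNTRUSTED is what the server sent. Exit status is openssl's verdict.
verify_as_client() {
    dir=$1; cafile=$2; untrusted=$3
    openssl verify -CAfile "$dir/$cafile" -untrusted "$dir/$untrusted" \
        "$dir/server.crt" >/dev/null 2>&1
}

demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
build_demo_pki "$demo"
stack_server_chain "$demo"
echo "certificates in server-stacked.crt: $(count_certs "$demo/server-stacked.crt")"
for ca in old-ca.crt new-ca.crt; do
    if verify_as_client "$demo" "$ca" server-stacked.crt; then
        echo "client trusting $ca, server sends stacked file: OK"
    else
        echo "client trusting $ca, server sends stacked file: FAILED"
    fi
done
# Without the cross-signed CA in the file, old-CA clients cannot build a chain.
if verify_as_client "$demo" old-ca.crt server.crt; then
    echo "client trusting old-ca.crt, server sends leaf only: OK (unexpected)"
else
    echo "client trusting old-ca.crt, server sends leaf only: FAILED (expected)"
fi
```

In OpenVPN terms, `server-stacked.crt` is what `--cert` would point at, with `--key server.key` unchanged; the last check shows what old-CA clients see if the cross-signed certificate is left out. Two caveats worth knowing before migrating: a PEM chain file is read leaf first, so the order of the `cat` matters, and distributions that ship OpenSSL at security level 2 (Debian and Ubuntu do) refuse RSA keys shorter than 2048 bits, so the old 1024-bit CA may already fail verification on updated clients regardless of how the chain is sent.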