On 01/09/15 16:45, Ryan Whelan wrote:
> Is it possible to use TLS mode without having to maintain a CA? The
> system I'm working with is automated and distributed and coding the
> signing of keys means the CA would have to be online at all times.
> Something I'd rather not code to protect.

The CA does not have to be online all of the time - you just need to hand out certificates at some point. It is just as safe as automatically handing out static keys.
> So, again, can static keys be updated without service interruption?

No, this is not possible; in order to use new keys (or a new certificate) the connection needs to be reinitiated. This will always cause some service disruption, although it can be very short (~ 4 seconds). Note that in order to use a new server-side certificate you also need to restart a connection, again, with a few seconds disruption.

JJK

> On Tue, Sep 1, 2015 at 10:37 AM, Steffan Karger <stef...@karger.me> wrote:
>> On 1 Sep 2015 07:33, "Ryan Whelan" <rcwhe...@gmail.com> wrote:
>>> Is there a way to rekey a static key connection without interrupting
>>> traffic?
>>>
>>> If I can generate and securely distribute new static keys (out of
>>> band) on regular intervals, is there a way to make openvpn start using
>>> the new keys without dropping traffic?
>>
>> Yes, just use TLS mode. That is exactly what it was created for.
>>
>> -Steffan
>
> ------------------------------------------------------------------------------
> _______________________________________________
> Openvpn-users mailing list
> Openvpn-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openvpn-users
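To make the two points in the thread concrete (static keys are read once at startup, so rotating them means reconnecting; in TLS mode the CA's private key stays offline and the data-channel keys are renegotiated in place), here is an added illustration of the two OpenVPN client configurations side by side. It is not taken from the thread or from the OpenVPN project; the hostname, file paths and addresses are assumed placeholders, and the two files are meant to be used separately, never combined.

```conf
# ===== File 1: static.conf (assumed example of the mode the questioner is using) =====
# A single pre-shared key protects the whole tunnel. OpenVPN reads static.key
# only when it starts, so a new key means stopping and restarting the tunnel
# on both peers; there is no in-band rekey in this mode.
dev tun
proto udp
remote vpn.example.org 1194          # placeholder hostname and port
ifconfig 10.8.0.2 10.8.0.1           # local and remote tunnel addresses (assumed)
secret /etc/openvpn/static.key       # assumed path to the shared static key
persist-key
persist-tun

# ===== File 2: client.conf (assumed example of the TLS mode the reply recommends) =====
# The peers authenticate with certificates and derive fresh data-channel keys
# themselves. The CA appears here only as its public certificate (ca.crt); the
# CA's private key is never needed by the running tunnel, only at the moment a
# new client or server certificate is issued, so it can stay offline.
client
dev tun
proto udp
remote vpn.example.org 1194          # placeholder hostname and port
ca   /etc/openvpn/ca.crt             # assumed path: CA public certificate only
cert /etc/openvpn/client.crt         # assumed path: this peer's certificate
key  /etc/openvpn/client.key         # assumed path: this peer's private key
remote-cert-tls server               # accept only a peer presenting a server certificate
tls-crypt /etc/openvpn/tc.key        # optional: authenticate and encrypt the control channel
reneg-sec 3600                       # renegotiate data-channel keys every hour, in place,
                                     # without tearing the tunnel down
persist-key
persist-tun
```

The `reneg-sec` directive is what delivers the rekeying the original question asked for: the session keys are replaced on a schedule over the existing control channel, with no reconnect. Replacing the certificates themselves (for example when client.crt expires or is reissued) still requires the reconnect the reply describes, so certificate lifetimes, not key rotation, are what determine how often a short disruption is unavoidable.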