What would be really nice is high level provisioning like
https://www.microsoft.com/en-us/download/details.aspx?id=54971

On Oct 29, 2017 7:17 AM, "Jason Haar" <jason_h...@trimble.com> wrote:

> Hi there
>
> Best practice would be to routinely rotate secrets, to mitigate
> configuration misuse/loss, etc.
>
> Due to CAs, certificates already support that concept,
> but tls-auth/tls-crypt do not.
>
> So wouldn't it be a good idea to allow tls-auth/tls-crypt to contain
> multiple keys, so that the key could be rotated without an outage (really
> like a "major upgrade"). i.e.
>
> 1. replace server key with one containing old + new
> 2. replace client config, replacing old key with new one
> 3. wait weeks/months (probably) until you know all clients are reconfigured
> 4. replace server key with just the new one
> 5. rotation is now complete
>
>
> --
> Cheers
>
> Jason Haar
> Information Security Manager, Trimble Navigation Ltd.
> Phone: +1 408 481 8171
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> Openvpn-users mailing list
> Openvpn-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openvpn-users
>
>
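Added illustration of the five-step rotation proposed above (this is a constructed simulation, not code from the thread or from the OpenVPN project): the server holds a set of accepted keys, each client holds exactly one, and the old key is dropped only after every client has moved. OpenVPN's tls-auth packet authentication is modelled here as a plain HMAC-SHA256 tag over the packet, which is an assumption for the example, not OpenVPN's actual wire format. A second function shows the failure mode the "wait weeks/months" step guards against: a client still carrying the old key is locked out if the server is cut over to the new key too early.

```python
import hashlib
import hmac
import secrets

# Constructed model of tls-auth-style control-channel authentication.
# Assumption: a packet is accepted when its HMAC-SHA256 tag verifies under
# one of the keys the server currently trusts.

PACKET = b"control-channel packet"  # constructed sample payload


class Server:
    def __init__(self, keys):
        # Keys currently accepted. During a rotation this holds old + new.
        self.keys = list(keys)

    def accepts(self, packet: bytes, tag: bytes) -> bool:
        # Accept if the tag verifies under any configured key; constant-time compare.
        return any(
            hmac.compare_digest(hmac.new(k, packet, hashlib.sha256).digest(), tag)
            for k in self.keys
        )


class Client:
    def __init__(self, key: bytes):
        self.key = key  # a client config carries exactly one key

    def send(self, packet: bytes):
        return packet, hmac.new(self.key, packet, hashlib.sha256).digest()


def run_rotation(num_clients: int = 3):
    """Walk through steps 1-4 of the proposal and record, at each stage,
    whether every client is still accepted by the server."""
    old_key = secrets.token_bytes(32)  # constructed keys
    new_key = secrets.token_bytes(32)
    clients = [Client(old_key) for _ in range(num_clients)]
    server = Server([old_key])
    log = []

    def check(label):
        results = [server.accepts(*c.send(PACKET)) for c in clients]
        log.append((label, results))

    check("before rotation: server old, clients old")
    # Step 1: server key file contains old + new.
    server.keys = [old_key, new_key]
    check("step 1: server old+new")
    # Step 2: clients are reconfigured one at a time, old -> new.
    for i, c in enumerate(clients):
        c.key = new_key
        check(f"step 2: client {i} migrated")
    # Step 3 is the waiting period; once all clients have migrated,
    # step 4 removes the old key from the server.
    server.keys = [new_key]
    check("step 4: server new only")
    return log


def premature_cutover():
    """Failure mode: step 4 applied while one client still has the old key."""
    old_key, new_key = secrets.token_bytes(32), secrets.token_bytes(32)
    migrated, straggler = Client(new_key), Client(old_key)
    server = Server([new_key])  # old key already removed
    return {
        "migrated": server.accepts(*migrated.send(PACKET)),
        "straggler": server.accepts(*straggler.send(PACKET)),
    }


if __name__ == "__main__":
    for label, results in run_rotation():
        print(f"{label}: {'all accepted' if all(results) else results}")
    print("premature cutover:", premature_cutover())
```

The window between step 1 and step 4, during which both keys are valid, is the exposure period for a leaked old key, so the "weeks/months" in step 3 is a trade-off against how long the old secret stays usable; the simulation makes that visible because the straggler is only rejected once the server's key set shrinks to the new key alone.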