Or, make a new ca.crt file with both the old and new CA certs, no
cross-signing required. Deploy to server, then to clients, so that
both server and clients trust both CAs.  Then update the client certs
one by one to the new CA. Then update the server cert to the new CA.
Then deploy a ca.crt with only the new CA cert.

This is tested, at least once, by me, because it's exactly what I did
after our root CA key got corrupted and was about to expire. (Word to
the wise: one of the dangers of storing a root CA key on offline media
for 10 years is that sometimes offline media doesn't last for 10
years.  I really should have just printed it out and put it in a safe
as backup.)

-Joe

On Thu, Jul 22, 2021 at 5:35 PM Selva Nair <selva.n...@gmail.com> wrote:
>
> Hi,
>
> On Thu, Jul 22, 2021 at 3:40 AM Ralf Hildebrandt 
> <ralf.hildebra...@charite.de> wrote:
>>
>> * Bo Berglund <bo.bergl...@gmail.com>:
>> > On Wed, 21 Jul 2021 10:57:50 +0200, Ralf Hildebrandt
>> > <ralf.hildebra...@charite.de> wrote:
>> >
>> > >But how do I do this? Can I make openvpn accept client certificates
>> > >from two CAs (the old and the new one)?
>> >
>> > Why using a new certificate?
>>
>> I need a new CA due to the German BSI crypto regulations (RSA 2048 is
>> not enough)
>>
>
> The usual approach for updating a CA would be to use cross-signed (or link)
> certificates. I haven't tried it with OpenVPN, but here is a thought:
>
> First update the server cert signed by the new CA, but include a link cert for
> the new CA signed by the old CA. That will make it possible for clients to
> still verify the new server cert. Change the CA cert on the server to a stack
> of old and new CA. Then gradually update the cert and ca on clients to the
> new one (new CA only, not old+new). When all clients are updated, remove the
> old CA cert and the link cert on the server.
>
> Totally untested.
>
> Selva
> _______________________________________________
> Openvpn-users mailing list
> Openvpn-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openvpn-users

