The general form of what you want to do is: openssl x509 -in file.crt -noout -text | grep 'Not After'
If you use the same command against the client files with the embedded crypto, it will give you the expiration date of the first certificate block, which *might* be your client cert, or *might* be your CA cert, depending on how the file is structured. you can manually copy the chunk between <cert> and </cert> and then run it through openssl, or do something cleverish like: grep -A 100 -F '<cert>' openvpn.conf | openssl x509 -in - -noout -text | grep 'Not After' Hope this is helpful. -Joe On Wed, Sep 28, 2022 at 10:08 AM Bo Berglund <bo.bergl...@gmail.com> wrote: > > I have been using OpenVPN for a rather long time now and I have realized that > there is a risk tat the server certificates may expire as well as the clients. > The servers all run on Linux (Ubuntu server and Raspberry Pi) but clients are > both Linux and Windows and actually also some ASUS routers... > > How can I check when this will happen? > The clients use OVPN files with embedded crypto stuff and the server uses a > set > of crypto files in subdir etc/openvpn/keys. > > If I can check this and it turns out that they will be expiring in the near > future, then what can I do to extend the life of them? > Do I have to re-create the entire set of server and client certs? > > Notice: > The certs were created using easy-rsa on the servers back when the system was > created and new clients have been added over the years also using easy-rsa on > the servers. > > > -- > Bo Berglund > Developer in Sweden > > > > _______________________________________________ > Openvpn-users mailing list > Openvpn-users@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/openvpn-users _______________________________________________ Openvpn-users mailing list Openvpn-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-users
