Hi,
------- Original Message -------
On Thursday, October 27th, 2022 at 5:16 AM, Leroy Tennison via Openvpn-users <openvpn-users@lists.sourceforge.net> wrote:

> After 10 years this happened to us, fortunately on a small VPN. In rushing
> to get service restored, I used easy-rsa's build-ca, big mistake - had to
> recreate all client certificates. After some research I found that "openssl
> x509 -in /etc/openvpn/easy-rsa/keys/ca.crt -days 3650 -out ca-v2.crt -signkey
> /etc/openvpn/easy-rsa/keys/ca.key" seems to work. I also used
> build-key-server because the server's certificate had also expired and that
> seems to work as well. When the new CA certificate and server
> certificate/key pair are configured in the conf file and OpenVPN restarted,
> existing clients with unexpired certificate/key pairs were able to connect
> and function.
>
> My question is "Is this the correct/best way to handle the situation?" If
> not, what is?

First, it is true that Easy-RSA could have a CA renewal function; it is even on the list of requests:
https://github.com/OpenVPN/easy-rsa/issues/379

Second, if you used Easy-RSA to build a new CA, did you also re-initialise your PKI?

I'm not really sure how well renewing a CA works, because I presume that you still need to distribute the new CA certificate to your clients. So, it is debatable how useful renewing a CA really is versus building a new CA and distributing new client config files.

As for best practice: When the software is free, please accept a share of the responsibility.
br
RTB
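The renewal command quoted above, tried on a throwaway PKI, as an added example that is not code from the thread or from Easy-RSA: it assumes a local `openssl` binary, and every file name and subject in it is constructed. It checks the point the two messages turn on, whether a client certificate issued under the old CA certificate still verifies against the re-signed one, and, for contrast, against a brand-new CA of the kind build-ca produces.

```shell
# Added example (not from the thread or Easy-RSA); assumes a local openssl binary.
set -eu

# Build a scratch CA and one client certificate issued by it (constructed names).
make_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=Test-CA \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj /CN=client1 \
    -keyout "$1/client.key" -out "$1/client.csr" 2>/dev/null
  openssl x509 -req -in "$1/client.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 3650 -out "$1/client.crt" 2>/dev/null
}

# The renewal step from the thread: re-sign the existing CA certificate with the
# existing CA key, so subject and public key are unchanged and only validity moves.
renew_ca_cert() {
  openssl x509 -in "$1/ca.crt" -days 3650 -signkey "$1/ca.key" \
    -out "$1/ca-v2.crt" 2>/dev/null
}

# Returns 0 when the renewed CA certificate carries the same public key as the old
# one and still validates the client certificate issued under the old one.
renewal_keeps_clients() {
  dir=$(mktemp -d)
  make_test_pki "$dir"
  renew_ca_cert "$dir"
  old_key=$(openssl x509 -in "$dir/ca.crt" -noout -pubkey)
  new_key=$(openssl x509 -in "$dir/ca-v2.crt" -noout -pubkey)
  rc=1
  if [ "$old_key" = "$new_key" ] &&
     openssl verify -CAfile "$dir/ca-v2.crt" "$dir/client.crt" >/dev/null 2>&1; then
    rc=0
  fi
  rm -rf "$dir"
  return $rc
}

# Contrast: a brand-new CA (what build-ca produces) has a new key, so the same
# client certificate is rejected even with an identical subject name. Returns 0
# when the old client certificate fails to verify against it.
new_ca_rejects_old_clients() {
  dir=$(mktemp -d)
  make_test_pki "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj /CN=Test-CA \
    -keyout "$dir/ca-new.key" -out "$dir/ca-new.crt" 2>/dev/null
  rc=0
  openssl verify -CAfile "$dir/ca-new.crt" "$dir/client.crt" >/dev/null 2>&1 && rc=1
  rm -rf "$dir"
  return $rc
}
```

It does not cover getting ca-v2.crt onto the clients, which is the part of the renewal the reply above questions.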