I appreciate the update, thanks. I'm not sure why you say the command to renew the CA certificate is questionable; I understand that the new certificate has to be distributed to the clients (I don't have other servers) before the original CA certificate expires. I did double-check and found that a client using the original CA certificate can successfully connect to a server using the "renewed" CA certificate. I checked what configuration was running on the server, what CA certificate it listed (it was the renewed one) and ran a checksum on it as well as the CA certificate the client was using; they were different. I have connected to the server via ssh across the VPN from the client and performed file operations (read, create, modify, delete) so, unless something more obscure isn't working, I'm not aware of a problem. In case it matters, the server versions are OpenVPN 2.3.10/OpenSSL 1.0.2g and the client versions are OpenVPN 2.4.7/OpenSSL 1.1.1f. I didn't intend to imply that renewing the CA was equivalent to renewing the server; I recognize that they are independent of one another. It's just that, in this case, the server certificate/key was created minutes after the CA certificate/key (using the same PKI infrastructure) so their expiration is minutes apart. That's why I renewed both before testing, to ensure a working configuration with "renewed" infrastructure while clients used the "original" CA. You make a very good point about "refreshing" the configuration files to make sure they're up-to-date since everything is having to be updated anyway, thanks for mentioning it.
-----Original Message-----
From: tincantech <tincant...@protonmail.com>
To: Leroy Tennison <leroy.tenni...@verizon.net>
Sent: Fri, Oct 28, 2022 6:41 am
Subject: Re: [Openvpn-users] Dealing with CA expiration

Hi,

That you did not re-initialise your PKI means that you did not delete everything. Good!

The openssl command to renew your CA certificate, which you say "works", is questionable. You still have to distribute the new CA cert to all servers and clients.

The other point you make about: "renewing a CA is equivalent to renewing a server certificate", is incorrect.

* If you only need to renew the server cert then ONLY the server needs to be updated with the new server cert.
* If you renew the CA cert then Everything has to be updated with the new CA cert.

I have not checked what a recent version of OpenVPN does (With OpenSSL v3) when the CA cert expires .. but that you hit "crisis mode" suggests that an expired CA is, as it ever-was, about as bad as it gets..

Best practice:
After 10 years, some config-files may be a bit out of date. Take this opportunity to ensure the config-files have the latest changes:
Examples:
Use --data-ciphers not --cipher.
Do not use --topology net30.
Never use settings to work around the weak security of an old CA.

RTB

Sent with Proton Mail secure email.

------- Original Message -------
On Friday, October 28th, 2022 at 3:22 AM, Leroy Tennison <leroy.tenni...@verizon.net> wrote:

> Thank you for your reply.
>
> To answer the question in your second response, I did nothing to re-initialize my PKI, all I did was run build-ca which created both a new certificate and key as best as I can tell (we were in "crisis mode" and I didn't attempt comparison with backups to confirm the key was recreated, I just looked at the date of the key file). After that I had to use build-key-server (even without the CA issue, that certificate had expired as well) and build-key for all needed clients.
>
> The benefit of renewing the CA and server's crt/key pair is that both can be done and implemented (with a short, planned outage) prior to expiration. This allows clients to be upgraded over time (from whenever the CA/server is "renewed" until expiration) rather than all at once at expiration. We have other VPNs which not only have a larger set of clients but we don't have the unrestricted ability to update them whenever we want due to extenuating circumstances. I realize that the amount of work isn't reduced (it may well be slightly increased), it is the short-term load and impact which is mitigated.
>
> As for "best practice" all I was looking for was a "better way" to do this if one existed. Again, thanks for your reply.
>
> -----Original Message-----
> From: tincantech <tincant...@protonmail.com>
> To: Leroy Tennison <leroy.tenni...@verizon.net>
> Cc: openvpn-users@lists.sourceforge.net <openvpn-users@lists.sourceforge.net>
> Sent: Thu, Oct 27, 2022 6:26 pm
> Subject: Re: [Openvpn-users] Dealing with CA expiration
>
> Hi,
>
> ------- Original Message -------
> On Thursday, October 27th, 2022 at 5:16 AM, Leroy Tennison via Openvpn-users <openvpn-users@lists.sourceforge.net> wrote:
>
> > After 10 years this happened to us, fortunately on a small VPN. In rushing to get service restored, I used easy-rsa's build-ca, big mistake - had to recreate all client certificates. After some research I found that "openssl x509 -in /etc/openvpn/easy-rsa/keys/ca.crt -days 3650 -out ca-v2.crt -signkey /etc/openvpn/easy-rsa/keys/ca.key" seems to work. I also used build-key-server because the server's certificate had also expired and that seems to work as well. When the new CA certificate and server certificate/key pair is configured in the conf file and OpenVPN restarted, existing clients with unexpired certificate/key pairs were able to connect and function.
> >
> > My question is "Is this the correct/best way to handle the situation?" If not, what is?
>
> First, it is true that Easy-RSA could have a CA renewal function, it is even on the list of requests.
> https://github.com/OpenVPN/easy-rsa/issues/379
>
> Second, if you used Easy-RSA to build a new CA, did you also re-initialise your PKI ?
>
> I'm not really sure how well renewing a CA works, because, I presume that you still need to distribute the new CA certificate to your clients .. So, it is debatable how useful renewing a CA really is versus building a new CA and distributing new client config files.
>
> As for best practice: When the software is free, please accept a share of the responsibility.
>
> br
> RTB
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
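The thread turns on why clients holding unexpired certificates issued under the old CA still validate against the "renewed" CA certificate, while a CA rebuilt with build-ca broke them. The following is an added demonstration (my own script, not from the thread or from Easy-RSA): it builds a throwaway PKI with plain openssl, re-issues the CA certificate with the same `x509 -signkey` command Leroy used, rebuilds a second CA with a fresh key, and compares what a checksum of the certificate file sees against what chain validation actually depends on (the CA public key). All names, subjects and lifetimes are constructed for the demo.

```shell
#!/bin/sh
# Added example: a CA certificate re-issued from the SAME key still validates
# client certificates signed under the original CA certificate; a CA rebuilt
# with a NEW key (what easy-rsa build-ca does) does not. Subjects, file names
# and lifetimes below are constructed for this demo.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Original CA certificate/key pair.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
    -subj "/CN=Demo VPN CA" -days 365 >/dev/null 2>&1

# A client certificate issued under the original CA certificate.
openssl req -newkey rsa:2048 -nodes -keyout client.key -out client.csr \
    -subj "/CN=client1" >/dev/null 2>&1
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -out client.crt -days 365 >/dev/null 2>&1

# "Renewed" CA, the command from the thread: new validity dates and a new
# signature, but the same subject, the same public key and retained extensions.
openssl x509 -in ca.crt -days 3650 -out ca-v2.crt -signkey ca.key >/dev/null 2>&1

# Rebuilt CA: same subject name but a brand-new key pair.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca-new.key -out ca-new.crt \
    -subj "/CN=Demo VPN CA" -days 3650 >/dev/null 2>&1

# verify_client <ca-cert>: exit 0 if client.crt chains to the given trust anchor.
verify_client() {
    openssl verify -CAfile "$1" client.crt >/dev/null 2>&1
}

# SHA-256 of the whole certificate (what a checksum on ca.crt compares).
cert_digest() {
    openssl x509 -in "$1" -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 of the CA public key alone, which is what decides whether an
# existing client certificate's signature can still be verified.
pubkey_digest() {
    openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256 | awk '{print $NF}'
}

for ca in ca.crt ca-v2.crt ca-new.crt; do
    if verify_client "$ca"; then verdict=OK; else verdict=FAIL; fi
    printf '%-10s cert=%.12s pubkey=%.12s client verify: %s\n' \
        "$ca" "$(cert_digest "$ca")" "$(pubkey_digest "$ca")" "$verdict"
done
```

The certificate digests of ca.crt and ca-v2.crt differ (as the checksum in the thread showed) while their public-key digests are identical, which is why existing clients keep working until the original CA certificate they trust expires; ca-new.crt shares the subject name but not the key, so every existing client certificate fails against it.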