Hi Bo,

I would be interested to know the results of using EasyRSA to upgrade from a version 2 PKI to version 3. It worked in all my tests but that's not really enough.

As the author of the `upgrade`, I am happy to help you with that.

Thanks
Richard

------- Original Message -------
On Thursday, March 2nd, 2023 at 16:56, Bo Berglund <bo.bergl...@gmail.com> wrote:

> On Thu, 02 Mar 2023 14:01:24 +0000, tincantech via Openvpn-users
> openvpn-users@lists.sourceforge.net wrote:
>
> > ------- Original Message -------
> > On Thursday, March 2nd, 2023 at 10:12, Bo Berglund bo.bergl...@gmail.com
> > wrote:
> >
> > > I have downloaded easy-rsa3 version to my OpenVPN server for testing.
> > > I did so using wget on the v3.1.2/EasyRSA-3.1.2.tgz file below Releases at
> > > GitHub.
> > >
> > > When I read the vars.example file I see that most of what I had to do in
> > > the vars file before is not really needed anymore. :-)
> > >
> > > But there are a couple of things regarding certs I don't understand fully
> > > so would like to get explained:
> > >
> > > # In how many days should the root CA key expire?
> > > #
> > > #set_var EASYRSA_CA_EXPIRE 3650
> > >
> > > Obviously based on earlier discussions here about looming expirations I
> > > would like to do this to raise the time to 20 years:
> > >
> > > set_var EASYRSA_CA_EXPIRE 7300
> > >
> > > However, the following seems also to be involved with expirations but I
> > > don't know for sure what to do...
> > >
> > > Do I need to also set these to 7300 to get a 20 year "working time"?
> > >
> > > # In how many days should certificates expire?
> > > #
> > > #set_var EASYRSA_CERT_EXPIRE 825
> >
> > This seems to me to be self-explanatory:
> >
> > * EASYRSA_CA_EXPIRE the CA certificate validity period.
> >
> > * EASYRSA_CERT_EXPIRE the entity certificate validity period.
>
> I have no real knowledge of what these files do, except I have understood that
> CA is used to validate to the client somehow.
> How that relates to CERT is unknown by me.
> I just set this up a number of years ago following a then valid how-to and
> later I have figured out that in a couple of years or so the server will no
> longer work unless I do something about CA expiration.
>
> That is why I got confused by the easy-rsa3 default having different times for
> CA and CERT.
>
> > > # How many days until the next CRL publish date? Note that the CRL can
> > > # still be parsed after this timeframe passes. It is only used for an
> > > # expected next publication date.
> > > #
> > > #set_var EASYRSA_CRL_DAYS 180
> > >
> > > Isn't the last one dealing with client cert revocations?
> > >
> > > Does it imply some automatic renewal of the revocations such that one
> > > does not have to build and copy a new crl file every now and then even if
> > > no new user logins have to be revoked to keep the server operational at
> > > all?
> > >
> > > In easy-rsa2 there was no way to update a crl file without also revoking
> > > an additional user and the whole server locked up after a very short time
> > > of a month or so.....
> > >
> > > I had to disable crl handling for that very reason....
> >
> > * EASYRSA_CRL_DAYS the CRL validity period.
> >
> > If you have a very static PKI then this can be a little irritating,
> > however, the default 180 days is the recommended value.
>
> I "solved" the problem in the server by switching from:
> crl-verify <path-to>/crl.pem
>
> to
>
> client-config-dir /etc/openvpn/ccdw
>
> and putting files with disabled in them into that dir and named as the common
> name of clients to block.
>
> So no need for the crl anymore.
>
> > CRL validity period explained:
> >
> > If you revoke a certificate but forget to generate a new CRL then
> > the revoked cert. will still be allowed to connect.
> >
> > Having a very short validity period for the CRL is a security measure;
> > when it kicks in it ensures that the admin updates to a new CRL.
> >
> > The essential knowledge (Which you seem to not understand) is:
> >
> > The certificate remains unchanged by being revoked, only the CRL is
> > aware of which certificates are valid versus those that are revoked.
> >
> > (This is unlike certificate expiry because the 'not-after' field,
> > encoded INSIDE the certificate, denotes when the certificate expires.)
> >
> > Therefore, if you intend to revoke certificates (as opposed to all
> > the other options that OpenVPN has available) then you MUST keep your
> > CRL up-to-date.
> >
> > EasyRSA-3 "could" also be like EasyRSA-2 and do an automatic 'gen-crl'
> > when a certificate is revoked. However, at this time it does not.
> >
> > It does come with this helpful message after a successful revoke:
> >
> > ----
> > * IMPORTANT *
> >
> > Revocation was successful. You must run 'gen-crl' and upload a new CRL to
> > your infrastructure in order to prevent the revoked certificate from being
> > accepted."
> > ----
>
> Just asking about crl out of curiosity and to update my own OpenVPN-Config.md
> file where I keep notes concerning the server handling.
>
> Thanks for the reply!
>
> I will go back to your earlier comments regarding switching to easy-rsa3 now
> especially concerning how to migrate existing files from 2 to 3.
> And how to switch the server without having to replace all of the files
> including the client ovpn files..
>
> PS: I saw you are the guy maintaining easy-rsa by the messages on GitHub.
> DS
>
> --
> Bo Berglund
> Developer in Sweden
>
> _______________________________________________
> Openvpn-users mailing list
> Openvpn-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openvpn-users
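The CRL behaviour explained in the quoted exchange (a certificate is not altered by 'revoke'; only the CRL, refreshed by 'gen-crl' and carrying a nextUpdate set by EASYRSA_CRL_DAYS, tells the verifier), shown as an added example that is not part of the thread or of EasyRSA's own code. It assumes only the openssl CLI (the same `openssl ca` calls EasyRSA wraps) and builds a throwaway CA in a temporary directory using the lifetimes discussed above.

```shell
#!/bin/sh
# Added example, not from the thread or from EasyRSA: a throwaway CA built with
# the plain openssl CLI (the same "openssl ca" calls EasyRSA wraps). Revoking a
# certificate changes nothing inside it; only the CRL records the revocation,
# so a verifier that never loads a fresh CRL keeps accepting the certificate.
set -eu
PKI=$(mktemp -d)                            # constructed, disposable PKI dir
CA_DAYS=7300; CERT_DAYS=825; CRL_DAYS=180   # EASYRSA_CA_EXPIRE / _CERT_EXPIRE / _CRL_DAYS
build_pki() {
  : > "$PKI/index.txt"; echo 01 > "$PKI/serial"
  cat > "$PKI/ca.cnf" <<EOF
[ ca ]
default_ca    = demo_ca
[ demo_ca ]
database      = $PKI/index.txt
new_certs_dir = $PKI
certificate   = $PKI/ca.crt
private_key   = $PKI/ca.key
serial        = $PKI/serial
default_md    = sha256
policy        = policy_cn
[ policy_cn ]
commonName    = supplied
EOF
  # Self-signed root CA, then one client certificate issued through "openssl ca".
  openssl req -x509 -newkey rsa:2048 -nodes -days "$CA_DAYS" -subj /CN=demo-ca \
    -keyout "$PKI/ca.key" -out "$PKI/ca.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj /CN=client1 \
    -keyout "$PKI/client.key" -out "$PKI/client.csr" 2>/dev/null
  openssl ca -batch -config "$PKI/ca.cnf" -days "$CERT_DAYS" -notext \
    -in "$PKI/client.csr" -out "$PKI/client.crt" >/dev/null 2>&1
}
# EasyRSA's "revoke" followed by "gen-crl"; the CRL's nextUpdate is CRL_DAYS ahead.
revoke_and_gen_crl() {
  openssl ca -config "$PKI/ca.cnf" -revoke "$PKI/client.crt" >/dev/null 2>&1
  openssl ca -config "$PKI/ca.cnf" -gencrl -crldays "$CRL_DAYS" -out "$PKI/crl.pem" 2>/dev/null
}
# Both return openssl's own exit status: 0 means the certificate is accepted.
verify_without_crl() { openssl verify -CAfile "$PKI/ca.crt" "$PKI/client.crt" >/dev/null 2>&1; }
verify_with_crl() { openssl verify -crl_check -CAfile "$PKI/ca.crt" -CRLfile "$PKI/crl.pem" \
                      "$PKI/client.crt" >/dev/null 2>&1; }
cert_fingerprint() { openssl x509 -in "$PKI/client.crt" -noout -fingerprint -sha256; }
build_pki
BEFORE=$(cert_fingerprint); revoke_and_gen_crl; AFTER=$(cert_fingerprint)
[ "$BEFORE" = "$AFTER" ] && echo "certificate bytes unchanged by revocation"
verify_without_crl && echo "no CRL loaded: the revoked certificate is still accepted"
verify_with_crl || echo "CRL loaded: the revoked certificate is rejected"
openssl crl -in "$PKI/crl.pem" -noout -nextupdate   # the date EASYRSA_CRL_DAYS controls
```

The last line prints the CRL's nextUpdate; OpenVPN's `crl-verify` will reject a CRL once that date has passed, which is the "kicks in" moment described above.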