I am in a position where I want to start migrating users away from my
old CA, which will expire in the medium-term future, to a new CA. I have
many endpoints and can't just say "OK, everyone download the new files now."
So I am looking at the steps in
https://www.hexonet.net/blog/migrating-new-ca-for-openvpn
which allows both sets of clients to connect to existing
infrastructure. Moving to different ports / IPs etc is not easy to do
either as firewalls at local sites are controlled by many orgs and
getting those changed is non trivial.
Step 1: OK, new CA added (stacked).
Step 2, "Also, the server certificate is replaced by one signed by the
new CA." Also done. Clients with certs signed by the new CA can connect.
Step 3, "Additionally, an intermediate certificate (OLD-NEW-IM.crt) that
uses the private key of the new CA, but is signed by the old CA, gets
added to the server certificate file. IMPORTANT: When signing the new
server certificate, the 'authorityKeyIdentifier' section must only
include the keyid, and not the issuer. This is necessary to prevent
issues related to different subjects of the old and new CA's."
That's the part I am not sure of. Can this be done with easy-rsa 3, or do
I need to do it manually with openssl? I am thinking this is an openssl
CLI thing. If so, has anyone done this who can share the steps?
---Mike
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
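The openssl steps for the part Mike is asking about, as an added example that is not from the original post, the hexonet blog or easy-rsa: it creates two constructed CAs with different subjects, builds OLD-NEW-IM.crt from a CSR made with the new CA's private key and signed by the old CA, issues a server certificate from the new CA with authorityKeyIdentifier=keyid only, and uses openssl verify to check that both an old client (trusting only the old CA and receiving OLD-NEW-IM.crt from the server) and a new client (trusting the new CA) validate it. For contrast it also issues a server certificate with authorityKeyIdentifier=keyid,issuer:always and shows the old-client path failing, which is the situation the blog's IMPORTANT note warns about. All subjects, file names and the scratch directory are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post, the hexonet blog or easy-rsa):
# cross-signed intermediate OLD-NEW-IM.crt built with plain openssl, plus a
# check of both client populations. Subjects and file names are constructed.
set -eu

OLD_SUBJ="/CN=Old VPN CA"   # constructed: the expiring CA
NEW_SUBJ="/CN=New VPN CA"   # constructed: the new CA; different subject on purpose

genkey() { openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$1" 2>/dev/null; }

# sign SIGNER_OPTS CSR OUT EXT_LINE...: sign a CSR with the given x509v3 extensions.
# SIGNER_OPTS is "-signkey key" (self-signed) or "-CA crt -CAkey key -CAcreateserial".
sign() {
    signer=$1; csr=$2; out=$3; shift 3
    printf '%s\n' "$@" > "$out.ext"
    # shellcheck disable=SC2086
    openssl x509 -req -in "$csr" $signer -days 3650 -extfile "$out.ext" -out "$out" >/dev/null 2>&1
}

# Self-signed CA with a subjectKeyIdentifier, so issued certs can reference it by keyid.
ca_self_signed() {  # $1 = file prefix, $2 = subject
    genkey "$1.key"
    openssl req -new -key "$1.key" -subj "$2" -out "$1.csr" 2>/dev/null
    sign "-signkey $1.key" "$1.csr" "$1.crt" \
        "basicConstraints=critical,CA:TRUE" "keyUsage=critical,keyCertSign,cRLSign" \
        "subjectKeyIdentifier=hash"
}

# Step 3 of the migration: a CSR made with the NEW CA's private key (same public key,
# hence the same subjectKeyIdentifier as new-ca.crt), signed by the OLD CA.
# authorityKeyIdentifier=keyid only: no issuer DN or serial, because the two CAs
# have different subjects.
cross_sign() {
    openssl req -new -key new-ca.key -subj "$NEW_SUBJ" -out im.csr 2>/dev/null
    sign "-CA old-ca.crt -CAkey old-ca.key -CAcreateserial" im.csr OLD-NEW-IM.crt \
        "basicConstraints=critical,CA:TRUE" "keyUsage=critical,keyCertSign,cRLSign" \
        "subjectKeyIdentifier=hash" "authorityKeyIdentifier=keyid"
}

# Server certificate issued by the NEW CA. $1 = authorityKeyIdentifier value, $2 = output file.
issue_server() {
    [ -f server.key ] || genkey server.key
    openssl req -new -key server.key -subj "/CN=vpn.example.test" -out server.csr 2>/dev/null
    sign "-CA new-ca.crt -CAkey new-ca.key -CAcreateserial" server.csr "$2" \
        "basicConstraints=CA:FALSE" "keyUsage=critical,digitalSignature" \
        "extendedKeyUsage=serverAuth" "subjectKeyIdentifier=hash" \
        "authorityKeyIdentifier=$1"
}

# Old clients trust only old-ca.crt and get OLD-NEW-IM.crt from the server (extra certs
# appended to the server's cert file are sent in the handshake), so the path must be
# server -> OLD-NEW-IM -> old CA. New clients trust new-ca.crt and need no intermediate.
old_client_ok() { openssl verify -CAfile old-ca.crt -untrusted OLD-NEW-IM.crt "$1" >/dev/null 2>&1; }
new_client_ok() { openssl verify -CAfile new-ca.crt "$1" >/dev/null 2>&1; }

build_and_check() {
    ca_self_signed old-ca "$OLD_SUBJ"
    ca_self_signed new-ca "$NEW_SUBJ"
    cross_sign
    issue_server "keyid" server-good.crt
    issue_server "keyid,issuer:always" server-bad.crt
    cat server-good.crt OLD-NEW-IM.crt > server-chain.crt   # what goes into the OpenVPN cert file

    # keyid-only AKI: both client populations build a valid chain.
    old_client_ok server-good.crt && new_client_ok server-good.crt || return 1
    # AKI with issuer DN + serial: new clients still verify, but old clients cannot use
    # OLD-NEW-IM.crt as the issuer, because its issuer (old CA) and serial do not match
    # the issuer (new CA) and serial recorded in the server certificate's AKI.
    new_client_ok server-bad.crt || return 1
    if old_client_ok server-bad.crt; then return 1; fi
    echo "keyid only: old and new clients verify; keyid,issuer:always: old clients fail as expected"
}

# Run everything in a scratch directory and clean it up; returns 0 when all checks hold.
run_demo() {
    work=$(mktemp -d)
    if (cd "$work" && build_and_check); then rc=0; else rc=1; fi
    rm -rf "$work"
    return $rc
}

run_demo
```

Whichever tool issues the server certificate, the thing to check afterwards is `openssl x509 -in server.crt -noout -text`: under "X509v3 Authority Key Identifier" there must be only a keyid line, no DirName or serial. easy-rsa 3 takes the extension values for issued certificates from its x509-types templates, which, in the versions I have looked at, set authorityKeyIdentifier to keyid,issuer:always; if that is what your copy does, the template has to be adjusted or the server certificate signed as above before the cross-signed path will work for the old clients.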