On 10/2/2023 3:59 PM, Selva Nair wrote:
> If you can afford two rounds of client config updates, this could be
> done without step 3 -- see the following thread from users list:
> https://www.mail-archive.com/openvpn-users@lists.sourceforge.net/msg05983.html
> Essentially, update to the stacked CA (old+new) on server and stacked
> CA + new client certs on clients one by one. When all clients are
> updated, change the server certificate to the new one. Then do another
> round of client update where old CA is removed from the stack.
> A link certificate allows one to do this in one round of client
> updates as also discussed in that thread. I have used OpenSSL CLI in
> the past for this but do not have a recipe at hand. No idea whether
> easyrsa could do it.

Thanks Selva for the link! Two rounds will be a bit laborious as there
are many endpoints. If I have to go for option A (stacked CAs on all
clients, stacked CAs on the server, then update the server), is there a
downside with leaving an expired CA cert on all the clients? Or can
they just be left there until the devices get re-imaged over time?
---Mike
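The stacked-CA rotation and the link (cross-signed) certificate that Selva describes, rehearsed end to end with the OpenSSL CLI as an added example. This is not code from the thread, from OpenVPN or from easy-rsa, and every CA name, subject and file name in it is a constructed assumption. The script builds a throwaway old and new CA, the old+new bundle that clients receive in the first round, a link certificate (the new CA's key and subject signed by the old CA) and one server certificate from each CA, then checks which trust store verifies which server certificate.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenVPN/easy-rsa: rehearse a
# CA rotation with a stacked CA bundle and a link (cross-signed) certificate.
# All CA names, subjects and file names below are constructed for this demo.
set -eu

WORK="$(mktemp -d)"
cd "$WORK"

# Minimal req config so the example does not depend on the system openssl.cnf.
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# Extensions for the cross-signed (link) CA certificate and for a server leaf.
printf '%s\n' 'basicConstraints=critical,CA:TRUE' 'keyUsage=critical,keyCertSign,cRLSign' \
  'subjectKeyIdentifier=hash' 'authorityKeyIdentifier=keyid' > link.ext
printf '%s\n' 'basicConstraints=CA:FALSE' 'keyUsage=digitalSignature,keyEncipherment' \
  'extendedKeyUsage=serverAuth' 'authorityKeyIdentifier=keyid' > leaf.ext

# Self-signed CA: $1 = file prefix, $2 = CN (hypothetical names)
make_ca() {
  openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=$2" -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# Server certificate: $1 = output prefix, $2 = issuing CA prefix, $3 = CN
make_server_cert() {
  openssl req -config ca.cnf -new -newkey rsa:2048 -nodes \
    -subj "/CN=$3" -keyout "$1.key" -out "$1.csr" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" -CAcreateserial \
    -days 365 -extfile leaf.ext -out "$1.crt" 2>/dev/null
}

# Link certificate: the new CA's public key and subject, signed by the old CA,
# so a client that trusts only the old CA can chain new-CA-issued certs to it.
make_link_cert() {
  openssl req -config ca.cnf -new -key newca.key -subj "/CN=Example New Root CA" \
    -out link.csr 2>/dev/null
  openssl x509 -req -in link.csr -CA oldca.crt -CAkey oldca.key -CAcreateserial \
    -days 730 -extfile link.ext -out link.crt 2>/dev/null
}

# verify_with TRUST_FILE CERT [UNTRUSTED_CHAIN_FILE]: exit 0 if CERT chains to a
# certificate in TRUST_FILE, optionally via intermediates in UNTRUSTED_CHAIN_FILE.
verify_with() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

make_ca oldca "Example Old Root CA"
make_ca newca "Example New Root CA"
cat oldca.crt newca.crt > stacked.pem        # the old+new bundle clients get in round one
make_server_cert server_old oldca "vpn.example.test"
make_server_cert server_new newca "vpn.example.test"
make_link_cert

# Print one verification result per line for the reader.
check() {
  if verify_with "$2" "$3" "${4:-}"; then r=OK; else r=FAIL; fi
  printf '%-48s %s\n' "$1" "$r"
}
check "stacked CA, old server cert"              stacked.pem server_old.crt
check "stacked CA, new server cert"              stacked.pem server_new.crt
check "old CA only, new server cert"             oldca.crt   server_new.crt
check "old CA only, new server cert + link cert" oldca.crt   server_new.crt link.crt
check "new CA only, old server cert"             newca.crt   server_old.crt
```

The last three checks show the ordering constraints behind the two-round procedure: a client that still trusts only the old CA cannot verify a certificate issued by the new CA unless the server also sends the link certificate in its chain, and a client that has already dropped the old CA cannot verify the old server certificate, so the server certificate has to change before the second round removes the old CA from the stack.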
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users