On Mon, 8 Jan 2024 15:35:17 +0100, Jochen Bern <jochen.b...@binect.de> wrote:
>On 08.01.24 15:09, Bo Berglund wrote:
>> OK, in my case there are only a handful of clients so I could presumably do the
>> following by creating new server crypto files from scratch:
>
>If you'd like to get into enough detail to come up with a step-by-step
>recipe, you should IMHO specify *which* certs exactly are about to
>expire and need to be replaced in the process - just the CA, or the
>server's as well? (Or maybe it's *just* the server cert ... ?)
>
>Creating a new CA cert *without* changing the keypair and then rolling
>that out to the clients would be particularly useful if it allows you to
>keep the server cert unchanged, assuming that the server cert's nominal
>lifetime exceeds that of the CA; for as long as the old CA cert is still
>valid, *either* CA cert in whatever client's config would have the
>server cert accepted. Problem though, I don't know whether *EasyRSA* has
>a command/procedure to create a CA cert that way.
>
>Kind regards,

The question was asked without me knowing that only certs have an expiry date.
So it makes it possible I guess to create a new cert for the CA.key and thereby
extend the life of it...

Meanwhile I have used the command that was posted here (a bit modified since the
last argument was not recognized on my system).
So I have found that the two most important servers both have 3-4 years of
remaining life. :)

So I will put this off for a later day.

My initial servers created back in 2014 are running on devices I no longer
connect to so I am Ok with their state too. The only important one of the old
servers was replaced in October with a brand new one.

-- 
Bo Berglund
Developer in Sweden
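The same-keypair CA renewal discussed in this thread, sketched with plain `openssl` as an added example (it is not part of either message and is not an EasyRSA procedure). It issues a server cert under a short-lived CA cert, re-issues the CA cert on the same key, and checks that the unchanged server cert verifies against both, while a CA with the same subject but a different key is rejected. All file names, subject names and lifetimes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: re-issue a CA cert on the SAME key; all names are constructed.
ca_renewal_demo() {
    d=$(mktemp -d) || return 1
    # Minimal config so the run does not depend on the system openssl.cnf.
    cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example VPN CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    (
        cd "$d" || exit 1
        # One CA key pair; the "old" cert on it is about to expire (30 days).
        openssl genrsa -out ca.key 2048 2>/dev/null
        openssl req -x509 -new -config ca.cnf -key ca.key -days 30 -out ca-old.crt
        # Server cert issued under the old CA cert, outliving it (365 days).
        openssl genrsa -out server.key 2048 2>/dev/null
        openssl req -new -config ca.cnf -subj "/CN=vpn-server" \
            -key server.key -out server.csr
        openssl x509 -req -in server.csr -CA ca-old.crt -CAkey ca.key \
            -CAcreateserial -days 365 -out server.crt 2>/dev/null
        # Renewal: same key, same subject, new validity period.
        openssl req -x509 -new -config ca.cnf -key ca.key -days 3650 -out ca-new.crt
        # Control: same subject on a different key must not validate server.crt.
        openssl genrsa -out other.key 2048 2>/dev/null
        openssl req -x509 -new -config ca.cnf -key other.key -days 3650 -out ca-other.crt
        for ca in ca-old ca-new ca-other; do
            if openssl verify -CAfile "$ca.crt" server.crt >/dev/null 2>&1
            then printf '%s=OK ' "$ca"; else printf '%s=FAIL ' "$ca"; fi
        done
        echo
    )
    rc=$?
    rm -rf "$d"
    return $rc
}
```

Calling `ca_renewal_demo` prints one verification result per CA file. On a real deployment, `openssl x509 -noout -enddate -in <cert>` shows which of the CA and server certs is actually the one nearing expiry.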