On 19/03/2025 23:02, David Sommerseth wrote:
> On 19/03/2025 15:23, Bo Berglund wrote:
> [...]
>>
>> On 3rd thought I realized that I have almost 3 years remaining on the life
>> of my certs (expire Jan 2028) and I will save time now by just transplanting
>> the OVPN infrastructure over to the new server and changing the port-forward
>> on the router to the new IP address.
>
> This is more an advice for when you're doing a new VPN setup ...
>
> Ask yourself if you really need the CA layer at all - if you would skip
> it if you could. If the answer is "Yes, please!", then you should look
> into the feature which I believe arrived in OpenVPN 2.6
>
>     --peer-fingerprint
>
> That just requires clients to have the server-side certificate
> fingerprint listed and the server the fingerprints of all the clients it
> accepts. And that's it. Both clients and servers will need the
> key/cert files, but the certs can now be self-signed.
>
> There will be a lifetime on the client/server certs themselves - so you need
> to consider carefully how long you want your client and server
> certificates to be valid.

I forgot to add a link with more details:

<https://github.com/openvpn/openvpn/blob/master/doc/man-sections/example-fingerprint.rst>

--
kind regards,

David Sommerseth
OpenVPN Inc
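
The fingerprint setup described in the message above, as an added example that is not part of the original mail or of the OpenVPN project: it creates self-signed certificates with the `openssl` CLI, prints the `peer-fingerprint` lines each side needs, and checks the remaining lifetime. The file names, CN values, curve and the 365-day lifetime are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: self-signed certificates for OpenVPN --peer-fingerprint.
# Assumptions: file names, CN values and the 365-day lifetime are illustrative.

# make_peer_cert NAME DAYS: write NAME.key and a self-signed NAME.crt valid DAYS days.
make_peer_cert() {
    name=$1; days=$2
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:secp384r1 \
        -nodes -sha256 -days "$days" -subj "/CN=$name" \
        -keyout "$name.key" -out "$name.crt" 2>/dev/null
    chmod 600 "$name.key"   # the private key stays on the peer it belongs to
}

# cert_fingerprint FILE: SHA-256 fingerprint as colon-separated hex.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# cert_expires_within FILE SECONDS: succeeds if the cert expires within SECONDS.
cert_expires_within() {
    ! openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# peer_fingerprint_block FILE...: inline block listing every accepted client cert.
peer_fingerprint_block() {
    echo "<peer-fingerprint>"
    for crt in "$@"; do cert_fingerprint "$crt"; done
    echo "</peer-fingerprint>"
}

# Run as: sh script.sh demo
if [ "${1:-}" = "demo" ]; then
    cd "$(mktemp -d)" || exit 1
    make_peer_cert server 365
    make_peer_cert client1 365
    echo "# add to server.conf (next to: cert server.crt / key server.key)"
    peer_fingerprint_block client1.crt
    echo "# add to client1.conf (next to: cert client1.crt / key client1.key)"
    echo "peer-fingerprint $(cert_fingerprint server.crt)"
    # Pinned certs still expire: flag anything with under 30 days left.
    for crt in server.crt client1.crt; do
        if cert_expires_within "$crt" $((30 * 86400)); then
            echo "RENEW SOON: $crt"
        fi
    done
fi
```

Because there is no CA, replacing a certificate means updating the pinned fingerprint on the other side as well, so the expiry check is worth scheduling well ahead of the end date.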