On 19/03/2025 15:23, Bo Berglund wrote:
[...]
>
> On 3rd thought I realized that I have almost 3 years remaining on the life of my
> certs (expire jan 2028) and I will save time now by just transplanting the OVPN
> infrastructure over to the new server and changing the port-forward on the
> router to the new IP address.

This is more advice for when you're doing a new VPN setup ...

Ask yourself if you really need the CA layer at all - if you would skip it if you could. If the answer is "Yes, please!", then you should look into the feature which I believe arrived in OpenVPN 2.6

    --peer-fingerprint

That just requires clients to have the server-side certificate fingerprint listed and the server the fingerprints of all the clients it accepts. And that's it. Both clients and servers will need the key/cert files, but the certs can now be self-signed.

There will be a lifetime on the client/server certs themselves - so you need to consider carefully how long you want your client and server certificates to be valid.

-- 
kind regards,

David Sommerseth
OpenVPN Inc

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
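
The server-side fingerprint list described in the message above, as an added example that is not part of the original post and not OpenVPN project code: it computes the SHA-256 fingerprint of each client certificate (the hash of the DER bytes inside the PEM armor) and renders the inline `<peer-fingerprint>` block for the server config. The function names, the client labels and the sample PEM bodies are assumptions made for illustration; the sample "certificates" are constructed bytes, not real X.509 data.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def cert_fingerprints(pem_text):
    """SHA-256 fingerprint (AA:BB:.. form) of every certificate in pem_text."""
    prints = []
    for body in PEM_RE.findall(pem_text):
        # The fingerprint is taken over the DER bytes, not over the PEM text.
        der = base64.b64decode("".join(body.split()), validate=True)
        digest = hashlib.sha256(der).hexdigest().upper()
        prints.append(":".join(digest[i:i + 2] for i in range(0, 64, 2)))
    return prints

def server_allow_list(client_pems):
    """Render the server's inline <peer-fingerprint> block.

    client_pems maps a label (hypothetical naming) to that client's PEM text.
    Each file must hold exactly one certificate, and no two labels may share
    one, so that deleting a line later cuts off exactly one client.
    """
    seen = {}
    for label, pem in sorted(client_pems.items()):
        fps = cert_fingerprints(pem)
        if len(fps) != 1:
            raise ValueError(f"{label}: expected 1 certificate, got {len(fps)}")
        if fps[0] in seen:
            raise ValueError(f"{label} and {seen[fps[0]]} share a certificate")
        seen[fps[0]] = label
    return "\n".join(["<peer-fingerprint>", *seen, "</peer-fingerprint>"])

def constructed_pem(seed):
    # Constructed stand-in: PEM armor around arbitrary bytes, NOT a real cert.
    b64 = base64.b64encode(seed * 40).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"

SAMPLE_CLIENTS = {
    "laptop": constructed_pem(b"laptop-cert"),
    "phone": constructed_pem(b"phone-cert"),
}

if __name__ == "__main__":
    print(server_allow_list(SAMPLE_CLIENTS))
```

With no CA in the picture, this list is the only access control: removing a client means deleting its line and restarting or reloading the server.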