Thanks for your reply, you mentioned some alternatives I wasn't aware of.  Our 
configuration pretty much follows the supplied client.conf and server.conf 
examples as well as easy-rsa so there's one ca file.  I didn't specify how I'd 
determine the ca.crt file so, for clarification, my plan was to use

    vpnconf=`ps -ef | grep openvpn | grep -o '\-\-config.*conf ' | cut -d' ' -f 2`

followed by

    cacrt=`grep ^ca $vpnconf | cut -d' ' -f2`


followed by (since our standard is to put the client ca.crt in /etc/openvpn and 
not use full-path for the file)

    expire=`openssl x509 -in /etc/openvpn/$cacrt -noout -enddate`

and use that.

Second, good point about an expired CRL but we don't use client side CRLs

Third point, are you suggesting that we use something different in the new 
ca.crt to distinguish it from the old one and use

openssl x509 -in </path/to/ca.crt> -noout -subject

to detect non-upgraded clients?

Finally, by design these clients are always connected so we don't face that 
issue.


On Monday, September 29, 2025 at 02:49:32 AM CDT, Jochen Bern <[email protected]> wrote:

On 29.09.25 04:18, Leroy Tennison via Openvpn-users wrote:
> Other than connecting to the client, finding what ca.crt they
> use and running openssl x509 -in <client ca.crt> -noout -enddate?

a) Just to make sure: The *clients* need the cert of the CA issuing the 
*server* certs, because *that's* the cert they're checking with it.

b) Your OpenSSL command will output the data for the *first* cert found 
in the file. Files - or, for that matter, CApath directories - accepted 
by OpenVPN can contain *several* CA certs. (In the case of a PKI with 
intermediate CAs, they *should* have the entire chains from root to 
server-cert-issuing intermediate.)

c) I still remember the time when, while we evaluated a new platform, we 
found that OpenVPN would also refuse a CA with an expired *CRL*, so you 
might want to check that as well - *if* you're rolling out CRLs to the 
clients.

d) Having that said, I'm not aware of a method to double-check any of 
that on the *server* side ...


> My concern is accidentally overlooking a client.


You might be able to change the roll-out process so that the new 
serverCA file and new client certs with some marker (say, 
OU=ImAlreadyDone) will be installed at the same time, then you could 
recognize unprepared clients by the missing marker as they auth ... ?

(Still doesn't catch *dormant* clients, though ...)

Kind regards,
-- 
Jochen Bern
Systemingenieur

Binect GmbH

_______________________________________________
Openvpn-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openvpn-users
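The client-side check discussed in this thread (find the CA file from the running config, then read its expiry), reworked so that it also covers point (b) above: the file named by `ca` may hold several certificates, and `openssl x509` only reports the first. This is an added example, not code from either message on the list; it assumes a plain `ca <file>` directive (inline `<ca>` blocks, `capath` and a `cd` directive are not handled), resolves a relative file name against the config's directory as the thread's /etc/openvpn convention does, and relies on `openssl x509 -checkend`, which exits non-zero when a certificate expires within the given number of seconds.

```shell
#!/bin/sh
# Added example, not from the thread. Inventory the CA certificates an
# OpenVPN client actually trusts: read the "ca" directive from its config
# and report every certificate in that file, not just the first one that
# "openssl x509 -in ca.crt -noout -enddate" would show.
#
# Assumptions (illustrative, not OpenVPN's own code):
#   * the config names the CA file with a plain "ca <file>" line; inline
#     <ca>...</ca> blocks, "capath" and a "cd" directive are not handled
#   * a relative file name is taken relative to the config's directory
#     (the thread's convention of keeping ca.crt in /etc/openvpn)

# Print the path of the file named by the "ca" directive; return 1 if absent.
ca_file_from_conf() {
    conf=$1
    name=$(awk '$1 == "ca" { print $2; exit }' "$conf")
    [ -n "$name" ] || return 1
    case $name in
        /*) printf '%s\n' "$name" ;;
        *)  printf '%s/%s\n' "$(dirname "$conf")" "$name" ;;
    esac
}

# Split a PEM bundle into <outdir>/cert-1.pem, cert-2.pem, ... and print the
# number of certificates found (0 if the file holds none).
split_pem_bundle() {
    bundle=$1
    outdir=$2
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inside = 1 }
        inside                        { print > out }
        /-----END CERTIFICATE-----/   { inside = 0; close(out) }
        END                           { print n + 0 }
    ' "$bundle"
}

# Print "notAfter<TAB>subject" for each certificate in the bundle, in file
# order. Returns 1 if the bundle is empty or any certificate has expired or
# expires within $2 days (default 30), so the exit status is usable from
# a monitoring check.
report_ca_bundle() {
    bundle=$1
    days=${2:-30}
    tmp=$(mktemp -d) || return 2
    count=$(split_pem_bundle "$bundle" "$tmp")
    rc=0
    i=1
    while [ "$i" -le "$count" ]; do
        f="$tmp/cert-$i.pem"
        enddate=$(openssl x509 -in "$f" -noout -enddate | sed 's/^notAfter=//')
        subject=$(openssl x509 -in "$f" -noout -subject | sed 's/^subject=//')
        printf '%s\t%s\n' "$enddate" "$subject"
        # -checkend exits non-zero when the certificate expires within the
        # given number of seconds (or has expired already).
        openssl x509 -in "$f" -noout -checkend $((days * 86400)) >/dev/null || rc=1
        i=$((i + 1))
    done
    rm -rf "$tmp"
    [ "$count" -gt 0 ] || rc=1   # a bundle with no certificate is a finding, too
    return $rc
}

# Usage: OPENVPN_CONF=/etc/openvpn/client.conf WARN_DAYS=30 sh ca-expiry.sh
# (only runs when OPENVPN_CONF is set, so the functions can also be sourced)
if [ -n "${OPENVPN_CONF:-}" ]; then
    ca=$(ca_file_from_conf "$OPENVPN_CONF") || {
        echo "no 'ca' directive in $OPENVPN_CONF" >&2
        exit 2
    }
    report_ca_bundle "$ca" "${WARN_DAYS:-30}"
fi
```

Because the bundle is split and each certificate is checked separately, a chain with a root and an intermediate produces one line per certificate and the exit status reflects the soonest expiry, which is the case the single `openssl x509 -enddate` call in the thread misses. The same per-file approach extends to point (c): for a client-side CRL, `openssl crl -in <file> -noout -nextupdate` gives the date after which OpenVPN would reject it.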

