On 29.09.25 04:18, Leroy Tennison via Openvpn-users wrote:
> Other than connecting to the client, finding what ca.crt they use and running openssl x509 -in <client ca.crt> -noout -enddate?
a) Just to make sure: The *clients* need the cert of the CA issuing the *server* certs, because *that's* the cert they're checking with it.
b) Your OpenSSL command will output the data for the *first* cert found in the file. Files - or, for that matter, CApath directories - accepted by OpenVPN can contain *several* CA certs. (In the case of a PKI with intermediate CAs, they *should* have the entire chains from root to server-cert-issuing intermediate.)
c) I still remember the time when, while we evaluated a new platform, we found that OpenVPN would also refuse a CA with an expired *CRL*, so you might want to check that as well - *if* you're rolling out CRLs to the clients.
d) Having said that, I'm not aware of a method to double-check any of that on the *server* side ...
> My concern is accidentally overlooking a client.
You might be able to change the roll-out process so that the new serverCA file and new client certs with some marker (say, OU=ImAlreadyDone) will be installed at the same time, then you could recognize unprepared clients by the missing marker as they auth ... ?
(Still doesn't catch *dormant* clients, though ...)

Kind regards,
-- 
Jochen Bern
Systemingenieur
Binect GmbH
Openvpn-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/openvpn-users
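Points b) and c) above in script form: a CA bundle may hold several certificates and `openssl x509` only reads the first, so the script below splits the PEM file and reports notAfter for each block, and optionally the nextUpdate of a CRL. This is an added example, not code from the thread; it assumes the bundle path is given as the first argument and an optional CRL path in the CRL_FILE variable (both constructed conventions).

```shell
#!/bin/sh
# Split a PEM bundle ($1) into one file per certificate under directory $2
# (cert-1.pem, cert-2.pem, ...). Text outside BEGIN/END blocks is dropped.
split_pem_certs() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; incert = 1 }
        incert { print > out }
        /-----END CERTIFICATE-----/  { incert = 0; close(out) }
    ' "$1"
}

# Number of certificate blocks in a PEM bundle (0 if none).
count_pem_certs() {
    awk '/-----BEGIN CERTIFICATE-----/ { n++ } END { print n + 0 }' "$1"
}

# Subject and notAfter for EVERY cert in the bundle, not just the first one,
# plus a warning when a cert expires within the next 30 days (2592000 s).
report_bundle_expiry() {
    bundle=$1
    tmp=$(mktemp -d)
    split_pem_certs "$bundle" "$tmp"
    echo "$(count_pem_certs "$bundle") certificate(s) in $bundle"
    for c in "$tmp"/cert-*.pem; do
        [ -e "$c" ] || continue
        openssl x509 -in "$c" -noout -subject -enddate
        if ! openssl x509 -in "$c" -noout -checkend 2592000 >/dev/null; then
            echo "  WARNING: this CA cert expires within 30 days"
        fi
    done
    rm -rf "$tmp"
}

# An expired CRL is rejected as well (point c), so check its nextUpdate too.
crl_next_update() {
    openssl crl -in "$1" -noout -nextupdate
}

if [ $# -gt 0 ]; then
    report_bundle_expiry "$1"
fi
if [ -n "${CRL_FILE:-}" ]; then
    crl_next_update "$CRL_FILE"
fi
```

Run it against the exact ca.crt (or every file in the CApath directory) that the client config references, since that, not the server's copy, is what the client validates the server cert against.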
