CA Cert and Server Cert Expiring Soon
-
@steveits said in CA Cert and Server Cert Expiring Soon:
https://docs.netgate.com/pfsense/en/latest/certificates/renew.html
OP is on 2.4.5
Weren't the Renew GUI goodies added in 2.5 or even 2.6 ??
/Bingo
-
@bingo600 said in CA Cert and Server Cert Expiring Soon:
Weren't the Renew GUI goodies added in 2.5 or even 2.6 ??
For the serial number? I think you're right, I seem to recall seeing that in a post or redmine or something not that long ago.
-
In the documentation it says, "Retaining the serial when renewing a CA allows existing certificates to remain valid, though some clients may not respect the new CA if the serial does not change."
https://docs.netgate.com/pfsense/en/latest/certificates/renew.html
Does anybody have a list or partial list of "some clients" that do not respect the new CA with the same serial number? Is the Windows Tap Adapter one of the clients? How about the openVPN tunnel clients?
Thanks!
-
@jc2it said in CA Cert and Server Cert Expiring Soon:
Does anybody have a list or partial list of "some clients" that do not respect the new CA with the same serial number? Is the Windows Tap Adapter one of the clients? How about the openVPN tunnel clients?
OpenVPN is fine there, so you shouldn't have to worry about that. I know for sure that Firefox has a problem with reusing the serial, though, and I suspect other browsers may as well. I'm not sure beyond that because I haven't had an occasion to test.
Reusing the cert means the old clients will still see the new CA as valid until their local copy expires. But it gives you time to roll out new client files without an abrupt cutover where everyone has to do it all at once.
-
@jimp Thanks! That is what I was looking for.
-
@jimp
After the cert expired yesterday all the systems with the old certificate failed to connect. So renewing a CA and retaining the serial number must not be foolproof. Are there settings in the 2.4.9 client that would preclude this?
Verify Error: error=certificate is not yet valid
OpenSSL: error 1416F086:SSL routines.tls_process_server_certificate:certificate verify failed
Then
Verify Error: error=certificate is expired
-
If the client had the expired CA cert then it would fail.
Renewing the CA and retaining the serial number lets the server run with a new/fresh CA while still allowing old clients to connect for the time being. The clients must still get a new, non-expired copy of the CA before it expires; otherwise they can't validate the server cert once their copy expires.
It's not a magical cure-all; it's a way to have a smoother transition.
The old way, you had to make a new CA and cut off all clients until they updated; this way you can roll out the updated CA over time (until the old one expires).
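To make the behaviour jimp describes concrete, here is an added example (not from this thread or from pfSense) that models it with Go's standard library: a CA is renewed a month before expiry keeping the same key and serial, the server cert is reissued under the renewed CA, and a client that still holds the old CA copy is checked before and after that copy's expiry. The CA name, dates and hostname are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCA self-signs a CA; the renewed CA reuses the same key and serial and only gets new validity dates.
func newCA(key *ecdsa.PrivateKey, notBefore, notAfter time.Time) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example VPN CA"},
		NotBefore: notBefore, NotAfter: notAfter, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	return mustCert(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
}

func mustCert(der []byte, err error) *x509.Certificate {
	if err != nil {
		panic(err) // the templates here are fixed, so this is a programming error, not a runtime condition
	}
	c, _ := x509.ParseCertificate(der) // DER we just produced always parses
	return c
}

// VerifyAt is the client side: a client that trusts only caCopy validates the server cert at time now.
func VerifyAt(server, caCopy *x509.Certificate, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(caCopy)
	_, err := server.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

// Scenario returns the verify result for an old CA copy before expiry, an old copy after, and a fresh copy after.
func Scenario() (oldBefore, oldAfter, freshAfter error) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	srvKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t0 := time.Date(2024, 6, 1, 0, 0, 0, 0, time.UTC)                  // constructed: expiry of the original CA
	oldCA := newCA(caKey, t0.AddDate(-10, 0, 0), t0)                    // the copy still in old client bundles
	freshCA := newCA(caKey, t0.AddDate(0, -1, 0), t0.AddDate(10, 0, 0)) // renewed a month before expiry
	srv := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "vpn.example.test"},
		NotBefore: freshCA.NotBefore, NotAfter: freshCA.NotAfter, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	server := mustCert(x509.CreateCertificate(rand.Reader, srv, freshCA, &srvKey.PublicKey, caKey)) // reissued server cert
	return VerifyAt(server, oldCA, t0.Add(-24*time.Hour)), VerifyAt(server, oldCA, t0.Add(24*time.Hour)), VerifyAt(server, freshCA, t0.Add(24*time.Hour))
}

func main() { fmt.Println(Scenario()) }
```

The first result is nil (old copy still validates the new server cert), the second is an expiry error like the "certificate is expired" seen in the OpenVPN log, and the third is nil again once the client has the fresh copy.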
-
@jimp
I see. That wasn't clear to me 18 days ago when it would have been easier to remediate this.
-
It was in my reply 18 days ago, too.
@jimp said in CA Cert and Server Cert Expiring Soon:
Reusing the cert means the old clients will still see the new CA as valid until their local copy expires. But it gives you time to roll out new client files without an abrupt cutover where everyone has to do it all at once.
-
@jimp
yep. I missed it. Thanks.