Certificate Authority: Local CA Expiring soon
-
Hi,
I have never used pfSense before or even had much to do with network administration and yesterday my boss said I need to fix our CA certificate.
He gave me credentials to log into our pfSense server. And I see these alerts:
The following CA/Certificate entries are expiring:
Certificate Authority: Local CA (x14a2b134bxyz): Expiring soon, in 16 days
Certificate: VPN Server (5x4a2cae92xyz): Expiring soon, in 16 days
Certificate: xiergem (x14a2ce07exyz): Expiring soon, in 16 days
Certificate: zzreen (5x4a2cfa2xyz): Expiring soon, in 16 days
@ 2023-03-02 03:01:00
I figure I need to do something in the 'System > Certificate Manager > CAs' screen ...
(I cannot upload a screenshot for some reason.) But on that screen I see this text:
Local CA self-signed 103 emailAddress=xxxxikov@exxxample.com, ST=California, O=My, Inc, L=San Somewhere, CN=internal-ca, C=US Valid From: Wed, 20 Mar 2013 14:33:07 -0700 Valid Until: Sat, 18 Mar 2023 14:33:07 -0700 OpenVPN Server
and there are Action icons: Edit, Export CA, Export key and Reissue/Renew.
I asked my boss, "Well, should I click the Reissue/Renew button?" and he said I should read pfsense.org and google "How CA works and what are intermediate certificates". Well, I did all that and still I haven't a clue what I am to do. Please help?
-
Nice boss, consider replacing him (or look for another job).
At my pfSense I just clicked to reissue/renew and all was fine.
You need to install the new certificates at the referring servers.
The "how-to" depends on the OS of the servers.
Regards
Edit: Just looked it up in my pfSense (I am not running an OpenVPN server), but when opening the configuration page for OpenVPN, in the lower part you can select the certificate.
Because the certificate is already prolonged, as far as I know you are done.
Don't know what the other two certificates (xiergem/zzreen) are used for...?
-
If it was just the server cert you could simply reissue it but you can't do that with the CA.
Usually the server cert is valid for ~1 year but the CA is usually valid for 10 years for this reason.
Is this install ~10 years old?
You will have to create a new CA and issue new certs against it. Unfortunately that means updating the client certs also. Which can be a PITA!
Ignore that!
Steve
-
Ooops? CA certificate can't be re-issued?
Good to know, but mine is still valid until 2030.
The 1st screenshot shows that the CA certificate was created in 2013, so time is running.
Regards
Edit: But CA certificate has a reissue/renew option as well!?
-
Ah, you know what, I could be confusing that with the case where you don't have the key.
Not enough coffee! Let me check....
-
Yeah ignore that! Just reissue it. Assuming you have the key which you should if it was created on that box.
-
@stephenw10 Yep, it's 10 years old.