Renewal of internal CA
-
I have a CA created on pfSense and the certificates are used for our OpenVPN. The VPN clients use client certificates issued by our pfSense CA so that they can be authorized access onto the VPN. So when I renew the CA cert on the pfSense server, I will also need to deploy a copy of the public key to all the clients then, right? Is there a recommended migration process so clients don't lose access all at once?
-
One way to do this is just to create a second server instance with a new CA and certs and move clients over to it in stages. Limits exposure to any errors.
It's possible to add additional CA certs to clients so they can accept new server certs but there's no easy way to do that. I would choose to move clients to a new server if you can.
Steve
-
I just recently did this - now mind you I only have a handful of devices..
I still had a few years left out of the 10 years on my CA, and server cert, etc.. But in another thread about openvpn I got reminded that my certs were using old RSA stuff.. So I updated everything to ecdsa..
But yeah @stephenw10 has the right path - fire up a new instance.. And migrate your clients over to the new instance using the new CA and certs.. This way you can do a few clients at a time, and can always fall back to the old instance. Once you're all migrated you can kill off the old instance..
But the migration really should be as simple as just changing the certs used on the instance you fire up, and then getting the clients the new certs.. Which is the hard part, especially if you have lots and lots of clients.