CA cert renew
-
Hi.
In the GUI I have the option to renew the CA cert. But I can't select for how long; it takes the current validity period and just uses that. How can I renew the CA cert with the same key and serial but for 20 years?
Thanks!
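The operation the question asks about (a new validity window, same subject, same private key, same serial) can be done outside the GUI with the OpenSSL command line. The script below is an added example, not part of the thread and not pfSense's own renewal code; it assumes the `openssl` tool is installed, and the file names and the sample CA it builds are constructed for the demo. It re-signs the existing CA certificate with its own key, pins the serial to the old one, and then checks that the public key really is unchanged, which is what keeps already-issued client certificates verifying against the renewed CA.

```shell
#!/bin/sh
# Added example (not from the forum thread or from pfSense): re-sign an
# existing CA certificate with its own private key so that the subject,
# public key and serial number stay the same and only the validity window
# changes. Assumes the OpenSSL command-line tool; file names are placeholders.
set -eu

# Print a certificate's serial number as hex (value of the "serial=" line only).
cert_serial() {
  openssl x509 -in "$1" -noout -serial | cut -d= -f2
}

# Renew: $1 = current CA cert, $2 = its private key, $3 = days, $4 = output.
# -signkey re-signs the input cert with the supplied key (issuer = subject);
# -set_serial pins the serial to the old value instead of relying on defaults.
renew_ca_cert() {
  crt=$1; key=$2; days=$3; out=$4
  serial=$(cert_serial "$crt")
  openssl x509 -in "$crt" -signkey "$key" -days "$days" \
    -set_serial "0x$serial" -out "$out"
}

# Succeeds only if the certificate's public key matches this private key file.
# Existing client certs keep validating against the renewed CA only if this holds.
ca_key_matches() {
  a=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  b=$(openssl pkey -in "$2" -pubout | openssl sha256)
  [ "$a" = "$b" ]
}

# Constructed sample CA (throwaway key, 1-year validity) so the demo runs offline.
make_sample_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/ca.key" \
    -out "$1/ca.crt" -days 365 -subj "/CN=Example OpenVPN CA" \
    -set_serial 0x1234 2>/dev/null
}

# Demo: build the sample CA, renew it for 7300 days, and show the result.
demo_renew() {
  d=$(mktemp -d)
  make_sample_ca "$d"
  renew_ca_cert "$d/ca.crt" "$d/ca.key" 7300 "$d/ca-renewed.crt"
  echo "old serial: $(cert_serial "$d/ca.crt")  new serial: $(cert_serial "$d/ca-renewed.crt")"
  if ca_key_matches "$d/ca-renewed.crt" "$d/ca.key"; then
    echo "public key unchanged"
  fi
  openssl x509 -in "$d/ca-renewed.crt" -noout -subject -dates
  rm -rf "$d"
}

if [ "${1:-}" = "--demo" ]; then
  demo_renew
fi
```

Run it as `sh renew-ca.sh --demo` (the file name is an assumption) to see the old and new serial, the key check and the new dates. For a real CA, call `renew_ca_cert` on the exported CA certificate and key instead of the sample, then compare the old and renewed certificate with `openssl x509 -noout -text` before installing anything. Because the chain is verified with the CA certificate each client holds, the renewed CA cert still has to be pushed to every client (embedded `<ca>` block or separate file) before the old one expires; the gain is that no client or server certificate needs to be reissued, since they were signed with the same key.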
-
Can't tell why you can't change most of the CA details when you renew.
Maybe renewal renews with most or all of the details identical. But what about creating a new one?
Afterwards, base a new cert on this CA, use it wherever you need it and call it a day ... no ... 7300 days. Btw, more thoughts: do browsers accept certs that are valid that long? It goes, imho, against security lines.
-
@Gertjan
This is for OpenVPN... We have like 400+ clients on PC, Mac, Android and iPhones and I really don't want to do this change every 10 years...
-
I was hoping that you wouldn't add that detail: "a main OpenVPN cert and loads of user access certs based upon it" ^^
@maverick_slo said in CA cert renew:
and I really don't want to do this change every 10 years...
Euh lol, 4 times in your admin career is too much?
Don't worry, I guess that over that time span "OpenVPN" is something of the past, and you already had to set up another type of VPN several times, for the 'known' (that I can imagine today) reasons: major bugs, security flaws, trends, Netgate ditching it because it is not open source anymore, etc etc.
-
Umm, what?
OpenVPN is being ditched by Netgate? OpenVPN is not open source?
Major bugs and security flaws? What? Are you high right now?
-
Nope.
I said: I can imagine, and gave some examples. Only had a coffee or two this morning.
Look at what has changed over the last 10 years.
Chances are that things keep on changing. Our VPN needs will change also. Another example: 4096-bit CA/certs will do the job nicely today. It's secure enough. Then a major AI / quantum technology breakthrough will make this "4096" encryption way too dangerous.
Like: "RSA" will fade away, it must be "ECDSA" or whatever will be invented in the near future.
Your bet is: this won't happen in the next 10++ years.
And I hope you're right, but I won't place any bets on it though. The contrary will probably happen, as this is what the past told me.
@maverick_slo said in CA cert renew:
Openvpn is being ditched by Netgate?
Like this: OpenVPN is open source today. Like MySQL was in the past, and Javascript.
Then it gets sold to some company, and now it needs to get monetized = you have to pay for it.
In that case "OpenVPN" will most probably lose its place in a product like pfSense. Your 10+ year scale is, for me, a huge time scale when you deal with security software.
edit: but we're getting off topic here.
Your question isn't that special actually. I'm pretty sure it has been asked before.
Dig (search) into this forum, and you will find equivalent questions and more meaningful answers.