Audit OpenVPN and Cert Manager settings
-
Recently, I have been reading much about SHA1 being removed from browsers. Does this mean I should look at how my OpenVPN certificates were created?
Which leads to my next question.
It has been some time since I created a certificate authority and certs in pfSense and OpenVPN. Is there a way to determine how a certificate was created to audit the process that happened some number of years ago? If I need to recreate a CA and certs, how would you recommend doing it?
Today, December 2015, what settings would generally be considered "safe" for a 10 year certificate?
Thanks!
-
pfSense has defaulted to SHA256 for a while now, so depending on when your certificates were created you may not have any worries. SHA1 being removed from browsers won't have any impact on OpenVPN, though it's as good a time as any to check and fix problems there. It would also be a good time to change the hash on the OpenVPN server itself away from SHA1.
We don't have an easy way to view that in the GUI, but if you download your cert and run it through OpenSSL you can find that info easily:
openssl x509 -in blah.crt -text -noout
It will print out the attributes of the certificate including the hash algorithm.
The only problem people might have using something better than SHA1 is with older clients or special clients like Yealink and SNOM handsets that use OpenVPN. Last I knew they did not handle anything other than SHA1, hopefully they have a firmware update that fixes that.
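The openssl check above, turned into a small audit script, as an added example that is not part of the reply or of pfSense itself: it reads the `-text` output of `openssl x509` and flags a SHA1/MD5 signature hash or an RSA key shorter than 2048 bits. The two sample excerpts are constructed, not real certificates, and the thresholds are this example's assumptions.

```shell
#!/bin/sh
# Added example (not pfSense or OpenVPN project code): audit the text form of a
# certificate, as produced by `openssl x509 -in cert.crt -text -noout`.
# audit_cert_text reads that text on stdin and prints one verdict line:
#   <OK|WEAK-HASH|UNKNOWN>[,SHORT-KEY] <signature algorithm> <key bits>
# audit_cert_file wraps it around openssl for a certificate exported from pfSense.

audit_cert_text() {
    awk '
        # the first "Signature Algorithm:" line is the one inside tbsCertificate
        /Signature Algorithm:/ && sig == "" { sig = $3 }
        /Public Key Algorithm:/ { rsa = ($NF == "rsaEncryption") }
        # "Public-Key: (2048 bit)"; the digits sit between "(" and " bit)"
        /Public-Key:/ && match($0, /\([0-9]+ bit\)/) {
            bits = substr($0, RSTART + 1, RLENGTH - 6)
        }
        END {
            verdict = "OK"
            if (sig == "")                       verdict = "UNKNOWN"
            else if (tolower(sig) ~ /sha1|md5|md2/) verdict = "WEAK-HASH"
            # key-size threshold (2048-bit RSA) is an assumption of this example
            if (rsa && bits != "" && bits + 0 < 2048) verdict = verdict ",SHORT-KEY"
            print verdict, sig, bits
        }'
}

audit_cert_file() {
    openssl x509 -in "$1" -text -noout | audit_cert_text
}

# Constructed sample excerpts of openssl output (not real certificates).
OLD_CERT_TEXT='Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: sha1WithRSAEncryption
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
    Signature Algorithm: sha1WithRSAEncryption'

NEW_CERT_TEXT='Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: sha256WithRSAEncryption
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
    Signature Algorithm: sha256WithRSAEncryption'

printf '%s\n' "$OLD_CERT_TEXT" | audit_cert_text   # WEAK-HASH,SHORT-KEY sha1WithRSAEncryption 1024
printf '%s\n' "$NEW_CERT_TEXT" | audit_cert_text   # OK sha256WithRSAEncryption 2048
```

Run `audit_cert_file client.crt` on each certificate exported from the pfSense Cert Manager; anything reported as WEAK-HASH is a candidate for reissue under a SHA256 CA.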
-
So would the following be a good secure way to issue new certs with minimal disruption?
Create another Certificate Authority.
Ensure the values are correct for my needs and today's standards. <– I need to research guidance on this.
Issue Certs for my clients.
Deploy them one at a time when we have the machine in for maintenance.
Then using the CRL turn off that old cert and eventually remove the entire list of Certs and old CA.