Netgate Discussion Forum

    reissue of CA unexpectedly changes private key

    General pfSense Questions
    • dneuhaeuser

      Hello,

      I am running pfSense 2.5.1 and have a Certificate CA (used for OpenVPN) which will expire in a few weeks.
      I tried the new reissue function: I left "reuse key" active and did NOT activate "strict security".

      To my surprise after this the CA has a new private key!

      OpenVPN therefore does not recognize the CA anymore:

      OpenSSL: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
      VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: C=DE, ST=NRW, L=xxx, O=yyy, emailAddress=abc@xyz.de, CN=MyCA, serial=0
      

      Why isn't the existing key reused for the new CA?
      What am I missing here?

      Regards
      Dennis

      • AKEGEC @dneuhaeuser

        @dneuhaeuser it's difficult to see what happened. Once my client had a cert changed and the culprit was a compromised ISP modem.
        Are there any request messages from unknown/strange local ip addresses in your firewall log?

        • dneuhaeuser @AKEGEC

          @akegec said in reissue of CA unexpectedly changes private key:

          @dneuhaeuser it's difficult to see what happened. Once my client had a cert changed and the culprit was a compromised ISP modem.
          Are there any request messages from unknown/strange local ip addresses in your firewall log?

          No, it's a pure certificate problem.

          • jimp (Rebel Alliance Developer, Netgate)

            I just tried that on a VM here and when I renewed the CA, only its certificate changed, not the private key.

            Are you certain the private key changed?

            The clients will still need a copy of the new OpenVPN CA, even if the key stayed the same, since their own local copy will no longer match.

            Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

            Need help fast? Netgate Global Support!

            Do not Chat/PM for help!
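            A way to settle jimp's question ("Are you certain the private key changed?") objectively, added here as an example and not taken from the thread: compare the public key embedded in the old and renewed CA certificates against the public key derived from the private key, using the PEM files exported from pfSense. It assumes the openssl command-line tool is installed; the CA material below is constructed inline to stand in for the real exports.

```shell
#!/bin/sh
# Added example: detect whether a CA renewal really kept the old private key.
# Compares SHA-256 digests of the DER-encoded public keys, so a changed key
# shows up as a different digest even when the subject/CN stays identical.
set -eu

# Digest of the public key contained in a PEM certificate.
cert_pubkey_digest() {
    openssl x509 -in "$1" -noout -pubkey \
      | openssl pkey -pubin -outform DER \
      | openssl dgst -sha256 | awk '{print $NF}'
}

# Digest of the public key derived from a PEM private key.
key_pubkey_digest() {
    openssl pkey -in "$1" -pubout -outform DER \
      | openssl dgst -sha256 | awk '{print $NF}'
}

# Succeeds only if the certificate belongs to the given private key.
cert_matches_key() {
    [ "$(cert_pubkey_digest "$1")" = "$(key_pubkey_digest "$2")" ]
}

# Constructed scenario (hypothetical files, not from the thread): the expiring
# CA, a renewal that reuses its key, and a renewal that silently made a new key.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cd "$demo_dir"
openssl req -new -x509 -newkey rsa:2048 -nodes -keyout old.key -out old.crt \
    -days 1 -subj "/CN=MyCA" 2>/dev/null
openssl req -new -x509 -key old.key -out renewed_same.crt \
    -days 365 -subj "/CN=MyCA" 2>/dev/null
openssl req -new -x509 -newkey rsa:2048 -nodes -keyout new.key -out renewed_new.crt \
    -days 365 -subj "/CN=MyCA" 2>/dev/null

# Report: a renewed CA whose key digest differs from old.key will fail
# verification on every client that still trusts the old CA file.
for crt in renewed_same.crt renewed_new.crt; do
    if cert_matches_key "$crt" old.key; then
        echo "$crt: same private key as the old CA (clients only need the new cert)"
    else
        echo "$crt: PRIVATE KEY CHANGED (clients will see 'certificate verify failed')"
    fi
done
```

The same two functions work on the exported `.crt` and `.key` files of a real pfSense CA; a matching digest before and after the reissue means "reuse key" did what it says.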

            • dneuhaeuser @jimp

              I had the wrong understanding that with a reissue I would not need to copy the CA to all clients again.
              When compared, the key really looked different before/after the reissue.
              But now it is clear that this is not the root problem.

              What would be the best practice when you have 40 OpenVPN clients that you cannot reconfigure in a "big-bang"?
              New additional OpenVPN Server with new set of CA and Certs?

              • jimp (Rebel Alliance Developer, Netgate)

                You don't really have a choice there if the CA changes.

                You don't need to adjust the clients if the server cert changes (even the key) so long as it uses the same CA, perhaps that's what you were thinking of.

                There may be some song-and-dance you can do with an intermediate cert but if the root expires, clients still need to know about the new root.

                Browsers solve this by stuffing the new root CAs in various updates as they go, VPN clients have to do the same. Users should be conditioned to be periodically updating their VPN client software anyhow. OpenVPN frequently has updates for security and other issues.

                There won't be a real "fire and forget" setup where you can get away with never updating the client, especially with OpenVPN.

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.