Q: OpenVPN RoadWarrior Certificate Expired , what to do



  • Warning: I'm not a certificate guru.

    I have just set up an OpenVPN roadwarrior server , using Certificates & internal user auth (user/pass)
    I have made a CRL and assigned it to the OpenVPN server.
    So far all is good.

    I was thinking of making user certificates w. 365 days lifetime , and distribute them with client export.
    And i am expecting the client not to be able to login after the certificate is expired , correct ?

    What happens when the certificate is expired , and i want to reenable the client for another period ?
    Can i just delete the user & client certificate on the server , and recreate them with another 365 days ?

    Or must i put the expired certificates on the CRL , even though they have expired ?

    I have a feeling the CRL is for invalidating a "working/non expired certificate" , ie. a stolen PC.
    And that already expired certificates "do no harm"

    Any answers would be appreciated

    TIA
    /Bingo

    Ps: Bonus Question.
    If i want to give a vendor client access for ie. a week , could i just set the "User Expiration date" a week into the future ?
    And then just edit the "User Expiration date" , the next time they need another access ?
    Provided the Certificate is still valid.

    I see that as a better option than trying to remember to set the :
    Client Specific Override -> Connection blocking

    Agree ?


  • Rebel Alliance Developer Netgate

    @bingo600 said in Q: OpenVPN RoadWarrior Certificate Expired , what to do:

    I was thinking of making user certificates w. 365 days lifetime , and distribute them with client export.
    And i am expecting the client not to be able to login after the certificate is expired , correct ?

    Correct

    What happens when the certificate is expired , and i want to reenable the client for another period ?
    Can i just delete the user & client certificate on the server , and recreate them with another 365 days ?

    You do not need to delete the user, just create a new certificate for them. On pfSense 2.5.0 you even have the option of renewing the certificate. In either case, deliver the new file(s) to the user (e.g. by exporting a new package for them).

    Or must i put the expired certificates on the CRL , even though they have expired ?

    No

    I have a feeling the CRL is for invalidating a "working/non expired certificate" , ie. a stolen PC.
    And that already expired certificates "do no harm"

    Correct

    Ps: Bonus Question.
    If i want to give a vendor client access for ie. a week , could i just set the "User Expiration date" a week into the future ?
    And then just edit the "User Expiration date" , the next time they need another access ?
    Provided the Certificate is still valid.

    Yes, you can set the account to expire and they won't be able to login when it's expired. Though strictly speaking you probably want to setup a separate VPN for vendors than for your typical remote access users, to be sure they can be isolated more strictly. So a different CA, server cert, OpenVPN server, etc.



  • @jimp

    Thank you for the answers.

    So you suggest to :
    1: Delete the expired certificate
    2: Under user manager , edit user -> "User Cartificates" -> "+Add" , create a new certificate with the same CA name ?
    That would be easier if working.

    Re:
    Though strictly speaking you probably want to setup a separate VPN for vendors than for your typical remote access users, to be sure they can be isolated more strictly. So a different CA, server cert, OpenVPN server, etc.
    

    I actually made 3 servers : ADM + INT + EXT , and made "interfaces" for all 3.
    All 3 have separate CA-Roots + Server /24.
    That way i can do firewalling based on the Client types.
    ADM: TFW access , and almost no rules
    INT : No TFW access , basic rules
    EXT : Strict permit rules , and deny any RFC1918 as last (My site(s) IP space)

    They all have permit any any (Internet access) as the bottom rule.


  • Rebel Alliance Developer Netgate

    @bingo600 said in Q: OpenVPN RoadWarrior Certificate Expired , what to do:

    1: Delete the expired certificate
    2: Under user manager , edit user -> "User Cartificates" -> "+Add" , create a new certificate with the same CA name ?
    That would be easier if working.

    That should be fine

    Though strictly speaking you probably want to setup a separate VPN for vendors than for your typical remote access users, to be sure they can be isolated more strictly. So a different CA, server cert, OpenVPN server, etc.

    I actually made 3 servers : ADM + INT + EXT , and made "interfaces" for all 3.
    All 3 have separate CA-Roots + Server /24.
    That way i can do firewalling based on the Client types.

    Sounds good


Log in to reply