Netgate Discussion Forum
    Q: OpenVPN RoadWarrior Certificate Expired , what to do

    bingo600

      Warning: I'm not a certificate guru.

      I have just set up an OpenVPN roadwarrior server, using certificates & internal user auth (user/pass).
      I have made a CRL and assigned it to the OpenVPN server.
      So far all is good.

      I was thinking of making user certificates w. 365 days lifetime, and distributing them with client export.
      And I am expecting the client not to be able to log in after the certificate is expired, correct?

      What happens when the certificate is expired, and I want to re-enable the client for another period?
      Can I just delete the user & client certificate on the server, and recreate them with another 365 days?

      Or must I put the expired certificates on the CRL, even though they have expired?

      I have a feeling the CRL is for invalidating a "working/non-expired certificate", e.g. a stolen PC.
      And that already expired certificates "do no harm".

      Any answers would be appreciated.

      TIA
      /Bingo

      PS: Bonus question.
      If I want to give a vendor client access for, e.g., a week, could I just set the "User Expiration date" a week into the future?
      And then just edit the "User Expiration date" the next time they need another access?
      Provided the certificate is still valid.

      I see that as a better option than trying to remember to set the:
      Client Specific Override -> Connection blocking

      Agree?

      If you find my answer useful - Please give the post a 👍 - "thumbs up"

      pfSense+ 23.05.1 (ZFS)

      QOTOM-Q355G4 Quad Lan.
      CPU : Core i5 5250U, Ram : 8GB Kingston DDR3LV 1600
      LAN : 4 x Intel 211, Disk : 240G SAMSUNG MZ7L3240HCHQ SSD

      jimp (Rebel Alliance Developer, Netgate) @bingo600

        @bingo600 said in Q: OpenVPN RoadWarrior Certificate Expired, what to do:

        I was thinking of making user certificates w. 365 days lifetime, and distributing them with client export.
        And I am expecting the client not to be able to log in after the certificate is expired, correct?

        Correct.

        What happens when the certificate is expired, and I want to re-enable the client for another period?
        Can I just delete the user & client certificate on the server, and recreate them with another 365 days?

        You do not need to delete the user, just create a new certificate for them. On pfSense 2.5.0 you even have the option of renewing the certificate. In either case, deliver the new file(s) to the user (e.g. by exporting a new package for them).

        Or must I put the expired certificates on the CRL, even though they have expired?

        No.

        I have a feeling the CRL is for invalidating a "working/non-expired certificate", e.g. a stolen PC.
        And that already expired certificates "do no harm".

        Correct.

        PS: Bonus question.
        If I want to give a vendor client access for, e.g., a week, could I just set the "User Expiration date" a week into the future?
        And then just edit the "User Expiration date" the next time they need another access?
        Provided the certificate is still valid.

        Yes, you can set the account to expire and they won't be able to log in when it's expired. Though strictly speaking you probably want to set up a VPN for vendors separate from the one for your typical remote access users, to be sure they can be isolated more strictly. So a different CA, server cert, OpenVPN server, etc.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        bingo600

          @jimp

          Thank you for the answers.

          So you suggest to:
          1: Delete the expired certificate
          2: Under User Manager, edit user -> "User Certificates" -> "+Add", create a new certificate with the same CA name?
          That would be easier if working.

          Re:
          Though strictly speaking you probably want to set up a VPN for vendors separate from the one for your typical remote access users, to be sure they can be isolated more strictly. So a different CA, server cert, OpenVPN server, etc.

          I actually made 3 servers: ADM + INT + EXT, and made "interfaces" for all 3.
          All 3 have separate CA roots + server /24.
          That way I can do firewalling based on the client types.
          ADM: TFW access, and almost no rules
          INT: No TFW access, basic rules
          EXT: Strict permit rules, and deny any RFC1918 as last (my site(s) IP space)

          They all have permit any any (Internet access) as the bottom rule.

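          The points made in this thread (an expired certificate fails on its own; the CRL is for certificates still inside their validity window; a renewal is simply a new certificate, with a new serial, under the same CA; and a separate CA per server means an EXT client can never authenticate to the INT server) played out against Go's standard-library crypto/x509, as an added example. This is not pfSense or OpenVPN code and was not posted by anyone in the thread. The CA names, user names, dates and the stolen-laptop story are constructed; the order of checks in verifyClient is the generic TLS one (chain and validity window first, then the CRL), not a transcription of OpenVPN's internals.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// demoCA is a constructed stand-in for one pfSense internal CA (not pfSense code).
type demoCA struct{ cert *x509.Certificate; key *ecdsa.PrivateKey; serial int64 }

func newDemoCA(name string, now time.Time) *demoCA {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return &demoCA{cert: must(x509.ParseCertificate(der)), key: key, serial: 1}
}

// issueUser issues a client certificate valid for `days` from `from`; a renewal is just another issuance with a new serial.
func (ca *demoCA) issueUser(user string, from time.Time, days int) *x509.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	ca.serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(ca.serial), Subject: pkix.Name{CommonName: user},
		NotBefore: from, NotAfter: from.AddDate(0, 0, days),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, ca.cert, &key.PublicKey, ca.key))
	return must(x509.ParseCertificate(der))
}

// crlFor signs a CRL that lists the given certificates as revoked.
func (ca *demoCA) crlFor(now time.Time, revoked ...*x509.Certificate) *x509.RevocationList {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.AddDate(1, 0, 0)}
	for _, c := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: c.SerialNumber, RevocationTime: now})
	}
	der := must(x509.CreateRevocationList(rand.Reader, tmpl, ca.cert, ca.key))
	return must(x509.ParseRevocationList(der))
}

// verifyClient mirrors the server-side order: chain and validity window at `now` first, then the CRL,
// so an expired certificate is rejected before the CRL is ever consulted and never needs listing there.
func verifyClient(ca *x509.Certificate, crl *x509.RevocationList, leaf *x509.Certificate, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return fmt.Errorf("chain/validity: %w", err)
	}
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return fmt.Errorf("crl signature: %w", err)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return fmt.Errorf("revoked: serial %v is on the CRL", leaf.SerialNumber)
		}
	}
	return nil
}

// runScenario plays the thread's cases out on constructed dates; true means the INT server accepts the connection.
func runScenario() map[string]bool {
	t0 := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	intCA, extCA := newDemoCA("demo-INT-CA", t0), newDemoCA("demo-EXT-CA", t0)
	alice, bob := intCA.issueUser("alice", t0, 365), intCA.issueUser("bob", t0, 365)
	vendor := extCA.issueUser("vendor", t0, 365)
	crl := intCA.crlFor(t0.AddDate(0, 0, 30), bob)                  // bob's laptop reported stolen on day 30
	renewed := intCA.issueUser("alice", t0.AddDate(0, 0, 400), 365) // renewal: new certificate, same CA
	ok := func(c *x509.Certificate, dayN int) bool { return verifyClient(intCA.cert, crl, c, t0.AddDate(0, 0, dayN)) == nil }
	return map[string]bool{
		"alice_day100":           ok(alice, 100),   // inside validity window, not revoked
		"alice_day400":           ok(alice, 400),   // expired: rejected without any CRL entry
		"bob_day100":             ok(bob, 100),     // still valid, so only the CRL stops it
		"alice_renewed_day400":   ok(renewed, 400), // renewal restores access
		"vendor_on_int_server":   ok(vendor, 100),  // issued by another CA: never trusted here
		"renewed_serial_differs": renewed.SerialNumber.Cmp(alice.SerialNumber) != 0,
	}
}

func main() { fmt.Println(runScenario()) }
```

          `go run` prints the accepted/rejected map. The instructive rows are alice on day 400 (rejected although nothing was ever added to the CRL) and bob on day 100 (still inside his year, so only the CRL entry stops him); the vendor row shows why the separate CAs matter even before any firewall rule is evaluated.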
          jimp (Rebel Alliance Developer, Netgate) @bingo600

            @bingo600 said in Q: OpenVPN RoadWarrior Certificate Expired, what to do:

            1: Delete the expired certificate
            2: Under User Manager, edit user -> "User Certificates" -> "+Add", create a new certificate with the same CA name?
            That would be easier if working.

            That should be fine.

            Though strictly speaking you probably want to set up a VPN for vendors separate from the one for your typical remote access users, to be sure they can be isolated more strictly. So a different CA, server cert, OpenVPN server, etc.

            I actually made 3 servers: ADM + INT + EXT, and made "interfaces" for all 3.
            All 3 have separate CA roots + server /24.
            That way I can do firewalling based on the client types.

            Sounds good.

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.