SSL generation
-
As part of covid I helped setup a lot of pfsense boxes for VPN for a many small businesses. The problem is that we have SSL's starting to expire all over the place now. What I would ideally like to do is have the system create a new SSL so we can semi-automate the process of updating the internally generated SSL.
What are some reasonable approaches to this?
I know I can easily create a cron job to regenerate a new SSL every 12 months, and I could probably script the replacement to the VPN stack and hub the process, but I wanted to look at some proper approached for automation (if there is such a thing).
Sadly a stack of certs expired last week while I would offsite so a few groups were down during that period.
-
You are talking about the webgui server cert?
OpenVPN cert?
You can use ACME for both and keep them updated. You usually wouldn't want that for OpenVPN though. Better to just create a CA and cert with a longer lifetime that you control.
Steve
-
@stephenw10 said in SSL generation:
cert with a longer lifetime that you control.
Exactly openvpn does not care if the cert has a 10 year life.. There is little reason to change these certs for the sake of changing them, unless you feel they have been compromised. If so just revoke them and issue new.
Or change them out on a schedule you come up with, but don't have to worry about if the schedule gets pushed here or there because its going to expire, etc.
