OpenVPN renew CA and Server cert without renewing client certs?
-
Version: 2.5.2-RELEASE
My CA and OpenVPN certs expired a few days ago.
I renewed those and restarted the OpenVPN servers.
I did not renew the client certs, since those are valid until 2031. But I was not able to connect to the server. I had this error:
TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
After I renewed the user cert as well, I was able to connect to OpenVPN.
Questions are:
- Do I really need to renew the cert for all clients even if they are not expired?
- Is there any way to renew all certs in place, without any changes on the client side?
This is an example of the exported client conf:
dev tun
persist-tun
persist-key
ncp-disable
cipher AES-256-CBC
auth SHA256
tls-client
client
resolv-retry infinite
remote vpn.xxx.io 1195 udp4
lport 0
verify-x509-name "xxx VPN server" name
auth-user-pass
remote-cert-tls server
explicit-exit-notify
<ca>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
xxx
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
xxx
-----END PRIVATE KEY-----
</key>
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
xxx
-----END OpenVPN Static key V1-----
</tls-auth>
-
@coyotekg The client certs use the CA as the issuer just like the server certs do, so yes, you would need to change them.
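The check behind the answer above, as an added example that is not part of this thread and not pfSense or OpenVPN code: a throwaway PKI built with the openssl CLI (names "Demo CA" and "client1" are constructed for the demo) shows why a still-valid client cert stops working when the CA expires, and that whether a renewed CA cert keeps accepting the old client certs depends on one thing, whether the renewal reused the CA's private key or generated a new one. The example does not assume which of the two your pfSense renewal did; the `-attime` option lets `openssl verify` evaluate the chain at a future timestamp, here two days out, after the constructed 1-day CA cert has expired.

```shell
#!/bin/sh
# Added example, not from the thread. Requires the openssl CLI. Builds a throwaway
# PKI in a temp dir and checks a long-lived client cert against three CA certs.
set -eu
WORK=$(mktemp -d)
NOW=$(date +%s)
AFTER_EXPIRY=$((NOW + 2 * 86400))   # two days from now: past the 1-day CA validity below

# 1. Original CA (deliberately short-lived) and a client cert valid for ~10 years.
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
  -out "$WORK/ca_old.crt" -days 1 -subj "/CN=Demo CA" 2>/dev/null
openssl req -newkey rsa:2048 -nodes -keyout "$WORK/client.key" \
  -out "$WORK/client.csr" -subj "/CN=client1" 2>/dev/null
openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca_old.crt" -CAkey "$WORK/ca.key" \
  -CAcreateserial -out "$WORK/client.crt" -days 3650 2>/dev/null

# 2a. "Renew" the CA: new self-signed CA cert, same subject, SAME private key.
openssl req -x509 -new -key "$WORK/ca.key" \
  -out "$WORK/ca_renewed_samekey.crt" -days 365 -subj "/CN=Demo CA" 2>/dev/null
# 2b. "Renew" the CA: same subject, but a freshly generated key pair.
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca_new.key" \
  -out "$WORK/ca_renewed_newkey.crt" -days 365 -subj "/CN=Demo CA" 2>/dev/null

# Does client.crt chain to CA cert $1 when verified as of epoch time $2?
# Exit status 0 = chain verifies, non-zero = OpenVPN's TLS verify would reject it.
verify_at() {
  openssl verify -attime "$2" -CAfile "$1" "$WORK/client.crt" >/dev/null 2>&1
}

# Public-key fingerprint of a cert, to see which CA certs share a key.
pubkey_fingerprint() {
  openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256
}

for ca in ca_old.crt ca_renewed_samekey.crt ca_renewed_newkey.crt; do
  if verify_at "$WORK/$ca" "$AFTER_EXPIRY"; then
    echo "$ca: client cert chains OK after the old CA's expiry"
  else
    echo "$ca: client cert verification FAILS after the old CA's expiry"
  fi
  echo "  CA public key: $(pubkey_fingerprint "$WORK/$ca")"
done
```

The old CA cert fails only because of its own expiry (the same check passes at `$NOW`), the same-key renewal passes because the client cert's signature still verifies under that key, and the new-key renewal fails regardless of dates. Whichever case applies, the client still needs the renewed CA cert in its `<ca>` block, since OpenSSL also checks the trust anchor's validity period when the client verifies the server.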