OpenVPN renew CA and Server cert without renewing client certs?
-
Version: 2.5.2-RELEASE
My CA and OpenVPN certs expired few days ago.
I renewed those, restarted OpenVPN servers,
I did not renew client certs since those are valid until 2031. But I was not able to connect to the server. I had this error
TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
After I renewed user cert as well I was able to connect to OpenVPN.
Questions are:
- Do I really need to renew the cert for all clients even if they are not expired?
- Is there any way to renew all certs in place, without any changes on client side?
This is an example of an exported client config:

dev tun
persist-tun
persist-key
ncp-disable
cipher AES-256-CBC
auth SHA256
tls-client
client
resolv-retry infinite
remote vpn.xxx.io 1195 udp4
lport 0
verify-x509-name "xxx VPN server" name
auth-user-pass
remote-cert-tls server
explicit-exit-notify
<ca>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
xxx
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
xxx
-----END PRIVATE KEY-----
</key>
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
xxx
-----END OpenVPN Static key V1-----
</tls-auth>
-
@coyotekg The client certs use the CA as the issuer just like the server certs do so yes, you would need to change them.
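To see the issuer relationship the reply describes, here is an added lab script (not from the thread or from pfSense) that builds a throwaway CA and a long-lived client cert, embeds them in an inline .ovpn like the one above, then renews the CA once reusing the CA key and once with a fresh key, and checks whether the old client cert still chains to each result. It assumes openssl is on PATH; all file names and subjects are constructed.

```shell
#!/bin/sh
# Constructed lab, not from the thread: build a CA plus a long-lived client cert,
# embed both in an inline .ovpn like the exported one, then "renew" the CA two ways
# and check whether the existing client cert still chains to the result.
# Assumes openssl on PATH; everything is written to a scratch directory.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_ca() {  # make_ca <out.crt> <ca.key>  (key is generated if absent)
  [ -f "$2" ] || openssl genrsa -out "$2" 2048 2>/dev/null
  openssl req -x509 -new -key "$2" -out "$1" -days 365 \
    -subj "/CN=Lab OpenVPN CA" 2>/dev/null
}

make_client() {  # make_client <ca.crt> <ca.key> <out.crt>; 10 years like the thread's 2031 certs
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/client.key" \
    -out "$WORK/client.csr" -subj "/CN=alice" 2>/dev/null
  openssl x509 -req -in "$WORK/client.csr" -CA "$1" -CAkey "$2" \
    -CAcreateserial -out "$3" -days 3650 2>/dev/null
}

write_ovpn() {  # write_ovpn <ca.crt> <client.crt> <out.ovpn>: inline <ca>/<cert> blocks
  { echo client; echo "dev tun"; echo "remote-cert-tls server"
    echo "<ca>"; cat "$1"; echo "</ca>"
    echo "<cert>"; cat "$2"; echo "</cert>"; } > "$3"
}

extract_block() {  # extract_block <file.ovpn> <tag>: PEM between <tag> and </tag>
  sed -n "/^<$2>/,/^<\/$2>/p" "$1" | sed '1d;$d'
}

client_chains_to() {  # client_chains_to <file.ovpn> <ca.crt>: prints ok or FAIL
  extract_block "$1" cert > "$WORK/check.crt"
  if openssl verify -CAfile "$2" "$WORK/check.crt" >/dev/null 2>&1; then echo ok; else echo FAIL; fi
}

make_ca "$WORK/ca.crt" "$WORK/ca.key"
make_client "$WORK/ca.crt" "$WORK/ca.key" "$WORK/client.crt"
write_ovpn "$WORK/ca.crt" "$WORK/client.crt" "$WORK/client.ovpn"
make_ca "$WORK/ca-samekey.crt" "$WORK/ca.key"     # renewed: same key pair and subject
make_ca "$WORK/ca-newkey.crt" "$WORK/new-ca.key"  # replaced: fresh key pair
echo "original CA:       $(client_chains_to "$WORK/client.ovpn" "$WORK/ca.crt")"
echo "renewed, same key: $(client_chains_to "$WORK/client.ovpn" "$WORK/ca-samekey.crt")"
echo "renewed, new key:  $(client_chains_to "$WORK/client.ovpn" "$WORK/ca-newkey.crt")"
```

Even in the same-key case the client's `<ca>` block still has to be replaced with the renewed CA certificate, because an expired trust anchor cannot validate the server's new certificate and the handshake fails with the same TLS key negotiation error.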
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.