CA Cert and Server Cert Expiring Soon
-
Hello everyone,
I am relatively new to OpenVPN but the company I work for has been using it for years. We are on version 2.4.5 release p1. Initially certs were created for 10 years and now they are expiring next month. I have 2 users who are remote and can't bring their laptops to the office.
Can I renew the CA cert or do I have to create a new CA cert? If I go with a new CA cert I will have to redo all the client and server certs.
Will I be able to upgrade these certs without breaking the VPN for remote users? Thank you for your help!
-
@actionq26 You can't renew them; they need to be created as new. Are you using pfSense self-signed certs? Easy to recreate them if so.
The remote laptops will have to use the new certs so they won't have access until they update, but you can either have them use the export utility or just update their configs with the new certs if they know how.
-
@actionq26 Take a look at: https://docs.netgate.com/pfsense/en/latest/certificates/renew.html
"...OpenVPN is OK with reusing the serial number on a CA when renewing."
Though you will need to give out the new cert.
-
@steveits said in CA Cert and Server Cert Expiring Soon:
https://docs.netgate.com/pfsense/en/latest/certificates/renew.html
Learn something new every day.
-
@steveits said in CA Cert and Server Cert Expiring Soon:
https://docs.netgate.com/pfsense/en/latest/certificates/renew.html
OP is on 2.4.5.
Weren't the Renew GUI goodies added in 2.5 or even 2.6?
/Bingo
-
@bingo600 said in CA Cert and Server Cert Expiring Soon:
Weren't the Renew GUI goodies added in 2.5 or even 2.6?
For the serial number? I think you're right, I seem to recall seeing that in a post or redmine or something not that long ago.
-
In the documentation it says, "Retaining the serial when renewing a CA allows existing certificates to remain valid, though some clients may not respect the new CA if the serial does not change."
https://docs.netgate.com/pfsense/en/latest/certificates/renew.html
Does anybody have a list or partial list of "some clients" that do not respect the new CA with the same serial number? Is the Windows TAP adapter one of the clients? How about the OpenVPN tunnel clients?
Thanks!
-
@jc2it said in CA Cert and Server Cert Expiring Soon:
Does anybody have a list or partial list of "some clients" that do not respect the new CA with the same serial number? Is the Windows TAP adapter one of the clients? How about the OpenVPN tunnel clients?
OpenVPN is fine there, so you shouldn't have to worry about that. I know for sure that Firefox has a problem with reusing the serial, though, and I suspect other browsers may as well. I'm not sure beyond that because I haven't had an occasion to test.
Reusing the cert means the old clients will still see the new CA as valid until their local copy expires. But it gives you time to roll out new client files without an abrupt cutover where everyone has to do it all at once.
-
@jimp Thanks! That is what I was looking for.
-
@jimp
After the cert expired yesterday all the systems with the old certificate failed to connect. So renewing a CA and retaining the serial number must not be foolproof. Are there settings in the 2.4.9 client that would preclude this?
Verify Error: error=certificate is not yet valid
OpenSSL: error 1416F086:SSL routines.tls_process_server_certificate:certificate verify failed
Then
Verify Error: error=certificate is expired
-
If the client had the expired CA cert then it would fail.
Renewing the CA and retaining the serial number lets the server run with a new/fresh CA while still allowing old clients to connect for the time being. The clients must still get a new non-expired copy of the CA before it expires otherwise they can't validate the server cert when it expires.
It's not a magical cure-all, it's a way to have a smoother transition.
The old way, you had to make a new CA and cut off all clients until they updated; this way, you can roll out the updated CA over time (until the old one expires).
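The renew-and-keep-serial behaviour described in the reply above (renewed CA with the same key, subject and serial; clients holding the old copy keep validating the server until that copy's own end date), as an added Go example that is not part of this thread. The CA name, server name, serial numbers and lifetimes are constructed, and Go's crypto/x509 chain verification stands in for OpenVPN's TLS verify step.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func mkCert(tmpl, parent *x509.Certificate, pub, priv any) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der)
	return c
}

// BuildLab mints a constructed set of certs with ONE CA key pair, the way a
// "renew CA, keep serial" does: the renewed CA differs from the original only
// in its validity dates. The server cert is signed after the renewal.
func BuildLab() (oldCA, newCA, server *x509.Certificate, issued time.Time) {
	now := time.Now()
	caKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	srvKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	caCert := func(days int) *x509.Certificate { // self-signed; serial 1 is reused on renewal
		t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example VPN CA"},
			NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(0, 0, days),
			IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
		return mkCert(t, t, &caKey.PublicKey, caKey)
	}
	oldCA, newCA = caCert(100), caCert(3650) // original: 100 days left; renewed: 10 years
	srv := &x509.Certificate{SerialNumber: big.NewInt(1000), Subject: pkix.Name{CommonName: "vpn.example.test"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(0, 0, 365), KeyUsage: x509.KeyUsageDigitalSignature}
	return oldCA, newCA, mkCert(srv, newCA, &srvKey.PublicKey, caKey), now
}

// ClientAccepts mimics a client whose only trusted CA copy is ca, verifying the
// server cert at time t. nil means the verify step passes; once t is past the
// old copy's NotAfter the error reports the CA as expired, which is the failure
// the thread hit after the original CA's end date passed.
func ClientAccepts(ca, server *x509.Certificate, t time.Time) error {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_, err := server.Verify(x509.VerifyOptions{Roots: pool, CurrentTime: t})
	return err
}
```

Checking at day 0 and at day 200 shows both CA copies accepting the server cert first, and only the renewed copy still accepting it once the original copy has expired.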
-
@jimp
I see. That wasn't clear to me 18 days ago when it would have been easier to remediate this.
-
It was in my reply 18 days ago, too.
@jimp said in CA Cert and Server Cert Expiring Soon:
Reusing the cert means the old clients will still see the new CA as valid until their local copy expires. But it gives you time to roll out new client files without an abrupt cutover where everyone has to do it all at once.
-
@jimp
Yep. I missed it. Thanks.