Netgate Discussion Forum
    OpenVPN cert expiring, need to renew, and server migration

    OpenVPN
    8 Posts 2 Posters 897 Views
    • ipguy

      Gurus

      I have a question pertaining to the renewal of an OpenVPN server CA / Cert that needs to be renewed

      This cert is used on hundreds of "remote appliances"

      Can I just renew the cert on the firewall and will the remote appliances just connect after the renewal as usual?

      • viragomann @ipguy

        @ipguy said in OpenVPN cert expiring, need to renew, and server migration:

        I have a question pertaining to the renewal of an OpenVPN server CA / Cert that needs to be renewed

        The server certificate or the CA cert?

        After renewing the CA + server certificate you have to roll out the CA cert to all clients. Also you will have to renew all client certs.
        You should choose a long validity period for a CA cert like two decades.

        When renewing only the server cert, this is not needed.

        • ipguy @ipguy

              During the testing process, I successfully updated the server's certificate (CRT) with the expiring certificate authority (CA), which had a remaining validity of 6 months.

              Consequently, the new expiry date of the server CRT is now set to 2033. However, following this update, a remote test appliance is experiencing difficulties connecting to the VPN.

            • viragomann @ipguy

                @ipguy
                What exactly?

                As long as the server cert is issued by the same CA, which is used by the clients to verify the server cert, there should be no issue.

              • ipguy @viragomann

                  @viragomann

                  It appears that the system is rejecting the new CRT signed by the old CA

                  To add further complexity, we are in the process of renewing the server CRT on a new server running "pfSense 23.01-RELEASE (amd64)". The previous version of pfSense was "pfSense 2.4.2-RELEASE-p1".

                • viragomann @ipguy
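                The condition viragomann states (the renewed server cert must chain to the CA the clients already trust) and the rejection ipguy reports can both be checked offline before a cert is rolled out to hundreds of appliances. The following is an added example, not code from the thread or from pfSense: a stand-alone Go program using only the standard library that performs the same checks an OpenVPN client with `remote-cert-tls server` performs (chain to the trusted CA, validity at the current time, serverAuth extended key usage). It builds a constructed lab CA with six months of validity left, as in the thread, and issues a server cert valid to 2033 under it; the CA name, hostname and serials are made up. It also flags the case a practitioner wants to see: a server cert that outlives its CA still fails for every client the day the CA expires, whatever its own expiry date says.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Report is what a client that trusts caPEM and runs "remote-cert-tls server"
// would conclude about a renewed server certificate.
type Report struct {
	IssuedByTrustedCA bool   // issuer DN equals the trusted CA's subject DN
	ChainValid        bool   // signature, validity window and serverAuth EKU all pass
	OutlivesCA        bool   // server cert expires later than the CA that signed it
	Problem           string // verification error text, empty when ChainValid
}

func parsePEMCert(data []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(data)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("no CERTIFICATE block in PEM input")
	}
	return x509.ParseCertificate(block.Bytes)
}

// CheckServerCert mirrors the client-side check: chain to the CA the client
// already holds, validity at time now, and the serverAuth EKU that
// "remote-cert-tls server" requires (a user-type certificate fails this).
func CheckServerCert(caPEM, serverPEM []byte, now time.Time) (Report, error) {
	ca, err := parsePEMCert(caPEM)
	if err != nil {
		return Report{}, fmt.Errorf("CA: %w", err)
	}
	srv, err := parsePEMCert(serverPEM)
	if err != nil {
		return Report{}, fmt.Errorf("server cert: %w", err)
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	rep := Report{
		IssuedByTrustedCA: srv.Issuer.String() == ca.Subject.String(),
		OutlivesCA:        srv.NotAfter.After(ca.NotAfter),
	}
	_, err = srv.Verify(x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	if err != nil {
		rep.Problem = err.Error()
	} else {
		rep.ChainValid = true
	}
	return rep, nil
}

// newLabCA builds a constructed CA with six months of validity left, like the
// expiring CA in the thread. Lab material only, not a real pfSense CA.
func newLabCA(now time.Time) (*x509.Certificate, *ecdsa.PrivateKey, []byte) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "lab-openvpn-ca"},
		NotBefore:             now.AddDate(-9, -6, 0),
		NotAfter:              now.AddDate(0, 6, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	ca, _ := x509.ParseCertificate(der)
	return ca, key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// issueLeaf signs a leaf with the lab CA; eku decides whether it is a server
// certificate (serverAuth) or a plain user certificate (clientAuth).
func issueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, eku x509.ExtKeyUsage, now, notAfter time.Time) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "vpn.lab.invalid"}, // constructed hostname
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{eku},
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// RunLab reproduces the thread's situation (server cert renewed under the
// expiring CA, valid to 2033) and returns three verdicts: a proper server cert
// today, a user-type cert today, and the proper server cert seven months from
// now, after the CA itself has expired.
func RunLab(now time.Time) (serverNow, userNow, serverAfterCAExpiry Report) {
	ca, key, caPEM := newLabCA(now)
	exp2033 := time.Date(2033, 1, 1, 0, 0, 0, 0, time.UTC)
	serverPEM := issueLeaf(ca, key, x509.ExtKeyUsageServerAuth, now, exp2033)
	userPEM := issueLeaf(ca, key, x509.ExtKeyUsageClientAuth, now, exp2033)
	serverNow, _ = CheckServerCert(caPEM, serverPEM, now)
	userNow, _ = CheckServerCert(caPEM, userPEM, now)
	serverAfterCAExpiry, _ = CheckServerCert(caPEM, serverPEM, now.AddDate(0, 7, 0))
	return
}

func main() {
	a, b, c := RunLab(time.Now())
	fmt.Printf("server cert, today:      valid=%v outlivesCA=%v %s\n", a.ChainValid, a.OutlivesCA, a.Problem)
	fmt.Printf("user-type cert, today:   valid=%v %s\n", b.ChainValid, b.Problem)
	fmt.Printf("server cert, CA expired: valid=%v %s\n", c.ChainValid, c.Problem)
}
```

                To use it against real material, read the CA and the renewed server certificate exported from pfSense into `CheckServerCert` in place of the lab PEMs. A `Problem` mentioning key usage points at a certificate created with the wrong type rather than at the CA; a `Problem` about validity with `OutlivesCA` true means the client is failing on the CA's dates, not the server cert's.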

                    @ipguy
                    For further investigation you have to provide the client and server logs.

                    You can try to disable "Data Encryption Negotiation" on the server. If the client has an old config, it might not support this feature.

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.