OpenVPN cert expiring, need to renew, and server migration
-
Gurus
I have a question pertaining to the renewal of an OpenVPN server CA / cert that needs to be renewed.
This cert is used on hundreds of "remote appliances".
Can I just renew the cert on the firewall, and will the remote appliances just connect after the renewal as usual?
-
@ipguy said in OpenVPN cert expiring, need to renew, and server migration:
I have a question pertaining to the renewal of an OpenVPN server CA / Cert that needs to be renewed
The server certificate or the CA cert?
After renewing the CA + server certificate you have to roll out the CA cert to all clients. Also you will have to renew all client certs.
You should choose a long validity period for a CA cert, like two decades. When renewing only the server cert, this is not needed.
-
During the testing process, I successfully updated the server's certificate (CRT) with the expiring certificate authority (CA), which had a remaining validity of 6 months.
Consequently, the new expiry date of the server CRT is now set to 2033. However, following this update, a remote test appliance is experiencing difficulties connecting to the VPN.
-
@ipguy
What exactly? As long as the server cert is issued by the same CA, which is used by the clients to verify the server cert, there should be no issue.
-
It appears that the system is rejecting the new CRT signed by the old CA.
To add further complexity, we are in the process of renewing the server CRT on a new server running "pfSense 23.01-RELEASE (amd64)". The previous version of pfSense was "pfSense 2.4.2-RELEASE-p1".
-
@ipguy
For further investigation you have to provide the client and server logs. You can try to disable "Data Encryption Negotiation" on the server. If the client has an old config, it might not support this feature.