Recommended method for migrating from SHA1 cert to SHA512 cert
-
In looking at the recent CE 2.7.1 release documentation I realized we have a couple of old certs that need to migrate from SHA1 to SHA512 (SHA256 or higher). Anyone that has done this in the past with road warriors and OpenVPN: how have you handled it well? Or what do you recommend avoiding?
One method I was considering was to issue a new CA CERT and Server CERT and then place the new certificates on each road warrior system as a "backup" cert until it is needed in a couple of weeks.
Is there a better way?
Edit: Also, what am I forgetting?
Thanks!
-
Would it be a better idea to create another CA with an updated cert and a new server cert and migrate all of the VPN clients as we can get them in?
Anybody do this previously?
-
If you have not yet upgraded to 2.7.1 or later, then creating a new CA + Server Cert + OpenVPN Server (+User Certs if you have them), and so on is ideal. You can then migrate users to that while both can still function.
If you have already upgraded to 2.7.1 and the current server can't work because of the weak certs, then you're better off just creating the CA+Certs again and using them on the current server, then getting the new files to users and so on.
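The steps above (build a replacement CA and server certificate with a strong signature hash, then find which existing certificates still carry a SHA-1 signature) can be scripted with plain openssl. The following is an added example written for this thread, not code from pfSense or from any poster; the working directory, subject names, key sizes and validity periods are assumptions, and the audit function only inspects the signature algorithm, so it is a first-pass check rather than a full certificate review.

```shell
#!/bin/sh
# Added example (not from the thread or from pfSense): create a SHA-512-signed
# CA and OpenVPN server certificate, and audit PEM certs for weak signatures.
# WORKDIR, subjects, key sizes and lifetimes below are assumptions.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Build a new CA (self-signed, SHA-512) and a server cert signed by it (SHA-512).
make_sha512_pki() {
    dir="$1"
    mkdir -p "$dir"
    # CA key + self-signed CA certificate, 10-year validity
    openssl req -x509 -newkey rsa:2048 -nodes -sha512 -days 3650 \
        -subj "/CN=Example VPN CA (new)" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    # Server key + CSR
    openssl req -new -newkey rsa:2048 -nodes -sha512 \
        -subj "/CN=vpn.example.net" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    # Server-auth extensions so OpenVPN clients can verify the server role
    printf 'extendedKeyUsage=serverAuth\nkeyUsage=digitalSignature,keyEncipherment\nsubjectAltName=DNS:vpn.example.net\n' \
        > "$dir/server.ext"
    # Sign the CSR with the new CA using SHA-512
    openssl x509 -req -sha512 -days 825 -in "$dir/server.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/server.ext" -out "$dir/server.crt" 2>/dev/null
}

# Print the signature algorithm of a PEM certificate, e.g. sha512WithRSAEncryption.
sig_alg() {
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Exit 0 if the certificate is signed with SHA-1 or MD5 (needs replacing), else 1.
is_weak_sig() {
    case "$(sig_alg "$1")" in
        sha1*|md5*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Constructed "old" certificate signed with SHA-1, only to show the audit flags it.
# Some OpenSSL builds refuse to produce SHA-1 signatures; this returns 1 in that case.
make_legacy_sha1_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha1 -days 1 \
        -subj "/CN=legacy-vpn-ca" -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# Audit every .crt under a directory and list the ones that need migration.
audit_dir() {
    for crt in "$1"/*.crt; do
        [ -f "$crt" ] || continue
        if is_weak_sig "$crt"; then
            printf 'WEAK  %s (%s)\n' "$crt" "$(sig_alg "$crt")"
        else
            printf 'ok    %s (%s)\n' "$crt" "$(sig_alg "$crt")"
        fi
    done
}

# Usage: build the new PKI, then audit it alongside any legacy certs.
make_sha512_pki "$WORKDIR/new"
make_legacy_sha1_cert "$WORKDIR/new/legacy" || true
audit_dir "$WORKDIR/new"
```

Run the audit function against the directory holding your exported CA and server certificates before the upgrade; anything it reports as WEAK is what the new CA and server certificate replace, and clients keep working on the old set until you hand them the new files.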
-
@jimp Thanks for the clarification. We have not upgraded to 2.7.1 and we will attempt to get that changed over seamlessly for the user.