CA and Server certificate expiring soon
-
Good morning to all!
I have a problem with the OpenVPN software installed on a pfSense firewall; in particular, I have an issue with the certificate.
The CA and Server certificate will expire in a few days and my VPN (5 networks) is used by about 50 people.
I tried to reissue the CA and then the certificate, but all VPN clients couldn't connect after this operation; to fix it I restored a backup made before the reissue.
But now I'm back at the starting point. Does anyone have any suggestions to avoid updating 50 clients one by one?
Thanks to all!!
Andrew -
If you click, the existing certificate, in this case the CA used by the OpenVPN server, will get renewed.
NOT GREAT.
The very first OpenVPN server restart will use the new CA ..... and thus it will invalidate all connections, as the OpenVPN client info needs to be updated for all OpenVPN clients before they can continue. And I didn't even look (think!) about every certificate for every user ..... which should also be renewed, as they are now based upon the new CA.
I guess I would build a new OpenVPN server, create all the new certs (CA and certificates for everybody), do some testing, and send all the ovpn files away - and on D-Day I would stop the old server, move the new server to the old port - and wait for the phone to ring, as with 50++ users there will always be someone who doesn't read his mails (with the new ovpn file and your very detailed instructions etc).
Btw: I'm just thinking out loud here, I never had to renew whatsoever myself. I'm still good for 2 years or so as my original OpenVPN CA was good for 10 years.
-
If you care less about security and more about making the transition easier, you can check the box on the CA renewal to reuse the serial number.
The clients should still see it as valid since the serial is the same even though the dates are different. You may still need to eventually copy the new CA over to each client or they may be seeing their local copy as expired, too.
https://docs.netgate.com/pfsense/en/latest/certificates/renew.html#renew-or-reissue-options
-
@jimp I tried, but unfortunately it didn't work, because the user certificate that I use to export the OpenVPN client has the same CA as the server certificate (I think).
The final solution was to reinstall all OpenVPN clients on all devices, hard work, but at least all users can continue to work!
Thanks for the support
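As an added example, not from this thread or from pfSense: a small POSIX shell audit that reports which certificates expire within a given window and whether a client certificate still chains to a given CA file, which is the check that fails for every client after a CA reissue with a new key. It assumes openssl is installed and that the CA, server and client certificates have been exported from pfSense as PEM files; the demo PKI it builds is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit an OpenVPN PKI exported from
# pfSense as PEM files before renewing anything. Needs only openssl. The file
# names and the demo PKI built by make_demo_pki are constructed for illustration.
set -e

# Returns 0 when the cert in $2 expires within $1 days, 1 otherwise.
expires_within() {
  if openssl x509 -in "$2" -noout -checkend $(($1 * 86400)) >/dev/null; then
    return 1   # still valid beyond the window
  fi
  return 0     # expires inside the window (or already expired)
}

# Returns 0 when cert $2 chains to CA $1. This is what the server checks against
# its configured CA and what the client checks against the CA in its .ovpn, so a
# user cert issued by the old CA fails against a CA reissued with a fresh key.
chains_to_ca() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# One status line per cert: expiry within $1 days, serial, file name.
audit() {
  days=$1; shift
  for cert in "$@"; do
    if expires_within "$days" "$cert"; then state="EXPIRES<${days}d"; else state="ok"; fi
    printf '%-12s %s %s\n' "$state" "$(openssl x509 -in "$cert" -noout -serial)" "$cert"
  done
}

# Builds a constructed demo PKI in $1: a CA five days from expiry, a user cert
# it issued, and a reissued CA with the same subject but a fresh key.
make_demo_pki() {
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 5 -subj "/CN=OpenVPN CA" \
    -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=user1" \
    -keyout "$d/user1.key" -out "$d/user1.csr" 2>/dev/null
  openssl x509 -req -in "$d/user1.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -days 3 -out "$d/user1.crt" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=OpenVPN CA" \
    -keyout "$d/ca-new.key" -out "$d/ca-new.crt" 2>/dev/null
}

if [ "${1:-}" = demo ]; then
  d=$(mktemp -d); make_demo_pki "$d"
  audit 30 "$d/ca.crt" "$d/user1.crt" "$d/ca-new.crt"
  chains_to_ca "$d/ca-new.crt" "$d/user1.crt" || echo "user1.crt does NOT chain to the reissued CA"
  rm -rf "$d"
fi
```

Run it as `sh audit.sh demo` to see the constructed case, or call `audit 30 ca.crt server.crt users/*.crt` against your own exported files.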