OpenVPN CA expiring, impacts of renewing it?
-
Our self-signed VPN CA and cert are expiring in about a month as it's been 10 years since we rolled it out.
Looking at the docs, I see that the CA can be renewed but I'm not sure about the implications of keeping or regenerating the serial # on the CA in relation to OpenVPN.
We use user auth (not cert auth) with a shared TLS key, and clients are Viscosity on Mac and the exported OpenVPN client on Windows.
Will renewing the CA require a new configuration payload for either client?
Thanks!
-
You're going to need to roll out new client configs containing the updated CA, but how much of an impact that is can be lessened.
If you are renewing it well ahead of the expiration, renewing the CA and keeping the same serial number could give you some leeway where the clients will still see it as valid while you hand out new updated client configs with the new CA.
Alternately, make a whole new fresh CA structure and server and migrate users over to it instead of renewing the old one.
If the CA is already expired, then it doesn't really matter what you do; the server cert will not be seen as valid on clients since they hold a copy of the now expired CA locally. Clients will be down until you get them a new copy of the CA.
-
@jimp Thank you for the reply.
Since I have ~200 VPN clients who don't all log on every day, is there a way to start pushing out new configs (new or renewed CA) but also have existing configs work?
If not I can push out new configs with a new connection called "use after $date" and then deal with the 20% of users who won't read it and start to complain :)
Thanks
-S
-
@ScottCall said in OpenVPN CA expiring, impacts of renewing it?:
Since I have ~200 VPN clients who don't all log on every day, is there a way to start pushing out new configs (new or renewed CA) but also have existing configs work?
If the CA is not yet expired, then renewing the CA and reusing the serial number will allow existing clients to work until the CA expires, while new clients you roll out can also connect to the same server.
If not I can push out new configs with a new connection called "use after $date" and then deal with the 20% of users who won't read it and start to complain :)
As I mentioned earlier, you could set up an entirely new CA and OpenVPN server and start handing out clients for that one at any time. You can run more than one so long as they use different addresses. No need to make them wait to start using it; they could migrate over right away. As an added bonus, this method also means you can see exactly who has updated and who hasn't, so you know which slackers to target before the old CA expires.
-
@jimp said in OpenVPN CA expiring, impacts of renewing it?:
If the CA is not yet expired, then renewing the CA and reusing the serial number will allow existing clients to work until the CA expires, while new clients you roll out can also connect to the same server.
Okay so I think I understand.
1> Renew CA with same serial #, certs will be recognized by existing clients but only until original CA expiration date.
2> Roll out new configs with new CA cert and those will work now until the new CA expiration.
I really appreciate the help.
Thanks
-S
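-
The two outcomes summarised above (a renewed CA keeps existing clients working only until the original notAfter date; a brand-new CA is rejected by clients that still hold the old copy) can be checked on any box with OpenSSL before touching the real CA. The script below is an added example, not code from the thread or from pfSense/OpenVPN: it builds a throwaway CA with made-up names, a 10-day validity standing in for the 10-year one, and a hypothetical serial number, issues a server cert from it, then asks what a client that trusts only a given CA copy (the `<ca>` block in its .ovpn) makes of that server cert at a given point in time. One assumption is deliberate: the server cert is issued with `authorityKeyIdentifier=keyid,issuer:always`, which pins the issuing CA's name and serial into the cert; that is the case in which reusing the CA serial actually matters for verification.

```shell
#!/bin/sh
# Added example (not from the forum thread): build a throwaway OpenVPN-style
# PKI with OpenSSL and check what a client that still holds the ORIGINAL CA
# copy accepts, for each way of replacing that CA. All names, the serial and
# the validity periods below are made up for the demo.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
CA_SUBJ="/CN=Example VPN CA"   # hypothetical CA name
CA_SERIAL=1234                 # hypothetical serial of the original CA
SERVER="$WORK/server.crt"

# Minimal req config so the CA certs get real CA extensions regardless of the
# system openssl.cnf; the empty [dn] section is fine because -subj is used.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:true
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# Server cert extensions (assumption for the demo): issuer:always binds the
# issuer's name AND serial into the AKID, which is where the CA serial matters.
printf 'basicConstraints=CA:FALSE\nauthorityKeyIdentifier=keyid,issuer:always\n' > "$WORK/server.ext"

# Self-signed CA cert from an existing key.  $1=key $2=serial $3=days $4=out
sign_ca() {
  openssl req -x509 -new -key "$1" -config "$WORK/req.cnf" -subj "$CA_SUBJ" \
    -set_serial "$2" -days "$3" -out "$4" 2>/dev/null
}

# 1. The original CA (10 days stands in for the 10-year CA in the thread) and
#    the server cert it issued, which the OpenVPN server keeps using.
build_original_pki() {
  openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
  sign_ca "$WORK/ca.key" "$CA_SERIAL" 10 "$WORK/ca-old.crt"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/server.key" \
    -config "$WORK/req.cnf" -subj "/CN=vpn.example.com" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca-old.crt" -CAkey "$WORK/ca.key" \
    -set_serial 2 -days 30 -extfile "$WORK/server.ext" -out "$SERVER" 2>/dev/null
}

# 2. Three candidate replacements for the CA certificate.
build_candidate_cas() {
  # same key, same subject, same serial, new validity: a "renewal"
  sign_ca "$WORK/ca.key" "$CA_SERIAL" 3650 "$WORK/ca-renewed.crt"
  # same key and subject, but a fresh serial
  sign_ca "$WORK/ca.key" "$((CA_SERIAL + 1))" 3650 "$WORK/ca-renewed-newserial.crt"
  # brand-new CA key: the "whole new CA structure" option
  openssl genrsa -out "$WORK/ca-fresh.key" 2048 2>/dev/null
  sign_ca "$WORK/ca-fresh.key" "$CA_SERIAL" 3650 "$WORK/ca-fresh.crt"
}

# Does a client trusting only CA $1 accept the server cert when evaluated at
# epoch time $2 (default: now)? Prints OK or FAIL. The ": OK" line is matched
# rather than relying on openssl verify's exit status.
client_accepts() {
  at="${2:-$(date +%s)}"
  out="$(openssl verify -attime "$at" -no-CAfile -no-CApath -CAfile "$1" "$SERVER" 2>&1 || true)"
  case "$out" in
    *": OK"*) echo OK ;;
    *)        echo FAIL ;;
  esac
}

# notAfter of a cert, as openssl prints it
not_after() { openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//'; }

build_original_pki
build_candidate_cas
LATER=$(( $(date +%s) + 11 * 86400 ))   # past the old CA's notAfter, inside the server cert's

echo "old CA expires:            $(not_after "$WORK/ca-old.crt")"
echo "old CA, today:             $(client_accepts "$WORK/ca-old.crt")"
echo "old CA, 11 days from now:  $(client_accepts "$WORK/ca-old.crt" "$LATER")"
echo "renewed CA, same serial:   $(client_accepts "$WORK/ca-renewed.crt" "$LATER")"
echo "renewed CA, new serial:    $(client_accepts "$WORK/ca-renewed-newserial.crt")"
echo "fresh CA, new key:         $(client_accepts "$WORK/ca-fresh.crt")"
```

The first two lines of output are the thread's situation: clients holding the old CA copy accept the server cert today and reject it the moment the old notAfter passes. The renewed CA (same key, same subject, same serial) validates the existing server cert both today and after that date, so a client that has received the new `<ca>` block keeps working without the server cert being reissued. The last two lines show the two ways that leeway is lost: a CA reissued under a different serial fails only because this demo's server cert carries issuer+serial in its AKID, so check your real server cert with `openssl x509 -noout -text` (look for "X509v3 Authority Key Identifier" with DirName/serial) before deciding whether the serial must be kept; a CA with a new key fails unconditionally, which is why the fresh-CA route means a new server cert, a new server instance and new client configs rather than a drop-in swap.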