Netgate Discussion Forum

    Certificate renew question

    OpenVPN
    7 Posts 2 Posters 474 Views
      maverick_slo
      last edited by maverick_slo

      Hi.

      I have an OpenVPN server with a cert that will expire 13 JAN 2028.
      Yeah I know that we have a lot of time, but we also have like 450 certificates for OpenVPN clients...

      So we would like to start to renew certs on endpoints.

      Please correct me if I'm wrong here:

      1. Renew CA and use:
        a) Use same key
        b) Use same serial

      2. We can then renew OpenVPN server cert
        a) Do we use same key or not?
        b) Do we use same serial or not?

      3. Then we can start to renew client certs

      Am I correct that all existing clients with existing certs will work just fine in this scenario?

      Additional question:
      From the GUI, when renewing the CA or server cert, is there ANY way to renew for MORE than 10 years?
      Because we don't want to renew OpenVPN certs any more... like ever :)

      Thanks!

        Gertjan @maverick_slo
        last edited by Gertjan

        @maverick_slo

        It's the other way around.
        Very soon ;) the OpenVPN client will not accept certificates that are older than xx months (a couple of years max).
        Ok, you'll say, we never upgrade OpenVPN anymore, we'll never upgrade pfSense anymore etc.
        This means it's a safe bet that your pfSense, OpenVPN, won't last for 10 years from now on.
        Or this one: tomorrow, next month or next year, a serious certificate flaw will be discovered. Then you'll have to do something, as security matters.
        All this is hypothetical of course, but you're betting on the fact that nothing changes ..... like no zero-day security issues anymore? Serious?

        For some good news :
        You are not the only one that uses certs for OpenVPN that last for '10 years', I do too. And yes, I'm in year 8 also.
        And guess what, we are not the only ones. So, on this forum - use the search button - you'll find what to do, using the less disruptive way.
        One method that I can mention right away : create a second OpenVPN server, using port 1194, with a new CA, etc. Make new client configs, and hand them over.
        And from then on, move your VPN users by batches, like 50 a month, or all at once. If needed, they can fall back to the original server on port 1193, as with OpenVPN you (they) can select which config they use.

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

          maverick_slo @Gertjan
          last edited by

          @Gertjan
          So if we have 450 clients (Windows, iPhone, iPad, Android), how can we rotate certs without interruption if they are only valid for a few months?

          Lol, better to migrate to a real enterprise solution sooner than later.

          I understand that if a cert flaw is found we should jump on it and resolve it, and sure, we update the pfSense box regularly.

          I can't use port 1194, we use 443 TCP which is working great (compared to 1194 in restrictive environments)...

            maverick_slo @Gertjan
            last edited by

            @Gertjan
            Very soon ;) the OpenVPN client will not accept certificate that are older then xx month (a couple of year max).

            Source? I think this will never happen, or at least if it does, there will be a switch somewhere to ignore max. validity or to override this nonsense.

              Gertjan @maverick_slo
              last edited by Gertjan

              @maverick_slo said in Certificate renew question:

              Source?

              Just my brain ....😊 ( common sense, actually ^^ )
              And also: what is the motive that, for example, Let's Encrypt doesn't deliver certificates that last for at least one year, as all certificate authorities did in the past?

              But as I shouldn't trust my brain, I fired up a browser and asked the question: why?
              Why are certificates limited in time? and you find some motives right away.
              Or Why ninety-day lifetimes for certificates?
              Or SSL Certificate Validity Drastically Shortened: 90-day Renewals

              Ok, true, these are for web servers, browsers and so on. Not the same thing as your own CSR, CA, and so on.
              But encryption types, also evolve, as does encryption hardware.

              @maverick_slo said in Certificate renew question:

              I cant use port 1194, we use 443 TCP

              I understand. I mentioned 1194 as an example. I never dealt with that issue myself, that a remote OpenVPN user couldn't use the default OpenVPN port 1194 because the remote network admin (of the network my OpenVPN user uses) has it blocked.
              IMHO, that's pretty sick. Why not block port 443 also, as that one also contains a lot of TLS (encrypted) traffic?
              Since 2020 (2019? covid) it is pretty well known by now that port 1194 is used to connect to 'not local' private resources like company networks, as people have to work from home, or other, not 'work' places.
              But I get it, the issue exists.

              edit : pfSense still allows you to create CAs that last for 3650 days.

                maverick_slo
                last edited by

                Please correct me if I'm wrong here:

                Step 1:
                Renew CA and use:
                a) Use same key
                b) Use same serial

                Step 2:
                We can then renew OpenVPN server cert
                a) Do we use same key or not?
                b) Do we use same serial or not?

                Step 3:
                Then we can start to renew client certs

                Am I correct that all existing clients with existing certs will work just fine in this scenario?

                Can somebody please confirm this will work?
                I can't do new server on new port and with new CA...

                  maverick_slo @maverick_slo
                  last edited by

                  Sooo I did some extensive testing on my home box...

                  1. Renew CA - use same key and same serial
                  2. Renew server cert - use same key and NOT use same serial

                  In this scenario all existing certs are valid and can connect without an issue. If I renew client cert it also connects without an issue.

                  What is more interesting is this:

                  1. The old CA was valid until today, for example
                  2. When I generated client cert with that CA it was valid for 10 years and NOT until today like my old CA
                  3. So this probably mean that this cert, generated with old CA and valid for 10 years will also be valid with NEW CA and NEW server cert in place :)

                  So if you have like 400 clients like I do it is IMHO OK if CA is valid for 10 years, then just renew CA and server cert approx. 2 years before expiration and take care of certs that are expiring and that's it :)

                  And then, repeat after 8 years...

                  Thoughts or criticism?
                  Can it really be this simple and straightforward or am I missing something?

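The sequence tested in the post above (renew the CA with the same key and serial, renew the server cert with the same key and a new serial, leave the 10-year client certs alone), replayed here with the plain openssl CLI as an added example. This is not code from the thread or from pfSense, which does the same thing behind its GUI; it assumes openssl 1.1.1 or later on PATH and writes everything to a scratch directory. All names, serials and validity periods are constructed for the demo. It also runs two controls the post does not: a CA renewed with a different key, and a CA renewed with a different serial checked against a client cert whose Authority Key Identifier carries the issuer name and serial, which is the case where the serial choice actually matters.

```shell
#!/bin/sh
# Added example (not from the thread or from pfSense): replay the renewal
# sequence from the post with the openssl CLI and check which certificates
# still chain. Assumes openssl 1.1.1+ on PATH; everything is written to $DEMO.
set -eu

DEMO="${DEMO:-$(mktemp -d)}"   # scratch directory, constructed for this demo

# Minimal config: one CA profile, two leaf profiles that differ only in how the
# Authority Key Identifier (AKID) is written (key id only vs key id + issuer/serial).
cat > "$DEMO/ext.cnf" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ leaf_keyid ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
authorityKeyIdentifier = keyid
[ leaf_keyid_serial ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
authorityKeyIdentifier = keyid, issuer:always
EOF

# genkey FILE: P-256 key (fast; the key algorithm is irrelevant to the point).
genkey() { openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
             -out "$DEMO/$1" 2>/dev/null; }

# make_ca NAME KEY SERIAL DAYS: self-signed CA cert NAME.crt over KEY.
# "Renewing" a CA with the same key is exactly this: a new self-signed cert.
make_ca() {
  openssl req -x509 -new -key "$DEMO/$2" -subj "/CN=Demo VPN CA" \
    -set_serial "$3" -days "$4" -config "$DEMO/ext.cnf" -extensions v3_ca \
    -out "$DEMO/$1.crt" 2>/dev/null
}

# issue NAME KEY CACERT CAKEY SERIAL DAYS SECTION: leaf cert NAME.crt.
issue() {
  openssl req -new -key "$DEMO/$2" -subj "/CN=$1" -config "$DEMO/ext.cnf" \
    -out "$DEMO/$1.csr" 2>/dev/null
  openssl x509 -req -in "$DEMO/$1.csr" -CA "$DEMO/$3" -CAkey "$DEMO/$4" \
    -set_serial "$5" -days "$6" -extfile "$DEMO/ext.cnf" -extensions "$7" \
    -out "$DEMO/$1.crt" 2>/dev/null
}

# chain_ok CACERT LEAF: prints OK when LEAF verifies against CACERT, else FAIL.
chain_ok() {
  if openssl verify -CAfile "$DEMO/$1" "$DEMO/$2" >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
  fi
}

genkey ca.key; genkey ca-other.key; genkey server.key; genkey client.key

# The original PKI: CA cert about to expire (30 days here), server serial 10,
# two client certs with 3650-day validity issued under the OLD CA cert.
make_ca ca-old ca.key 1 30
issue server-old server.key ca-old.crt ca.key 10 30   leaf_keyid
issue client     client.key ca-old.crt ca.key 20 3650 leaf_keyid
issue client-s   client.key ca-old.crt ca.key 21 3650 leaf_keyid_serial

# Step 1: renew the CA with the SAME key and SAME serial, just a new validity.
make_ca ca-new ca.key 1 3650
# Step 2: renew the server cert with the SAME key and a NEW serial.
issue server-new server.key ca-new.crt ca.key 11 3650 leaf_keyid
# Controls the post does not test: CA renewed with another key / another serial.
make_ca ca-newkey    ca-other.key 1 3650
make_ca ca-newserial ca.key      2 3650

printf '%-48s %s\n' \
  'old client cert vs renewed CA (same key, serial)' "$(chain_ok ca-new.crt client.crt)" \
  'renewed server cert vs renewed CA'                "$(chain_ok ca-new.crt server-new.crt)" \
  'renewed server cert vs OLD CA cert on a client'   "$(chain_ok ca-old.crt server-new.crt)" \
  'old client cert vs CA renewed with a NEW key'     "$(chain_ok ca-newkey.crt client.crt)" \
  'old client (AKID=keyid) vs CA with NEW serial'    "$(chain_ok ca-newserial.crt client.crt)" \
  'old client (AKID=keyid+serial) vs NEW serial'     "$(chain_ok ca-newserial.crt client-s.crt)"
```

Run it and the first three lines come back OK: the old client cert chains to the renewed CA, the renewed server cert chains to it as well, and a client still holding the OLD copy of the CA cert also verifies the renewed server cert, because it is the same key under a fresh self-signed cert. The fourth line is FAIL, which is the whole reason "use same key" is the one choice that is not negotiable. The last two lines show when the serial matters: a leaf whose AKID only carries the key id ignores the CA serial, but a leaf whose AKID also carries the issuer name and serial fails against a CA cert with a different serial, so reusing the serial is the safe choice when you do not know how every client cert was issued. One caveat that follows from the third line: an OpenVPN client verifies the server against the CA cert embedded in its own config, so that copy keeps working only until the old CA cert's own expiry date; the new CA cert has to reach the clients before then, even though their client certs never need reissuing.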
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.