Renew CA - Githubissues

OpenVPN / easy-rsa

easy-rsa - Simple shell based CA utility

Other

4.07k stars 1.2k forks source link

Renew CA #936

Open TinCanTech opened 1 year ago

TinCanTech commented 1 year ago

You want to renew your CA and your OpenVPN keeps on working.

This is not possible.

All of your clients require the renewed CA certificate.

The renewed CA certificate MUST be forwarded to your clients, there is no alternative.

Source: https://github.com/OpenVPN/easy-rsa/issues/379#issuecomment-1294722949

Linked-to: https://github.com/OpenVPN/easy-rsa/issues/609#issuecomment-1465464705

Even after considering this absolute fact, EasyRSA has the option to offer a minor, secure shortcut.

The question:

Is renewing a CA any different to building a new CA ?

Can EasyRSA make renewing your old CA easy and Secure ?

Maybe ...

aduzsardi commented 1 year ago

afaik the openvpn ca file/option can take more than one CAs , if this is the case ... one solution for expiring CA would be to not issue new client/server certificates once is about to expire and the new issued leaf certificate would exceed the life span of the CA

at that ponint , just create a new CA and carry on

TinCanTech commented 10 months ago

This is authoritative information, provided by David Sommerseth, OpenVPN Inc: https://www.mail-archive.com/openvpn-users@lists.sourceforge.net/msg07265.html

TinCanTech commented 10 months ago

Because renewing a CA is more complicated than building a new CA, Easy-RSA does not renew the CA.

The recommended procedure is to use:

easyrsa --days="$hasta_la_vista" build-ca

Where $hasta_la_vista is the expected lifetime of your CA.

But I must draw your attention to: #941

aduzsardi commented 10 months ago

Thanks for the updates @TinCanTech

I just want to reiterate that my solution works as expected, tested a couple of weeks ago When your original CA is about to expire , just don't issue any new client/server certificates with it and build a new one.

Add the new CA certificate in the list of <ca></ca> of the VPN server so that the server can authenticate client certificates issued by the new CA. Unless you also replace the server certificate to use the new CA , you should include the OLD CA in your clients <ca></ca> list

This way both old and new clients can authenticate until all the old certificates expire and the OLD CA is decommissioned

TinCanTech commented 10 months ago

@aduzsardi Your approach is acceptable, I shall take another look at this. Thank you for your persistence ;-)

TinCanTech commented 3 weeks ago

EasyRSA v3.2, simple renewal of an expired CA certificate:

https://github.com/OpenVPN/easy-rsa/blob/master/doc/EasyRSA-Renew-and-Revoke.md#renew-ca-certificate

TinCanTech commented 2 weeks ago

For command init-pki soft, it has been recommended by OpenVPN developers that keeping the old CA key is more useful than creating a new CA key.