d3vilh / openvpn-ui

Web User Interface for OpenVPN
MIT License
173 stars 39 forks

How to increase certificate expiration? #9

Closed PennyLook closed 9 months ago

PennyLook commented 10 months ago

Hello, as far as I can see, the default expiration date of the certificate is 2 years from the creation date. Is it possible to somehow increase it to, for example, 10 years?

d3vilh commented 10 months ago

Hi @PennyLook. It is currently set by default to the recommended value to keep it secure. But you can change it in the ~/openvpn/pki/vars file (825 days is the default):

# In how many days should certificates expire?
#
set_var EASYRSA_CERT_EXPIRE 825

For 10 years it should be 3650. Again, I don't recommend setting it to 10 years; in my practice 825 days is more than enough, keeping in mind that the CRL will expire earlier.

PennyLook commented 10 months ago

What is the validity of the CRL?

How can I swap these certificates without losing the connection to the client?

The point is that I only have the ability to connect to the client over VPN, so if I am to somehow "swap" these certificates it is only through a VPN connection. In case of losing the VPN connection I won't be able to do it anymore.

d3vilh commented 10 months ago

Here is how you can check the CRL expiration dates:

philipp@d:~ $ sudo docker exec openvpn /bin/bash -c 'openssl crl -in /opt/app/easy-rsa/pki/crl.pem -text' | grep -E "Last|Next"
        Last Update: Jul 23 14:07:12 2023 GMT
        Next Update: Jan 19 14:07:12 2024 GMT
philipp@d:~ $

Here is how you update it:

philipp@d:~ $ sudo docker exec openvpn /bin/bash -c 'cd /opt/app/easy-rsa; . /usr/share/easy-rsa/easyrsa gen-crl -crldays 365'
* Using SSL: openssl OpenSSL 3.1.2 1 Aug 2023 (Library: OpenSSL 3.1.2 1 Aug 2023)
* Using Easy-RSA configuration: /opt/app/easy-rsa/vars
* The preferred location for 'vars' is within the PKI folder.
  To silence this message move your 'vars' file to your PKI
  or declare your 'vars' file with option: --vars=<FILE>
Using configuration from /opt/app/easy-rsa/pki/617d769e/temp.5fac7962
Notice
------

An updated CRL has been created.
CRL file: /opt/app/easy-rsa/pki/crl.pem

Then fix permissions and copy the new CRL:

philipp@d:~ $ sudo docker exec openvpn /bin/bash -c 'chmod +r /opt/app/easy-rsa/pki/crl.pem'
philipp@d:~ $ sudo docker exec openvpn /bin/bash -c 'cp -p /opt/app/easy-rsa/pki/crl.pem /etc/openvpn/pki'
philipp@d:~ $ sudo docker exec openvpn /bin/bash -c 'openssl crl -in /opt/app/easy-rsa/pki/crl.pem -text' | grep -E "Last|Next"
        Last Update: Aug 18 13:21:22 2023 GMT
        Next Update: Feb 14 13:21:22 2024 GMT
philipp@d:~ $

Again, you can increase the CRL validity period in the same vars file, regenerate the CRL and forget about it for the next 10 years, but this is not secure, as any server should get enough attention.

Regarding swapping certificates: you can keep the old certificate while doing all of this (CRL regeneration and changing the vars parameters), as it only impacts newly generated certificates. It means you can generate a new cert while using the old one, then reconnect with the new certificate with the new expiration parameters and delete the old one, or keep it until its expiration time.

Note that after regenerating the CRL you will need to restart the OpenVPN server for the changes to take effect. This is because the server needs to read the new CRL file and update its internal cache of revoked certificates.
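
The check above is a manual `grep` over `openssl crl -text`; the same dates can be watched automatically. The following Python script is an added example for this thread (not part of openvpn-ui or easy-rsa): it parses the `Last Update`/`Next Update` lines of a CRL and the `Not Before`/`Not After` lines of certificates, as printed by `openssl crl -text` and `openssl x509 -text`, and reports days remaining. The sample outputs embedded in it are constructed; in practice you would feed it the output of the `docker exec ... openssl` commands shown above.

```python
"""Days-to-expiry check over the text that `openssl crl -text` and
`openssl x509 -text` print. Added example for this thread; it is not
part of openvpn-ui or easy-rsa."""
import re
from datetime import datetime, timezone

# Constructed sample output, shaped like the openssl runs in the thread.
CRL_TEXT = """\
Certificate Revocation List (CRL):
        Version 2 (0x1)
        Issuer: CN=server
        Last Update: Aug 18 13:21:22 2023 GMT
        Next Update: Feb 14 13:21:22 2024 GMT
"""

CERT_TEXTS = {
    "client-a": """\
        Validity
            Not Before: Aug 29 17:05:39 2023 GMT
            Not After : Aug 26 17:05:39 2033 GMT
""",
    "client-b": """\
        Validity
            Not Before: Aug 29 17:07:28 2023 GMT
            Not After : Dec 16 17:07:28 2025 GMT
""",
}


def at_utc(year, month, day, hour=0, minute=0, second=0):
    """Convenience constructor for an aware UTC datetime."""
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def parse_openssl_date(text):
    """Turn 'Feb 14 13:21:22 2024 GMT' into an aware UTC datetime.
    openssl pads single-digit days with a space ('Aug  2 ...'), so the
    whitespace is collapsed before parsing."""
    cleaned = " ".join(text.split())
    if not cleaned.endswith(" GMT"):
        raise ValueError(f"unexpected openssl date: {text!r}")
    naive = datetime.strptime(cleaned[:-4], "%b %d %H:%M:%S %Y")
    return naive.replace(tzinfo=timezone.utc)


def field(text, label):
    """Extract one dated field ('Next Update', 'Not After', ...)."""
    pattern = rf"^\s*{re.escape(label)}\s*:\s*(.+?)\s*$"
    match = re.search(pattern, text, re.MULTILINE)
    if match is None:
        raise ValueError(f"{label!r} not found in openssl output")
    return parse_openssl_date(match.group(1))


def days_left(expires, now):
    """Whole days until `expires`; negative once it has passed."""
    return (expires - now).days


def check_expiry(crl_text, cert_texts, now=None, warn_days=30):
    """Return [(name, days_left, status), ...] for the CRL and each cert.
    status is 'expired', 'warn' (within warn_days) or 'ok'. The CRL entry
    matters most: a server configured with crl-verify rejects every
    client once the CRL's Next Update has passed, valid certs included."""
    now = now or datetime.now(timezone.utc)
    items = [("crl", field(crl_text, "Next Update"))]
    items += [(name, field(text, "Not After")) for name, text in cert_texts.items()]
    report = []
    for name, expires in items:
        left = days_left(expires, now)
        status = "expired" if left < 0 else "warn" if left <= warn_days else "ok"
        report.append((name, left, status))
    return report


if __name__ == "__main__":
    for name, left, status in check_expiry(CRL_TEXT, CERT_TEXTS):
        print(f"{name:12} {left:>6} days  {status}")
```

Run it from cron with the live `openssl` output piped in and alert on any `warn` or `expired` row; the CRL row is the one that takes the whole server down when missed, so its warning window should be at least as long as your regeneration-and-restart routine takes.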

d3vilh commented 10 months ago

Hi @PennyLook, I finally added the option to change EasyRSA variables via OpenVPN-UI:

[Screenshot 2023-08-29 at 19 57 50] [Screenshot 2023-08-29 at 19 58 36]

Here is how it looks after changing the parameters and generating a new cert:

[Screenshot 2023-08-29 at 20 07 44]

Alice cert:

        Issuer: C=UA, ST=KY, L=Kyiv, O=SweetHome, OU=MyOrganizationalUnit, CN=server/emailAddress=sweet@home.net
        Validity
            Not Before: Aug 29 17:05:39 2023 GMT
            Not After : Aug 26 17:05:39 2033 GMT
        Subject: C=UA, ST=KY, L=Kyiv, O=SweetHome, OU=MyOrganizationalUnit, CN=Alice/emailAddress=sweet@home.net

Note the expiration date in 10 years.

The-Mad-Hatter cert:

        Issuer: C=UA, ST=KY, L=Kyiv, O=SweetHome, OU=MyOrganizationalUnit, CN=server/emailAddress=sweet@home.net
        Validity
            Not Before: Aug 29 17:07:28 2023 GMT
            Not After : Dec 16 17:07:28 2025 GMT
        Subject: C=US, ST=DE, L=NewCastle, O=ParentsHome, OU=DadOrganizationalUnit, CN=The-Mad-Hatter/emailAddress=parents@home.us

Here the expiration date is standard but all EasyRSA Org fields are different.

Please note that this will not affect the root CA, which is generated during the first OpenVPN container start. For the root CA you still need to update easy-rsa.vars, aka /usr/share/easy-rsa/pki/vars, before the root CA init. In the case of openvpn-aws or raspberry-gateway you can set all these parameters in example.config.yml or your custom config.yml before running the main playbook for the first time:

# EasyRSA configuration parameters.
easyrsa_dn: "org"                               # Leave this as-is. "org" for traditional, "cn_only" for CN only.
easyrsa_req_country: "UA"                       # The two-letter country code (e.g. US).
easyrsa_req_province: "KY"                      # The two-letter state or province code (e.g. CA).
easyrsa_req_city: "Kyiv"                        # The city of the organization.
easyrsa_req_org: "SweetHome"                    # The name of the organization.
easyrsa_req_email: "sweet@home.net"             # The email address of the organization.
easyrsa_req_ou: "MyOrganizationalUnit"          # The name of the organizational unit.
easyrsa_req_cn: "server"                        # The name of the common name.
easyrsa_key_size: 2048                          # Leave this as-is. Size in bits for your keypairs. The recommended value is 2048. up to 4096.
easyrsa_ca_expire: 3650                         # Number of days until the root CA expires.
easyrsa_cert_expire: 825                        # Number of days until certificates expire.
easyrsa_cert_renew: 30                          # Number of days before expiration to automatically renew certificates.
easyrsa_crl_days: 180                           # Number of days until the CRL expires.

If you are just running the OpenVPN container from hub.docker.com, be sure your ./config volume has the easy-rsa.vars file at the first container start, as shown below.

Docker volume:

       volumes:
           - ./pki:/etc/openvpn/pki
           - ./clients:/etc/openvpn/clients
           - ./config:/etc/openvpn/config

easy-rsa.vars:

set_var EASYRSA_DN           "org"
set_var EASYRSA_REQ_COUNTRY  "UA"
set_var EASYRSA_REQ_PROVINCE "KY"
set_var EASYRSA_REQ_CITY     "Kyiv"
set_var EASYRSA_REQ_ORG      "SweetHome"
set_var EASYRSA_REQ_EMAIL    "sweet@home.net"
set_var EASYRSA_REQ_OU       "MyOrganizationalUnit"
set_var EASYRSA_REQ_CN       "server"
set_var EASYRSA_KEY_SIZE     2048
set_var EASYRSA_CA_EXPIRE    3650
set_var EASYRSA_CERT_EXPIRE  825
set_var EASYRSA_CERT_RENEW   30
set_var EASYRSA_CRL_DAYS     180

Then it will init the root CA with all your parameters, and finally you can change the Org vars and expiration time with OpenVPN UI.

I am thinking of one new feature: a forced root CA re-init via the OpenVPN UI webpage, to drop all OpenVPN server configuration and create a new one from scratch following the new EasyRSA parameters. I will implement this someday in the future.

Please let me know if you are still interested in testing it :)

Thank you!
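
The lifetimes in easy-rsa.vars only make sense together: EASYRSA_CERT_EXPIRE is applied at issue time, while EASYRSA_CA_EXPIRE was fixed when the root CA was created, so a 10-year client cert issued months after a 10-year CA will outlive its issuer and stop validating the day the CA expires. The following Python script is an added example for this thread (not openvpn-ui's or easy-rsa's own code): it parses `set_var` lines from a constructed copy of the vars file above and lints the expiry values against a given CA creation date and issue date. The policy thresholds (825 days for leaf certs, 365 days for the CRL) are the example's own assumptions, taken from the numbers used earlier in the thread.

```python
"""Lint the lifetimes in an easy-rsa.vars file before initialising the
root CA or issuing a certificate. Added example for this thread; it is
not part of openvpn-ui or easy-rsa."""
import shlex
from datetime import date, timedelta

# Constructed copy of the thread's easy-rsa.vars, trimmed to the
# lifetime-related variables plus a comment line to show it is skipped.
VARS_TEXT = """\
# EasyRSA variables as shipped in ./config/easy-rsa.vars
set_var EASYRSA_REQ_COUNTRY  "UA"
set_var EASYRSA_KEY_SIZE     2048
set_var EASYRSA_CA_EXPIRE    3650
set_var EASYRSA_CERT_EXPIRE  825
set_var EASYRSA_CERT_RENEW   30
set_var EASYRSA_CRL_DAYS     180
"""


def parse_vars(text):
    """Return {NAME: value} for every `set_var NAME VALUE` line, honouring
    shell quoting and skipping comments and blank lines."""
    result = {}
    for raw in text.splitlines():
        parts = shlex.split(raw, comments=True)
        if len(parts) >= 3 and parts[0] == "set_var":
            result[parts[1]] = parts[2]
    return result


def lint_lifetimes(vars_text, ca_created, issue_date,
                   max_cert_days=825, max_crl_days=365):
    """Check the expiry values in vars against a CA created on `ca_created`
    and a certificate issued on `issue_date` (both ISO date strings).
    Returns a list of finding strings; an empty list means no complaint.
    Fallback values match the defaults shown in the thread (assumption)."""
    v = parse_vars(vars_text)
    ca_days = int(v.get("EASYRSA_CA_EXPIRE", 3650))
    cert_days = int(v.get("EASYRSA_CERT_EXPIRE", 825))
    renew_days = int(v.get("EASYRSA_CERT_RENEW", 30))
    crl_days = int(v.get("EASYRSA_CRL_DAYS", 180))
    key_size = int(v.get("EASYRSA_KEY_SIZE", 2048))

    ca_not_after = date.fromisoformat(ca_created) + timedelta(days=ca_days)
    cert_not_after = date.fromisoformat(issue_date) + timedelta(days=cert_days)

    findings = []
    if cert_not_after > ca_not_after:
        # A leaf that outlives its issuer fails chain validation once the CA expires.
        findings.append(f"cert would expire {cert_not_after}, after the CA ({ca_not_after})")
    if cert_days > max_cert_days:
        findings.append(f"EASYRSA_CERT_EXPIRE={cert_days} exceeds policy maximum {max_cert_days}")
    if renew_days >= cert_days:
        findings.append("EASYRSA_CERT_RENEW is not shorter than EASYRSA_CERT_EXPIRE")
    if crl_days > max_crl_days:
        # A long-lived CRL means a long time between mandatory reviews of revocations.
        findings.append(f"EASYRSA_CRL_DAYS={crl_days} exceeds policy maximum {max_crl_days}")
    if key_size < 2048:
        findings.append(f"EASYRSA_KEY_SIZE={key_size} is below 2048")
    return findings


if __name__ == "__main__":
    ten_year = VARS_TEXT.replace("EASYRSA_CERT_EXPIRE  825", "EASYRSA_CERT_EXPIRE  3650")
    for label, text in (("default", VARS_TEXT), ("10-year certs", ten_year)):
        print(label, lint_lifetimes(text, "2023-01-01", "2023-08-29") or ["ok"])
```

The CA creation date is the `Not Before` of ca.crt in the pki directory; run the lint with that date and today's date before changing EASYRSA_CERT_EXPIRE in the UI, and the first finding tells you whether the new leaf lifetime fits inside the CA you already have.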

PennyLook commented 10 months ago

Hello @d3vilh, of course I want to check it out. How can I change my current version of openvpn-ui to this version with the option to change EasyRSA (that is, to the latest) without reinstalling the containers?

I'd like to do it seamlessly, since it's already a production version. I already have several clients connected and I can't lose the connection between them; the whole OpenVPN configuration should stay unchanged. If anything changes, I won't be able to connect to the clients anymore.

I use openvpn-aws

d3vilh commented 10 months ago

Hello @PennyLook, that is reasonable, no rush with the upgrade. I'll include straightforward upgrade instructions with backup and fallback steps in release 0.6.

d3vilh commented 10 months ago

@PennyLook 0.6 is out now, here is the upgrade procedure. I successfully upgraded my own production environments to 0.6. The most challenging part for me was the OpenVPN Server settings review 🧐 you have to be very precise at this stage.

d3vilh commented 9 months ago

0.9 has more features for this :) Closing this thread as "implemented".