[OBE] Certificate Expiration - Alternatives to Starting Over?

Started by seamus, March 06, 2019, 07:26:11 PM

My CA (cert. authority), OpenVPN cert and my user cert have all recently expired. As a consequence, it seems, I can no longer connect to my OpenVPN server (a very bad thing). I am back in the office here for a few days, and hope to get everything repaired quickly.

I have read https://forum.opnsense.org/index.php?topic=5592.0 in this forum that the solution for this is to create a new CA and certs. However, it seems (based on this Q&A: https://serverfault.com/questions/306345/certification-authority-root-certificate-expiry-and-renewal) that it is possible to renew a root CA, such that existing certs will become valid again.

Can anyone comment on this? Is it possible to "renew" without starting over?

Just to follow up & hopefully avoid wasting anyone's time: I never found the "shortcut" I was hoping to find. Instead, I just created a new CA, generated new certs for server and user, and edited the OpenVPN server config to use them. It seems to be working now, so I'm moving on.

Just as an afterthought, I would like to say that I feel OPNsense, as good as it is, would benefit from a notification or message in the "lobby" to the effect that a cert has expired.

That was the right approach.

Arguably, depending on needs, a better option would have been to create a 10-year, 4096-bit-key root CA with one or more intermediate CAs (with either a 3072- or 2048-bit key size) and issue certs signed by the sub-CAs. For a simple setup, however, it is way overkill.