OPNsense Forum

Archive => 18.1 Legacy Series => Topic started by: Joergen on March 02, 2018, 01:37:04 pm

Title: renew of Certificates
Post by: Joergen on March 02, 2018, 01:37:04 pm
Hello there

I am quite new to opnsense - so bear with me.
I can see that the web GUI SSL certificate and some self-signed certificates are soon to expire.
I am talking about the certificates used for VPN access as explained in the documentation "SSL VPN Road Warrior".

Is there any easy way to renew those 3 certificates?

Best regards
Joergen
Title: Re: renew of Certificates
Post by: bartjsmit on March 02, 2018, 03:24:50 pm
The CA in the road warrior scenario doesn't need to sign the GUI certificate. You can replace the GUI certificate without any impact on your VPN server. A lot of people use the Let's Encrypt project for this.

If you are going to roll your own, then you may want to increase the lifetime of the new certificate to be more than the default 365 days to avoid having to do this once a year.

Bart...
Title: Re: renew of Certificates
Post by: Joergen on March 03, 2018, 11:13:53 am
Thanks for the answer.

So there is no easy way to renew or extend the existing certificates or copy the settings from the old ones? – or do I have to make them from zero again?

That means I have to make new ones for the 3 certificates used for “SSL VPN ROAD WARRIOR”?
-   Authorities
-   CA OpenVPN server
-   CA Open VPN User
Is that correct?

Kind regards
Joergen
Title: Re: renew of Certificates
Post by: bartjsmit on March 03, 2018, 04:16:53 pm
Does the root CA you set up for OpenVPN have a certificate that is about to expire? That is unusual; the certificate is normally set for a long time. Mine expires in 2036.

If the certificate at the top of your PKI expires, you will have to redo the whole lot.

Bart...
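
To see which of the certificates discussed in this thread actually need attention, each one can be checked for remaining lifetime and for whether it chains to the VPN CA. This is an added example, not part of the forum posts; the sample PKI, the file names and the 60-day threshold are constructed for illustration, and real certificates would be exported from the firewall instead.

```shell
#!/bin/sh
set -eu

# expires_within CERT DAYS: succeeds if CERT expires within DAYS days.
# An unreadable file also counts as "needs attention".
expires_within() {
    ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# signed_by CERT CA: succeeds if CERT verifies with CA as the trust anchor.
signed_by() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Constructed sample PKI in directory $1: a 10-year CA, a 30-day server
# certificate signed by it, and a separate self-signed 365-day GUI certificate.
make_sample_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Sample VPN CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Sample VPN server" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null
    openssl x509 -req -in "$1/server.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 30 -out "$1/server.crt" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Sample GUI" \
        -keyout "$1/gui.key" -out "$1/gui.crt" 2>/dev/null
}

# audit DIR DAYS: one status line per certificate found in DIR.
audit() {
    for c in "$1"/*.crt; do
        if expires_within "$c" "$2"; then state="RENEW SOON"; else state="ok"; fi
        if signed_by "$c" "$1/ca.crt"; then
            chain="chains to ca.crt"
        else
            chain="independent of ca.crt"
        fi
        printf '%s: %s, %s, %s\n' "${c##*/}" "$state" "$chain" \
            "$(openssl x509 -in "$c" -noout -enddate)"
    done
}

tmp=$(mktemp -d)
make_sample_pki "$tmp"
audit "$tmp" 60
rm -rf "$tmp"
```

In the sample output only server.crt is flagged, and gui.crt shows as independent of the CA, which matches the point that the GUI certificate can be replaced without touching the VPN certificates.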