OPNsense Forum » English Forums » General Discussion » [OBE] Certificate Expiration - Alternatives to Starting Over?
Topic: [OBE] Certificate Expiration - Alternatives to Starting Over? (Read 4341 times)
seamus (Jr. Member, Posts: 80, Karma: 1)
« on: March 06, 2019, 07:26:11 pm »
My CA (cert. authority), OpenVPN cert and my user cert have all recently expired. As a consequence it seems, I can no longer connect to my OpenVPN server (a very bad thing). I am back in the office here for a few days, and hope to get everything repaired quickly.
I have read https://forum.opnsense.org/index.php?topic=5592.0 in this forum that the solution for this is to create a new CA and certs. However, it seems (based on this Q&A: https://serverfault.com/questions/306345/certification-authority-root-certificate-expiry-and-renewal) that it is possible to renew a root CA, such that existing certs will become valid again.
Can anyone comment on this? Is it possible to "renew" without starting over?
« Last Edit: March 07, 2019, 02:55:43 am by seamus »
seamus (Jr. Member, Posts: 80, Karma: 1)
« Reply #1 on: March 07, 2019, 03:03:14 am »
Just to follow up & hopefully avoid wasting anyone's time: I never found the "shortcut" I was hoping to find. Instead, I just created a new CA, generated new certs for server and user, and edited the OpenVPN server config to use them. It seems to be working now, so I'm moving on.
Just as an afterthought, I would like to say that I feel OPNsense, as good as it is, would benefit from a notification or message in the "lobby" to the effect that a cert has expired.
newsense (Hero Member, Posts: 1037, Karma: 77)
« Reply #2 on: March 07, 2019, 06:48:40 am »
That was the right approach.
Arguably, depending on needs, a better option would have been to create a 10 year 4096 key RootCA with one or more IntermediateCAs either with a 3072 or 2048 key size and issue certs signed by the subCAs. For a simple setup, however, it is way overkill.
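The hierarchy reply #2 describes, together with the expiry warning reply #1 asks for, sketched with the openssl CLI as an added example (not code from the thread's posters or from OPNsense). The subject names, the 2048-bit leaf key, the 5-year sub-CA and 1-year server lifetimes, and the 400-day warning window are assumptions.

```shell
# Added example. From the thread: 10-year 4096-bit root, 3072-bit sub-CA.
# Assumed: all names, the 2048-bit leaf, the 5-year and 1-year lifetimes.
set -eu
issue() {  # issue NAME CN BITS DAYS EXT_SECTION ISSUER (ISSUER signs NAME)
  openssl req -new -newkey "rsa:$3" -nodes -config "$PKI/ca.cnf" -subj "/CN=$2" \
    -keyout "$PKI/$1.key" -out "$PKI/$1.csr" 2>/dev/null
  openssl x509 -req -sha256 -days "$4" -in "$PKI/$1.csr" -out "$PKI/$1.crt" \
    -CA "$PKI/$6.crt" -CAkey "$PKI/$6.key" -CAcreateserial \
    -extfile "$PKI/ca.cnf" -extensions "$5" 2>/dev/null
}

build_pki() {  # $1 = empty working directory
  PKI=$1
  cat > "$PKI/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
CN = overridden-by-subj
[root]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[sub]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
[leaf]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
EOF
  openssl req -x509 -newkey rsa:4096 -nodes -sha256 -days 3650 -config "$PKI/ca.cnf" \
    -extensions root -subj "/CN=Example Root CA" \
    -keyout "$PKI/root.key" -out "$PKI/root.crt" 2>/dev/null
  issue sub "Example VPN Sub CA" 3072 1825 sub root
  issue server "vpn.example.test" 2048 365 leaf sub
}

chain_ok() {  # the leaf must verify through the sub-CA up to the root
  openssl verify -CAfile "$PKI/root.crt" -untrusted "$PKI/sub.crt" "$PKI/server.crt" >/dev/null 2>&1
}

expires_within() {  # CERT DAYS; status 0 = expired or expiring in that window
  ! openssl x509 -checkend "$(( $2 * 86400 ))" -noout -in "$1" >/dev/null
}

build_pki "$(mktemp -d)"
chain_ok && echo "chain verifies: server <- sub <- root"
for c in root sub server; do
  if expires_within "$PKI/$c.crt" 400; then echo "$c.crt: renew soon"; fi
done
```

Because the three lifetimes differ, only the server certificate falls inside the warning window; `expires_within` can be run on a schedule against any PEM certificate.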