On 03.03.16 at 22:04, ValdikSS wrote:
> Hello everyone,
>
> I'm trying to leisurely move from an old existing 1024 bit CA to a new 4096 bit one without a hassle for the clients.
> From an X.509 perspective it shouldn't be a problem, and I already have the new CA self-signed and cross-signed with the old CA; it should work just fine.
>
> While there's no problem authenticating clients from both old and new CA using a single instance (multiple certificates in --ca are supported, this information is documented), I need to send two certificates from the OpenVPN server: the server certificate, which is signed by the new CA, and the new CA cross-signed with the old CA. This way it should work for clients with either the old or the new CA in their configuration files.
>
Shouldn't sending the new CA chain only be enough? Since it is
(cross)signed by the old CA, the client will accept it. For the old
clients the new CA will look like an intermediate certificate.

Arne
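
The following is an added example, not part of the thread above and not OpenVPN or OpenSSL project code. It models the migration with the openssl command line so the two trust paths Arne describes can be checked before the server configuration is touched: one CSR for the new CA is signed twice (by its own key and by the old CA), a server certificate is issued under the new CA, and `openssl verify` then plays the role of a client whose `--ca` holds the old CA, the new CA, or both. All names (OldCA, NewCA, vpn.example.test) are constructed; the "old" CA is given an RSA-2048 key instead of the 1024 bits from the post, because current OpenSSL security levels refuse 1024-bit signatures outright and the check would fail for that reason alone.

```shell
#!/bin/sh
# Added example: reproduce the cross-signed CA migration from the thread with
# the openssl CLI and verify the server certificate against each kind of
# client trust store. Assumption: RSA-2048 for the old CA (see lead-in).
set -e

# Extensions for the two CA certificates (self-signed and cross-signed alike).
CA_EXT='basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash'

# Extensions for the server (leaf) certificate.
SERVER_EXT='basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectKeyIdentifier=hash'

# build_pki DIR: create the constructed PKI in DIR.
#   old.crt       old CA, self-signed
#   new-self.crt  new CA, self-signed (what new clients put in --ca)
#   new-cross.crt new CA, same key and CSR, signed by the old CA
#   server.crt    server certificate issued by the new CA
#   both-ca.crt   old and new CA concatenated (multiple certs in one --ca file)
build_pki() {
    dir=$1
    mkdir -p "$dir"
    printf '%s\n' "$CA_EXT" >"$dir/ca.ext"
    printf '%s\n' "$SERVER_EXT" >"$dir/server.ext"

    # Old CA: key + CSR, then self-signed with its own key.
    openssl req -new -newkey rsa:2048 -nodes -subj /CN=OldCA \
        -keyout "$dir/old.key" -out "$dir/old.csr" 2>/dev/null
    openssl x509 -req -days 3650 -in "$dir/old.csr" -signkey "$dir/old.key" \
        -extfile "$dir/ca.ext" -out "$dir/old.crt" 2>/dev/null

    # New CA: one 4096-bit key and one CSR, signed two ways.
    openssl req -new -newkey rsa:4096 -nodes -subj /CN=NewCA \
        -keyout "$dir/new.key" -out "$dir/new.csr" 2>/dev/null
    openssl x509 -req -days 3650 -in "$dir/new.csr" -signkey "$dir/new.key" \
        -extfile "$dir/ca.ext" -out "$dir/new-self.crt" 2>/dev/null
    openssl x509 -req -days 3650 -in "$dir/new.csr" \
        -CA "$dir/old.crt" -CAkey "$dir/old.key" -CAcreateserial \
        -extfile "$dir/ca.ext" -out "$dir/new-cross.crt" 2>/dev/null

    # Server certificate issued by the new CA. Its signature is identical
    # whichever of the two new-CA certificates a client happens to trust,
    # because both carry the same public key and subject name.
    openssl req -new -newkey rsa:2048 -nodes -subj /CN=vpn.example.test \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    openssl x509 -req -days 825 -in "$dir/server.csr" \
        -CA "$dir/new-self.crt" -CAkey "$dir/new.key" -CAcreateserial \
        -extfile "$dir/server.ext" -out "$dir/server.crt" 2>/dev/null

    cat "$dir/old.crt" "$dir/new-self.crt" >"$dir/both-ca.crt"
}

# verify_chain TRUST UNTRUSTED LEAF: act as a client whose --ca is TRUST and
# which received LEAF plus the optional UNTRUSTED certificate from the server.
# Returns 0 when a path to TRUST exists, non-zero otherwise.
verify_chain() {
    trust=$1 untrusted=$2 leaf=$3
    if [ -n "$untrusted" ]; then
        openssl verify -CAfile "$trust" -untrusted "$untrusted" "$leaf" >/dev/null 2>&1
    else
        openssl verify -CAfile "$trust" "$leaf" >/dev/null 2>&1
    fi
}

# report LABEL TRUST UNTRUSTED LEAF: print the outcome of one client scenario.
report() {
    if verify_chain "$2" "$3" "$4"; then echo "OK    $1"; else echo "FAIL  $1"; fi
}

pki=$(mktemp -d)
build_pki "$pki"
report "old client, server sends cert + cross-signed new CA" "$pki/old.crt"     "$pki/new-cross.crt" "$pki/server.crt"
report "new client, server sends cert + cross-signed new CA" "$pki/new-self.crt" "$pki/new-cross.crt" "$pki/server.crt"
report "client with both CAs in --ca"                        "$pki/both-ca.crt" "$pki/new-cross.crt" "$pki/server.crt"
report "old client, server sends only its own cert"          "$pki/old.crt"     ""                   "$pki/server.crt"
```

The first three scenarios verify and the last one fails, which is the whole point of the thread: an old client can only reach its trust anchor if the server ships the cross-signed new CA certificate next to its own, and a new client simply treats that extra certificate as an intermediate it does not need. In OpenVPN terms the `-untrusted` file here corresponds to what the server sends in addition to `--cert` (for example via `--extra-certs`), and `-CAfile` to the client's `--ca`.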
