On Wed, 28 Sep 2022 10:40:07 -0400, Joe Patterson <j.m.patter...@gmail.com> wrote:

>On Wed, Sep 28, 2022 at 10:08 AM Bo Berglund <bo.bergl...@gmail.com> wrote:
>>
>> I have been using OpenVPN for a rather long time now and I have realized that
>> there is a risk that the server certificates may expire as well as the
>> clients.
>> The servers all run on Linux (Ubuntu server and Raspberry Pi) but clients are
>> both Linux and Windows and actually also some ASUS routers...
>>
>> How can I check when this will happen?
>> The clients use OVPN files with embedded crypto stuff and the server uses a set
>> of crypto files in subdir etc/openvpn/keys.
>>
>> If I can check this and it turns out that they will be expiring in the near
>> future, then what can I do to extend the life of them?
>> Do I have to re-create the entire set of server and client certs?
>>
>> Notice:
>> The certs were created using easy-rsa on the servers back when the system was
>> created and new clients have been added over the years also using easy-rsa on
>> the servers.
>The general form of what you want to do is:
>
>openssl x509 -in file.crt -noout -text | grep 'Not After'
>
>If you use the same command against the client files with the embedded
>crypto, it will give you the expiration date of the first certificate
>block, which *might* be your client cert, or *might* be your CA cert,
>depending on how the file is structured.
>
>you can manually copy the chunk between <cert> and </cert> and then
>run it through openssl, or do something cleverish like:
>
>grep -A 100 -F '<cert>' openvpn.conf | openssl x509 -in - -noout -text | grep 'Not After'
>
>Hope this is helpful.

Thanks,
so my OVPN files are structured like this:

client
dev tun
proto udp
remote <server domain address> 1194
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
ns-cert-type server
key-direction 1
cipher AES-128-CBC
comp-lzo
verb 1
mute 20
<ca>
-----BEGIN CERTIFICATE-----
block of characters
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
block of characters
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,60C3A5C2A94EB51F

block of characters
-----END RSA PRIVATE KEY-----
</key>
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
block of characters
-----END OpenVPN Static key V1-----
</tls-auth>

I don't know what each of these crypto sections does and if they contain some
expire info...
Or which section contains the date...

-- 
Bo Berglund
Developer in Sweden

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
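
Added example, not part of the original thread: a POSIX shell script that pulls the inline <ca> and <cert> blocks out of a client file laid out like the one above and reports each certificate's expiry with openssl, so the CA and the client certificate are checked separately. The function names extract_block and ovpn_expiry and the 30-day default threshold are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread). extract_block, ovpn_expiry and the
# 30-day default are names/values assumed for this illustration.

# Print the lines between <TAG> and </TAG> in an OpenVPN config.
# CRs are stripped so files edited on Windows clients parse the same way.
extract_block() {   # usage: extract_block TAG FILE
    awk -v tag="$1" '
        { sub(/\r$/, "") }
        $0 == "</" tag ">" { inside = 0 }
        inside             { print }
        $0 == "<" tag ">"  { inside = 1 }
    ' "$2"
}

# Only <ca> and <cert> hold X.509 certificates, which carry a notAfter date.
# <key> and <tls-auth> hold key material and have no validity period.
# If <ca> holds a chain, openssl x509 reads only its first certificate.
ovpn_expiry() {     # usage: ovpn_expiry FILE [DAYS]
    oe_file=$1
    oe_days=${2:-30}
    oe_rc=0
    for oe_tag in ca cert; do
        oe_pem=$(extract_block "$oe_tag" "$oe_file")
        if [ -z "$oe_pem" ]; then
            echo "$oe_tag: no inline block in $oe_file"
            continue
        fi
        echo "$oe_tag: $(printf '%s\n' "$oe_pem" | openssl x509 -noout -enddate)"
        # -checkend N exits non-zero when the cert expires within N seconds.
        if ! printf '%s\n' "$oe_pem" |
                openssl x509 -noout -checkend $((oe_days * 86400)) >/dev/null; then
            echo "$oe_tag: expires within $oe_days days"
            oe_rc=1
        fi
    done
    return $oe_rc
}

# Run as: sh ovpn-expiry.sh client.ovpn [days]
if [ "$#" -gt 0 ]; then
    ovpn_expiry "$@"
fi
```

The non-zero exit status when either certificate is inside the threshold makes the script usable from cron or a monitoring check.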