On Sun, 7 Jan 2024 20:22:49 +0100, Jochen Bern <jochen.b...@binect.de> wrote:

>On 07.01.24 06:50, Peter Davis via Openvpn-users wrote:
>> As you can see, I have moved the files to /etc/openvpn/server directory.
>
>Correction: You have copied SOME files to that directory, namely, those 
>that the server needs.
>
>> Now if I ignore the warning message above, what is the risk?
>
>Then you'll lose the content of those files that only the *CA* needs, 
>and thus the ability to continue operating that (first) CA, in particular:
>-- You'll be unable to create a CRL, whether it is to actually revoke a
>    cert or just to replace an expiring one.
>-- When the (first) server cert expires, you'll be unable to have a new
>    one created by the same CA, thus requiring a config change on *every*
>    client - wherever and in whosever hands it is - before it'll be able
>    to connect to the VPN again.
>

Hello Jochen,
this brings up a related issue I have wondered about and don't know the answer
to:

If you have a couple of OpenVPN servers operating off of certs and keys
generated back in 2014 (like I have), then these are probably set to expire this
year, 2024, because I think that the easyrsa I used back then sets a 10-year life
for these.

What is the proper procedure to refresh these so the servers will continue to
operate into the future?

I assume there are things that need to be done on the server side, right?

But do you additionally have to create updated OVPN files for the clients as
well? Or is there some other procedure that can be used?

Or do you have to start over?


-- 
Bo Berglund
Developer in Sweden



_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
