Hi,

On Mon, Jan 08, 2024 at 11:54:23AM +0100, Jochen Bern wrote:
> In a nutshell, if a specific CA certificate is used(!) in the config of
> whatever OpenVPN peer and is about to expire, you'll need to have it
> replaced, yes, *in every such config*.

What we do here ("we" being "one of the companies I support that use OpenVPN") is to have personal certificates that expire after one year, so every employee is used to "go to the portal and get a new .ovpn once a year".

So when I need to change things (like, roll out tls-auth, get rid of compression in client configs, new corp CA, etc.) - I just change the template on the portal, and wait for a year - magically, all user configs are updated.

Of course this only makes sense if there's a significant number of users - if it's just like "5 users", I'd send everyone a new .ovpn and make sure they start using it in a timely fashion ;-)

gert
--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                             g...@greenie.muc.de
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
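Replacing an expiring CA "in every such config" starts with knowing which profiles still carry it. The following is an added example, not part of the original messages or of OpenVPN: Python code that fingerprints the certificates in each profile's inline `<ca>` block and sorts profiles by whether they still embed the old CA. The certificate bytes, profile names and `vpn.example.com` are constructed stand-ins, and `audit` and its status labels are names chosen for this example.

```python
import base64
import hashlib
import re

CA_BLOCK = re.compile(r"<ca>(.*?)</ca>", re.S)
PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
CA_FILE = re.compile(r"^[ \t]*ca[ \t]+(\S+)", re.M)  # "ca <file>" directive

def to_pem(der):
    """Wrap raw bytes in PEM armour (used only to build the sample profiles)."""
    body = base64.encodebytes(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"

def inline_ca_fingerprints(ovpn_text):
    """SHA-256 over the DER of every certificate inside inline <ca> blocks."""
    fps = set()
    for block in CA_BLOCK.findall(ovpn_text):
        for body in PEM_CERT.findall(block):
            der = base64.b64decode("".join(body.split()))
            fps.add(hashlib.sha256(der).hexdigest())
    return fps

def audit(configs, old_fp):
    """Sort profiles: embeds the old CA, points at an external CA file, or ok."""
    report = {"old_ca": [], "external_ca": [], "ok": []}
    for name, text in sorted(configs.items()):
        if old_fp in inline_ca_fingerprints(text):
            report["old_ca"].append(name)       # needs a re-issued .ovpn
        elif CA_FILE.search(text):
            report["external_ca"].append(name)  # check the referenced file
        else:
            report["ok"].append(name)
    return report

# Constructed stand-ins, not real certificates: the fingerprint is a hash over
# the decoded bytes, so real DER from a real profile is handled the same way.
OLD_DER = b"constructed stand-in for the expiring CA certificate"
NEW_DER = b"constructed stand-in for the replacement CA certificate"
OLD_FP = hashlib.sha256(OLD_DER).hexdigest()
BASE = "client\nremote vpn.example.com 1194\n"
CONFIGS = {
    "alice.ovpn": BASE + "<ca>\n" + to_pem(OLD_DER) + "</ca>\n",
    "bob.ovpn": BASE + "<ca>\n" + to_pem(NEW_DER) + "</ca>\n",
    # transition bundle: new and old CA stacked in one <ca> block
    "carol.ovpn": BASE + "<ca>\n" + to_pem(NEW_DER) + to_pem(OLD_DER) + "</ca>\n",
    "dave.ovpn": BASE + "ca /etc/openvpn/ca.crt\n",
}

if __name__ == "__main__":
    for status, names in audit(CONFIGS, OLD_FP).items():
        print(status, names)
```

Profiles reported under `external_ca` carry no inline certificate, so the file they reference has to be fingerprinted separately on the machine that holds it.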