On 08.01.24 13:02, Peter Davis wrote:
> 1- What tool do you use to generate server and client keys?

Whichever happens to be in current use in the environment in question. None of what we've been talking about so far is an issue with EasyRSA in particular (beyond the Internet handing you how-tos that hurt my eyes with the "nopass"es sprinkled everywhere), it's about basic concepts of certs and PKIs and what objects are usually more long-lived than others.

> 2- Assume that the keys have expired. Do I have to generate a new key
>    again or can I renew the previous keys that I have copied in the
>    server and client directory?

*Keys* don't expire (at least not with the crypto algorithms in current use, and other than by slowly losing their edge in the race against codebreakers). Certs and CRLs do.

You don't necessarily need a new *keypair* to create a new *cert* for it(s public key), but in the case of *decades old* keypairs, replacing those as well *might* be a good idea.

Not all data can be recovered from whatever remains after you deleted/lost/... certain other data; that's the *purpose* of crypto. If you start deleting stuff without an understanding of what circumstances might arise and require you to use it again, you *WILL* eventually see the entire project roll over and fall to pieces, usually well after its go-live.

(Another pro tip: Don't set a CA cert's validity period to end on a "neat" date, *especially* not 01-Jan 00:00. Unless you're at work at that time, anyway, and fond of doing BIG surprise tasks on your lonesome.)

> I still don't quite understand why I shouldn't delete the Easy-RSA
> directory after generating the keys!

Because you don't delete your government every time you have been issued a new ID, either. It's a TRUSTED institution, and "been around and fully operational for a *long* time" (compared to how long the information it certifies remains valid) is an expected aspect of being trustworthy. What you're trying to create is the equivalent of "I would like to have your passport confirmed by the issuer, but it seems that your national authorities ceased to exist".

Kind regards,
--
Jochen Bern
Systemingenieur

Binect GmbH


_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
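The lifecycle Jochen describes, shown with the plain openssl CLI that EasyRSA wraps. This is an added example, not code from the post or from EasyRSA: it builds a throwaway CA, issues a short-lived client cert, fast-forwards time with `openssl verify -attime` to watch that cert expire while the private key underneath it stays perfectly usable, then "renews" by signing a fresh CSR for the same key and confirms that all three objects carry the same public key. It also includes the "neat date" check from the pro tip. Everything here is assumed for the demo: the names `Demo Root CA` and `client1`, the `$WORK` directory layout, the helper function names, and that `openssl` is on `PATH`.

```shell
#!/bin/sh
# Added example, not from the mailing-list post or from EasyRSA. It uses the
# plain openssl CLI (which EasyRSA wraps) to show:
#   - the CA key/cert is the long-lived trust anchor you keep around
#   - a certificate expires; the client private key underneath it does not
#   - a new cert can be issued for the SAME keypair by re-signing a fresh CSR
#   - a quick check that a CA cert's notAfter is not a "neat" 01-Jan 00:00
# Assumptions: openssl is on PATH; all names (Demo Root CA, client1, paths)
# are made up for the demo and are not OpenVPN/EasyRSA conventions.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Self-signed CA: the object you do NOT delete after issuing certs, because
# every later issue, renewal or revocation needs ca.key and ca.crt.
setup_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Demo Root CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# The client keypair is generated once and reused across certificates.
gen_client_key() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/client.key" 2>/dev/null
}

# Issue (or re-issue) a cert for the existing client key.
# $1 = output basename, $2 = validity in days.
issue_client_cert() {
    openssl req -new -key "$WORK/client.key" -subj "/CN=client1" \
        -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days "$2" -sha256 -out "$WORK/$1.crt" 2>/dev/null
}

# SHA-256 over the DER SubjectPublicKeyInfo, so a cert and a private key can
# be compared: equal fingerprints mean the cert certifies exactly that key.
pubkey_fpr_from_cert() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1
}
pubkey_fpr_from_key() {
    openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Chain-verify a cert ($1) at a chosen time ($2, epoch seconds); prints ok/fail.
# -attime lets us "fast-forward" instead of waiting for a real expiry.
verify_at() {
    if openssl verify -CAfile "$WORK/ca.crt" -attime "$2" "$1" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# The "neat date" check from the reply: is notAfter exactly Jan 1 00:00:00?
cert_enddate() { openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'; }
is_neat_enddate() {
    case "$1" in
        "Jan  1 00:00:00 "*) echo yes ;;
        *) echo no ;;
    esac
}

demo() {
    setup_ca
    gen_client_key
    issue_client_cert client-v1 30                  # short-lived first cert
    now=$(date +%s)
    later=$((now + 100 * 86400))                    # 100 days from now
    echo "v1 today:         $(verify_at "$WORK/client-v1.crt" "$now")"
    echo "v1 in 100 days:   $(verify_at "$WORK/client-v1.crt" "$later")"   # expired
    issue_client_cert client-v2 365                 # "renew": same key, new cert
    echo "v2 in 100 days:   $(verify_at "$WORK/client-v2.crt" "$later")"
    echo "pubkey in v1:     $(pubkey_fpr_from_cert "$WORK/client-v1.crt")"
    echo "pubkey in v2:     $(pubkey_fpr_from_cert "$WORK/client-v2.crt")"
    echo "pubkey of key:    $(pubkey_fpr_from_key "$WORK/client.key")"
    echo "CA notAfter neat? $(is_neat_enddate "$(cert_enddate "$WORK/ca.crt")")"
}

demo
```

Note that the renewal step never touches `client.key`; only the CA material and a new CSR are needed, which is exactly why the CA directory (EasyRSA's `pki/` in practice) has to outlive any single certificate it signed. Delete it and you can neither re-sign that CSR nor publish a CRL that the server will accept.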
