On 08.01.24 15:09, Bo Berglund wrote:
> OK, in my case there are only a handful of clients so I could presumably do the
> following by creating new server crypto files from scratch:

If you'd like to get into enough detail to come up with a step-by-step recipe, you should IMHO specify *which* certs exactly are about to expire and need to be replaced in the process - just the CA, or the server's as well? (Or maybe it's *just* the server cert ... ?)

Creating a new CA cert *without* changing the keypair and then rolling that out to the clients would be particularly useful if it allows you to keep the server cert unchanged, assuming that the server cert's nominal lifetime exceeds that of the CA; for as long as the old CA cert is still valid, *either* CA cert in whatever client's config would have the server cert accepted. Problem though, I don't know whether *EasyRSA* has a command/procedure to create a CA cert that way.

Kind regards,
--
Jochen Bern
Systemingenieur

Binect GmbH

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
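
The same-keypair CA renewal discussed in the reply above, as an added example that is not part of the original message and is not an EasyRSA procedure: it uses plain `openssl`, and all file names and subject names are constructed for the demo. It checks that a server cert signed under the old CA cert verifies against either CA cert, while a CA with the same name but a different key is rejected.

```shell
#!/bin/sh
# Constructed demo: file names and subject names are made up for illustration.
# Re-issue a CA certificate over the SAME key pair, then check which CA
# certificates an unchanged server certificate verifies against.

renew_ca_demo() {
    dir=$(mktemp -d) || return 1
    (
        cd "$dir" || exit 1
        # Original CA: fresh key, self-signed, short remaining lifetime.
        openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key \
            -subj "/CN=Demo VPN CA" -days 30 -out ca-old.crt 2>/dev/null || exit 1
        # Server key and CSR; the cert is signed by the original CA and
        # has a nominal lifetime exceeding that of the old CA cert.
        openssl req -newkey rsa:2048 -nodes -keyout server.key \
            -subj "/CN=demo-server" -out server.csr 2>/dev/null || exit 1
        openssl x509 -req -in server.csr -CA ca-old.crt -CAkey ca.key \
            -CAcreateserial -days 365 -out server.crt 2>/dev/null || exit 1
        # Renewed CA cert: same key, same subject, new validity period.
        openssl req -x509 -new -key ca.key -subj "/CN=Demo VPN CA" \
            -days 3650 -out ca-new.crt 2>/dev/null || exit 1
        # Control: same subject name but a brand-new key pair.
        openssl req -x509 -newkey rsa:2048 -nodes -keyout other.key \
            -subj "/CN=Demo VPN CA" -days 3650 -out ca-other.crt 2>/dev/null || exit 1
        # The server cert is untouched; only the trust anchor varies.
        for ca in ca-old.crt ca-new.crt ca-other.crt; do
            if openssl verify -CAfile "$ca" server.crt >/dev/null 2>&1; then
                echo "$ca: OK"
            else
                echo "$ca: FAIL"
            fi
        done
    )
    rc=$?
    rm -rf "$dir"
    return $rc
}

renew_ca_demo
```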