> On Monday, January 8th, 2024 at 3:59 PM, Gert Doering <[email protected]> wrote:
>
> Hi,
>
> On Mon, Jan 08, 2024 at 12:02:58PM +0000, Peter Davis via Openvpn-users wrote:
> > 1- What tool do you use to generate server and client keys?
>
> Something homegrown, based on easy-rsa
>
> > 2- Assume that the keys have expired. Do I have to generate a new key again
> > or can I renew the previous keys that I have copied in the server and
> > client directory?
>
> You can create a new certificate (.crt) for the same key (.key). Or you
> can create a new key + new certificate.
>
> The peer is interested in a valid certificate - and that is the thing with
> the expiry date. The key does not have an expiry date, so it can not
> expire.
>
> > I still don't quite understand why I shouldn't delete the Easy-RSA
> > directory after generating the keys!
>
> If you throw away the easy-rsa directory, you remove your certificate
> authority, and can never again create a client or server key+cert that will
> be trusted by the existing setup. So, "no new clients" and "no new servers".
>
> gert
> --
> "If was one thing all people took for granted, was conviction that if you
> feed honest figures into a computer, honest figures come out. Never doubted
> it myself till I met a computer with a sense of humor."
> Robert A. Heinlein, The Moon is a Harsh Mistress
>
> Gert Doering - Munich, Germany [email protected]

Hi,

Thanks again. I forgot to tell you that this is an internal server.

I have other questions:

1- Assuming my vars file is as follows:

    export KEY_COUNTRY="US"
    export KEY_PROVINCE="CA"
    export KEY_CITY="NY"
    export KEY_ORG="GreatCoder"
    export KEY_EMAIL="[email protected]"
    export KEY_OU="OpenVPN"

I generated the server and client keys and then deleted the Easy-RSA directory. After a few months I revoke the keys and create a vars file again with the above information. I generate server and client keys again. Does this cause a problem?

I guess deleting the Easy-RSA directory becomes a problem when my keys are going to be used on the Internet!

2- Isn't the expiration date of the keys 365 days by default?

3- If the Easy-RSA directory should not be deleted, then should there be an Easy-RSA directory for each server?

_______________________________________________
Openvpn-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openvpn-users
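As an added example (not from the thread, and not easy-rsa's own code), the following POSIX shell script drives plain openssl, which easy-rsa wraps, to show the points made above: the certificate carries the expiry and the key does not, a new .crt can be issued for an existing .key, and a CA rebuilt from the same vars values is a different CA whose certificates the existing setup rejects. The CA/client subject names, the day counts and the temporary directory layout are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: plain openssl (which easy-rsa wraps) showing
# that the certificate carries the expiry, that a new .crt can be issued for the
# same .key, and that a CA rebuilt from the same vars values is a different CA.
set -e
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
# Subject built from the vars values quoted in the mail (the CN is an assumption).
CA_SUBJ="/C=US/ST=CA/L=NY/O=GreatCoder/OU=OpenVPN/CN=GreatCoder CA"

# Create a CA (key + self-signed cert) in directory $1. This key pair is what
# the easy-rsa directory holds and what is lost when that directory is deleted.
make_ca() {
  mkdir -p "$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "$CA_SUBJ" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}
# Issue certificate $3 for an existing key $2, signed by the CA in $1, valid $4 days.
# Renewal is exactly this: keep the key, sign a fresh CSR made from it.
issue_cert() {
  openssl req -new -key "$2" -subj "/CN=client1" -out "$WORK/client.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/client.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days "$4" -out "$3" 2>/dev/null
}
# Prints "valid" if cert $1 is still unexpired $2 days from now, else "expired".
valid_in_days() {
  if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1; then
    echo valid; else echo expired; fi
}
# Prints "ok" if cert $2 chains to the CA in $1, else "untrusted".
trusted_by() {
  if openssl verify -CAfile "$1/ca.crt" "$2" >/dev/null 2>&1; then echo ok; else echo untrusted; fi
}
# Prints "match" if cert $2 carries the public half of private key $1.
matches_key() {
  [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = "$(openssl x509 -in "$2" -noout -pubkey)" ] \
    && echo match || echo mismatch
}

make_ca "$WORK/ca1"
openssl genrsa -out "$WORK/client.key" 2048 2>/dev/null            # a key: no dates in it at all
issue_cert "$WORK/ca1" "$WORK/client.key" "$WORK/client.crt" 30     # short-lived cert
issue_cert "$WORK/ca1" "$WORK/client.key" "$WORK/client2.crt" 365   # renewed: same key, new cert
make_ca "$WORK/ca2"                                                 # CA "recreated" from same vars
issue_cert "$WORK/ca2" "$WORK/client.key" "$WORK/client3.crt" 365
echo "30-day cert, 60 days on: $(valid_in_days "$WORK/client.crt" 60)"        # expired
echo "renewed cert vs ca1:     $(trusted_by "$WORK/ca1" "$WORK/client2.crt")" # ok
echo "ca2-signed cert vs ca1:  $(trusted_by "$WORK/ca1" "$WORK/client3.crt")" # untrusted
```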
