Hi Alex,

Both client and server accept certificates from a specific trusted Certificate Authority. If you keep the same CA, then you can just issue new certificates for server and clients, using that same CA.

If you have a new CA, you'll need to include both CAs, for both server and clients in advance, in their configuration file. Once it's propagated, you should be able to issue new certificates using the new CA, and they'll be accepted. Once all are running smoothly using the new CA, just remove the old one from the config files :)

Hope this helps.

Regards,
Rui

On Tue, Nov 26, 2024 at 5:33 PM Alex K <rightkickt...@gmail.com> wrote:
>
> Hi all,
>
> I was wondering how one can tackle the issue of issuing new certificates to
> clients and the server, which expire at some point, with the minimum downtime.
> The issue is that it seems I need to go with a big-bang approach where the
> server certificates are replaced with new ones and then have all the clients
> updated somehow to use the new client certificates. This seems like a
> headache when one has to manage hundreds of remote clients that might not be
> accessible outside the VPN.
>
> Is there any alternative approach which can resemble a gradual roll-out?
> Perhaps through the use of an additional VPN port at the server side which uses the
> new certificates, and have clients updated to use the new port and fall back
> to the previous one in case of issue? I also looked at whether I could load a stacked
> certificate at the server and have the same server authenticate both existing
> client certificates and new ones, but the server was complaining about the
> certificate.
>
> Apart from automating this with other tooling such as Ansible or code, is
> there any other approach or OpenVPN feature that might help with such kind of
> migrations? How do you usually tackle this problem?
>
> Thanks,
> Alex
> _______________________________________________
> Openvpn-users mailing list
> Openvpn-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openvpn-users

--
Rui Santos
Veni, Vidi, Linux
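The two-phase CA migration Rui describes, as an added example that is not part of the thread and not OpenVPN project code. It builds a throwaway old CA and new CA, issues a server and a client certificate from each, then checks with `openssl verify` which certificates are accepted by a transition bundle (old + new CA concatenated) and by the final file (new CA only). The CA names, file names and the temporary working directory are made up for the example; it assumes `openssl` (1.1.1 or 3.x) is on PATH.

```shell
#!/bin/sh
# Added example: dual-CA transition for an OpenVPN `ca` file.
# Not from the original mailing-list thread; all names below are invented.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # assumed scratch directory

# Create a throwaway self-signed CA; "$1" is used as CN and file prefix.
# The default openssl req -x509 template marks the cert CA:TRUE, which
# `openssl verify` requires of a trust anchor.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Issue a leaf certificate for CN="$2", signed by CA "$1".
issue_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/$2.csr" \
        -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
        -days 90 -out "$WORK/$2.crt" >/dev/null 2>&1
}

# Phase 1: the `ca` file to ship to server AND clients before any new
# certificate is issued. OpenVPN's `ca` directive accepts several PEM
# certificates concatenated in one file, so this is the "stacked" CA.
transition_bundle() {
    cat "$WORK/old-ca.crt" "$WORK/new-ca.crt" > "$WORK/ca-transition.crt"
    echo "$WORK/ca-transition.crt"
}

# Phase 2: the `ca` file once every peer has a new-CA certificate.
final_bundle() {
    cp "$WORK/new-ca.crt" "$WORK/ca-final.crt"
    echo "$WORK/ca-final.crt"
}

# Does leaf "$2" chain to the CA file "$1"? Prints "ok" or "fail".
# This is the same chain check OpenVPN performs on a peer certificate.
verify_against() {
    if openssl verify -CAfile "$1" "$WORK/$2.crt" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# One server and one client certificate from each CA.
setup_scenario() {
    make_ca old-ca
    make_ca new-ca
    issue_cert old-ca server-old
    issue_cert old-ca client-old
    issue_cert new-ca server-new
    issue_cert new-ca client-new
}

setup_scenario
T=$(transition_bundle)
F=$(final_bundle)

# During the transition both generations are accepted; afterwards only
# new-CA certificates are, so any peer still on an old-CA cert would be
# locked out. Check every peer's cert against the final file before
# removing the old CA.
printf 'transition bundle: client-old=%s client-new=%s server-old=%s server-new=%s\n' \
    "$(verify_against "$T" client-old)" "$(verify_against "$T" client-new)" \
    "$(verify_against "$T" server-old)" "$(verify_against "$T" server-new)"
printf 'final file:        client-old=%s client-new=%s server-old=%s server-new=%s\n' \
    "$(verify_against "$F" client-old)" "$(verify_against "$F" client-new)" \
    "$(verify_against "$F" server-old)" "$(verify_against "$F" server-new)"
```

The order matters: the transition bundle must be in place on every client before the server switches to a new-CA certificate, because a client whose `ca` file lacks the new CA rejects the new server certificate and drops the tunnel. Running `verify_against` over each peer's certificate against the final file is the check to do before deleting the old CA from the config.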