On 30.09.25 04:53, Leroy Tennison via Openvpn-users wrote:
> Third point, are you suggesting that we use something different in the new ca.crt to distinguish it from the old one and use
>
> On Monday, September 29, 2025 at 02:49:32 AM CDT, Jochen Bern <[email protected]> wrote:
>> You might be able to change the roll-out process so that the new server CA file and new client certs with some marker (say, OU=ImAlreadyDone) will be installed at the same time, then you could recognize unprepared clients by the missing marker as they auth ... ?
No, I'm trying to suggest a mechanism that might allow you to see *on the server side* which clients still don't have the updated CA file, by having a mark in the *client* certs.
In the OpenVPN default config, the "identity" of a cert-authenticated client essentially is the cert's subject *CN*, but every (re)auth gets logged with the full *DN*:
Sep 7 04:06:33 [...] VERIFY OK: depth=0, CN=Jochen Bern, OU=[...],
O=Binect GmbH, L=Weiterstadt, ST=Hessen, C=Deutschland,
[email protected]
Now suppose that whenever a client gets the new CA certs file installed, you *also* replace the client cert with one where the DN contains an additional "OU=YupIAlreadyGotIt". (And if you have clients that need a new cert but can *not* receive the new CA certs file on the same occasion, they still get one *without* that extra marker.) Then you can tell *from the server log* which (active) clients still lack the config update.
(... I haven't been using EasyRSA long enough to be able to give you instructions on *how* exactly to do all that, though. Matter of fact, with that regime, the same info *should* IMHO also be available from the CAs' index.txt files ...)
Kind regards,
--
Jochen Bern
Systemingenieur
Binect GmbH
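As an added illustration of the server-side check Jochen describes (this is not code from his message or from OpenVPN/EasyRSA): a Python script that scans "VERIFY OK: depth=0" lines from an OpenVPN server log, splits the logged DN into attributes, and lists the CNs whose most recently seen client cert lacks the marker OU. The log lines, the marker value "YupIAlreadyGotIt", and the "emailAddress=" attribute name are constructed sample input based on the log excerpt above, not captured from a real server.

```python
import re
from collections import defaultdict

# Constructed sample OpenVPN server log lines (not real server output).
# depth=1 is the CA cert; only depth=0 identifies the client, so it is skipped.
SAMPLE_LOG = """\
Sep  7 04:06:33 vpn1 openvpn[1234]: 203.0.113.10:51234 VERIFY OK: depth=1, CN=Example Root CA, O=Example Org, C=DE
Sep  7 04:06:33 vpn1 openvpn[1234]: 203.0.113.10:51234 VERIFY OK: depth=0, CN=alice, OU=YupIAlreadyGotIt, O=Example Org, C=DE, emailAddress=alice@example.org
Sep  7 04:07:01 vpn1 openvpn[1234]: 198.51.100.7:44321 VERIFY OK: depth=0, CN=bob, O=Example Org, C=DE, emailAddress=bob@example.org
Sep  7 04:09:15 vpn1 openvpn[1234]: 203.0.113.10:51234 VERIFY OK: depth=0, CN=alice, OU=YupIAlreadyGotIt, O=Example Org, C=DE, emailAddress=alice@example.org
Sep  7 04:12:40 vpn1 openvpn[1234]: 192.0.2.55:39876 VERIFY OK: depth=0, CN=carol, OU=Sales, O=Example Org, C=DE, emailAddress=carol@example.org
"""

MARKER_OU = "YupIAlreadyGotIt"  # the marker OU from the suggestion above (assumed value)

# Only leaf (depth=0) verifications carry the client's own DN.
VERIFY_RE = re.compile(r"VERIFY OK: depth=0, (?P<dn>.+)$")


def parse_dn(dn: str) -> dict:
    """Split a DN as OpenVPN logs it (', '-separated) into attribute -> list of values.
    A cert may carry several OU= entries, so every attribute maps to a list."""
    attrs = defaultdict(list)
    for part in dn.split(", "):
        if "=" not in part:
            continue
        key, _, value = part.partition("=")
        attrs[key.strip()].append(value.strip())
    return dict(attrs)


def classify_clients(log_text: str, marker_ou: str = MARKER_OU) -> dict:
    """Return CN -> True if the client's last seen cert carries the marker OU, else False.
    Later lines overwrite earlier ones, so a re-issued cert updates the verdict."""
    status = {}
    for line in log_text.splitlines():
        m = VERIFY_RE.search(line)
        if not m:
            continue
        attrs = parse_dn(m.group("dn"))
        cn = attrs.get("CN", ["<no CN>"])[0]
        status[cn] = marker_ou in attrs.get("OU", [])
    return status


def clients_lacking_update(log_text: str, marker_ou: str = MARKER_OU) -> list:
    """CNs of active clients whose cert has no marker, i.e. still on the old CA file."""
    return sorted(cn for cn, ok in classify_clients(log_text, marker_ou).items() if not ok)


if __name__ == "__main__":
    for cn in clients_lacking_update(SAMPLE_LOG):
        print(f"still lacks the CA file update: {cn}")
```

Only clients that actually (re)authenticate show up, so a client that never connects during the observation window is not reported; the CA's index.txt is the place to cross-check those.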
