Renew CA/sub-CA

[TinCanTech]

You want to renew your CA and your OpenVPN keeps on working.

This is not possible.

All of your clients require the renewed CA certificate.

The renewed CA certificate MUST be forwarded to your clients, there is no alternative.

Source: #379 (comment)

Linked-to: #609 (comment)

---

Even after considering this absolute fact, EasyRSA has the option to offer a minor, secure shortcut.

---

The question:

• Is renewing a CA any different to building a new CA ?

---

Can EasyRSA make renewing your old CA easy and Secure ?

Maybe ...

---

[aduzsardi]

afaik the openvpn ca file/option can take more than one CAs , if this is the case ... one solution for expiring CA would be to not issue new client/server certificates once is about to expire and the new issued leaf certificate would exceed the life span of the CA

at that ponint , just create a new CA and carry on

[TinCanTech]

This is authoritative information, provided by David Sommerseth, OpenVPN Inc:
https://www.mail-archive.com/openvpn-users@lists.sourceforge.net/msg07265.html

[TinCanTech]

Because renewing a CA is more complicated than building a new CA, Easy-RSA does not renew the CA.

The recommended procedure is to use:

easyrsa --days="$hasta_la_vista" build-ca

Where $hasta_la_vista is the expected lifetime of your CA.

But I must draw your attention to: #941

[aduzsardi]

Thanks for the updates @TinCanTech

I just want to reiterate that my solution works as expected, tested a couple of weeks ago
When your original CA is about to expire , just don't issue any new client/server certificates with it and build a new one.

Add the new CA certificate in the list of <ca></ca> of the VPN server so that the server can authenticate client certificates issued by the new CA.
Unless you also replace the server certificate to use the new CA , you should include the OLD CA in your clients <ca></ca> list

This way both old and new clients can authenticate until all the old certificates expire and the OLD CA is decommissioned