easy-rsa
Renew CA/sub-CA
Hi,
I have been learning about Easy-RSA and PKI in general. I've read several articles about planning a PKI that say to renew the CA with the same key halfway through its lifetime and to create a new key near the end of its lifetime.
I am not sure about the benefits of renewing halfway through yet, but I did notice there is no way to do so with Easy-RSA. At least not that I have been able to find, so please correct me if I'm wrong.
Would it be a useful extension to Easy-RSA? If not, why?
Linking in #609 regarding use and remake of the renew function(s).
@dewydex Renewing a CA is considerably different to renewing a general certificate.
Your link is not appropriate.
@TinCanTech With respect, your response is not accurate (especially given a "subordinate CA" which is not altogether dissimilar from any other type of certificate configuration).
The only thing I see as being "not appropriate" is the attitude being expressed... It's highly problematic when you're making statements like "I intend to remake Easy-RSA renew, as it should have been done in the first place." and "renew sucks .. don't use it. -- Until further notice." in #609, to then be dismissive of community input regarding the core-substance of those very features which impact the real-world use and stewardship of this project.
If you don't see the problem here, then I'd kindly ask you to reflect further with other members of "OpenVPN" and "easy-rsa" community before your communications continue to tarnish this software's legacy and alienate community members who are equally interested in its upkeep and maintenance.
@dewydex If there is a problem with how Easy-RSA is being maintained then I invite you to start your own issue and stand by it. Otherwise, your comments here are deemed to be off-topic.
@ecrist You should be involved here before any other bridges are burned. This type of animosity and community interaction is not conducive to the longevity of this project.
@dewydex I have not censored you in any form and yet you continue to hijack this unrelated issue ..
Yeah. Catching up now. I'll dig into this myself I guess.
Eric Crist
On Jun 23, 2022, at 6:46 PM, Roughstone wrote:
@ecrist You should be involved here before any other bridges are burned. This type of animosity and community interaction is not conducive to the longevity of this project.
The problem with renewing a CA certificate, for use with OpenVPN, is that the new CA certificate must be distributed to all the clients.
The problem of distributing data to the clients is exactly the same with a renewed CA, as it is with a new CA.
Equally important is the fact that OpenVPN has changed enough in ten years that it is good practice to update your clients with completely new config files, to take account of important security-related changes.
IMHO, for EasyRSA to have a CA renewal command gives a false sense of security.
Renewal of CA does not change the security aspect of certificates. Yes, you need to distribute a new CA certificate to clients and servers. But all certificates already issued may remain valid as long as their expiry dates are still valid after the CA expired.
Please consider this scenario:
A CA was built with settings which, 10 years later, are now deprecated. Before expiry, however, the user decides to drop security levels, in OpenVPN, to allow the VPN to continue to function.
Now, when the CA is renewed with EasyRSA, the old vars is not changed and the renewed CA is built with the same insecure settings, because the settings work ..
That is what I mean by a false sense of security.
If you disagree then simply build your CA with a 200 year expiry date, in the first place.
Free, open-source software rarely gives mulligans.