Bug 11742 - OpenVPN: No method to replace expired certificates
Status: ASSIGNED
Alias: None
Product: IPFire
Classification: Unclassified
Component: ---
Version: 2
Hardware: unspecified Unspecified
Importance: Will only affect a few users Minor Usability
Assignee: Erik Kapfer
Reported: 2018-05-24 13:54 UTC by Tom Rymes
Modified: 2023-04-04 20:08 UTC

Description Tom Rymes 2018-05-24 13:54:23 UTC
I set up an OpenVPN user and now the certificate has expired. There is no way in the WUI to regenerate the certificates, other than deleting the connection and recreating it. It would be nice to be able to click a button to create a new certificate that is not expired, and then copy that down to the client.
Comment 1 Michael Tremer 2018-06-18 14:24:42 UTC
Erik, would you be up for working on this?
Comment 2 Erik Kapfer 2018-06-18 15:19:07 UTC
Hi all,
As far as I know this is not possible; other than a renewal of the root CA, the client certificates have a certain validity date which cannot be changed.

Explained a little also in here --> https://serverfault.com/questions/462108/renew-ssl-client-certificates

Maybe there are ways which I do not know, but if so, I think they are more complex than deleting the old expired one and creating a new client certificate (a new exchange to the remote needs to be done anyway).

If anyone finds a good workaround, please post it.

Best,

Erik
Comment 3 Michael Tremer 2018-06-18 15:43:33 UTC
No, you cannot really extend the same certificate. It would be revoking the old
one (if not expired already) and then creating a new certificate with the same
name.

I think there is huge benefit in this since certificates can run out and they
should. When you need to delete the client and then recreate it and manually
copy all other settings that's a bit excessive. One button that just replaces
the certificate and keeps everything else as is is quite helpful.
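
The flow described in comment 3 (revoke the old certificate if it is still valid, then issue a new one under the same name), as an added example that is not part of this bug thread and not IPFire's code. It runs against a throwaway OpenSSL CA in a temp directory; the CA, the client name `roadwarrior1` and all file names are constructed.

```shell
#!/bin/sh
# Added example: throwaway CA in a temp dir. The CA name, the client name
# "roadwarrior1" and every file name below are constructed placeholders.
reissue_demo() (
    set -e
    d=$(mktemp -d); cd "$d"
    mkdir newcerts; : > index.txt; echo 01 > serial; echo 01 > crlnumber
    cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo
[ demo ]
database = ./index.txt
new_certs_dir = ./newcerts
serial = ./serial
crlnumber = ./crlnumber
certificate = ./ca.crt
private_key = ./ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
unique_subject = yes
policy = pol
[ pol ]
commonName = supplied
[ req ]
distinguished_name = dn
[ dn ]
EOF
    q() { openssl "$@" >/dev/null 2>&1; }   # run openssl quietly, keep its exit status
    q req -x509 -config ca.cnf -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
        -subj "/CN=Demo CA" -days 3650 -addext "basicConstraints=critical,CA:TRUE"
    q req -config ca.cnf -newkey rsa:2048 -nodes -keyout client.key \
        -out client.csr -subj "/CN=roadwarrior1"
    q ca -batch -config ca.cnf -in client.csr -out old.crt
    # 1. Same name while the old entry is still marked valid: the CA refuses.
    if q ca -batch -config ca.cnf -in client.csr -out dup.crt; then dup=issued; else dup=refused; fi
    # 2. Revoke the old certificate, issue the replacement, publish a CRL.
    q ca -config ca.cnf -revoke old.crt
    q ca -batch -config ca.cnf -in client.csr -out new.crt
    q ca -config ca.cnf -gencrl -out crl.pem
    # 3. What a CRL-checking verifier decides for each certificate.
    chk() { if q verify -crl_check -CAfile ca.crt -CRLfile crl.pem "$1"; then echo accepted; else echo rejected; fi; }
    echo "duplicate=$dup old=$(chk old.crt) new=$(chk new.crt)"
    cd /; rm -rf "$d"
)

reissue_demo
```

A certificate that has already expired stays marked valid in the CA database until `openssl ca -updatedb` is run, so with `unique_subject = yes` an expired entry blocks reissuing the same name until the database is updated.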
Comment 4 Tom Rymes 2018-06-18 17:27:26 UTC
Could we not just generate new, non-expired certificates and replace the old ones (on the server)? The user would then have to manually download and install the new cert, of course.

If required, I presume, we could effectively delete and replace the existing connection in the background, but re-use all of the old settings so as to remain transparent to the user.

It's not the end of the world, but it is a pain to have to delete and then set up a new one, rather than just renewing the existing connections.
Comment 5 Michael Tremer 2018-06-18 17:29:47 UTC
ACK!
Comment 6 Michael Tremer 2023-02-22 12:26:14 UTC
This will be a small step further towards this:

> https://patchwork.ipfire.org/project/ipfire/patch/20230222122534.259972-1-michael.tremer@ipfire.org/
Comment 8 Erik Kapfer 2023-03-23 13:50:50 UTC
Hi all,
There seems to be a bug report for this patch --> https://bugzilla.ipfire.org/show_bug.cgi?id=13066 whereby the relation to this ID has not been seen, I think.

Best,

Erik