Extend validity of an OpenVPN certificate

This is a very nice question :-).

Technically: yes (in the end the client could use the expired one to connect)
Easily: no

In principle it is not possible, as the CA signs the cert request with a specific period of validity, so it cannot be extended. What you can do is create a new certificate; the tricky part could be in the process of issuing and in the process of checking the validity.

At the beginning it would be fair to mention that the following is technically related to certificates in general and I didn't test it with OpenVPN - if it does not pass, the overall answer would be NO :-(.

In the OpenVPN configuration there are 3 parameters related to certificates - ca, key and cert.

  • key: the private key for data signing. It can be used for decrypting data encrypted with the cert.

  • cert: the public key (derived from the key) to confirm the validity of the data signed by the key. It can be used for encrypting data for the key. This would be provided to the "other end" during secure connection negotiation. (This scenario relies on the valid cert possibly already being known on the remote end, so sending the cert may be optional and the provided expired one could be ignored.)

  • ca: it is used to check the validity of the cert provided during secure connection negotiation.

Once the client cert has expired, the case is that just the cert is outdated. The key in principle does not expire and the CA should not be expired (in that case it is a totally different use case ;-) ). The cert contains the validity period and it is part of the "envelope" signed by the CA in the X.509 structure.

It is good practice to generate a new key when generating a new cert, but there is nothing forcing this step, so technically it is not a problem to create a CSR (Certificate Signing Request) using the same key as the currently expiring certificate. In case you have the old CSR available you can use it directly for the new cert. Once this CSR is signed by the CA, the new cert is derived from the "old" key.

The tricky part is that you need (one of):

  • deliver this new cert to the current user to replace the cert

  • let the server know about this certificate so it can be used instead of the expired one provided by the client (this is the theory part of this use case ;-) )

What I know is that you can combine multiple CA certs in the ca file linked in the configuration on the server without issue (in PEM format). Technically a "user" cert and a "ca" cert differ in a parameter saying whether it can be used as a CA. So technically you can combine the CA cert with this newly generated cert into one file...

Once this file is in place (most probably a restart of the OpenVPN server will be needed) you can try to establish a new connection. Once the client with the key tries to connect, it may happen that the server will be able to "identify" the key based on the hash paired with this client cert located on the server and ignore the certificate provided by the client (this has to be tested). Technically (from the point of view of certificates as a technology) it would work, but I didn't try it with OpenVPN. As OpenVPN uses an external library for the SSL stuff it may be a working approach ;-).

On the client side, the CA is needed to prove the server side (this is not expired), the key to sign and decrypt the communication (this is not expired), and its own cert is not really needed for local operation, so an expired one is not really an issue. The cert of the server is obtained during SSL negotiation and checked using the local CA cert, so all that is needed is available (local key, remote cert).

The con of this approach is that you are losing a little bit of the benefit of the CA as a single cert for validating client certs (you need to have it listed on the server side next to the CA cert), but on the other side the plus would be the possibility of renewing the cert...

In case you try it, feel free to provide feedback...

Good luck!

The other approach, in case of planning, could be to issue a certificate with a long validity range and utilise a CRL (Certificate Relocation List) to revoke invalid certs over time. But this is not in the scope of this question...
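The re-issue step the answer describes (a new CSR from the existing private key, signed by the same CA) can be tried out end to end with the plain `openssl` CLI. The script below is an added example and is not part of the answer or of OpenVPN; it assumes only an `openssl` binary (1.1.1 or 3.x) with its default config. The CA, the client name `client1`, the file names and the `WORK` directory are all constructed for the demo. Because `openssl x509 -req` cannot back-date a certificate, the "old" cert is issued for one day rather than actually expired, and the check uses `-checkend` to show which cert will still be valid two days from now. The checks at the end are the ones worth running before handing a renewed cert to a user: same public key as the existing key, chains to the CA, and a notAfter that is actually later.

```shell
#!/bin/sh
# Added example (not the answer's own code): re-issue a client certificate
# from the EXISTING private key and verify the result. All material below is
# constructed in a temp directory; a throw-away CA stands in for the real
# OpenVPN CA key/cert (hypothetical setup).
set -eu

# make_ca DIR: constructed throw-away CA key and self-signed cert (10 years).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -keyout "$1/ca.key" -out "$1/ca.crt" -subj "/CN=Example-OpenVPN-CA" >/dev/null 2>&1
}

# issue_cert DIR KEY OUT DAYS SERIAL: build a CSR from KEY and let the CA in
# DIR sign it for DAYS days. The key is reused unchanged; only the cert differs.
issue_cert() {
  openssl req -new -key "$2" -subj "/CN=client1" -out "$3.csr" 2>/dev/null
  openssl x509 -req -in "$3.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -set_serial "$5" -days "$4" -out "$3" >/dev/null 2>&1
}

# same_pubkey KEY CERT: "yes" when CERT carries exactly the public key of KEY.
same_pubkey() {
  k="$(openssl pkey -in "$1" -pubout 2>/dev/null)"
  c="$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)"
  if [ "$k" = "$c" ]; then echo yes; else echo no; fi
}

# valid_in CERT SECONDS: "yes" when CERT's notAfter is still in the future
# SECONDS from now (openssl -checkend), "no" when it will have expired by then.
valid_in() {
  if openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1; then echo yes; else echo no; fi
}

# chains_to CAFILE CERT: "yes" when CERT verifies against the trust store CAFILE.
chains_to() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo yes; else echo no; fi
}

# not_after CERT: the notAfter date as a readable string.
not_after() { openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'; }

# --- constructed scenario --------------------------------------------------
if [ -z "${WORK:-}" ]; then WORK="$(mktemp -d)"; trap 'rm -rf "$WORK"' EXIT; fi
make_ca "$WORK"
openssl genrsa -out "$WORK/client.key" 2048 2>/dev/null
# "old" cert: about to expire (1 day). "new" cert: same key, fresh CSR, 365 days.
issue_cert "$WORK" "$WORK/client.key" "$WORK/client-old.crt" 1 1
issue_cert "$WORK" "$WORK/client.key" "$WORK/client-new.crt" 365 2

echo "old cert notAfter: $(not_after "$WORK/client-old.crt")"
echo "new cert notAfter: $(not_after "$WORK/client-new.crt")"
echo "same public key:   $(same_pubkey "$WORK/client.key" "$WORK/client-new.crt")"
echo "old valid in 2d:   $(valid_in "$WORK/client-old.crt" 172800)"
echo "new valid in 2d:   $(valid_in "$WORK/client-new.crt" 172800)"
echo "new chains to CA:  $(chains_to "$WORK/ca.crt" "$WORK/client-new.crt")"
```

This covers the general X.509 part of the answer only: the renewed cert is a normal cert for the same key, so delivering it to the client (the first of the two options listed above) needs nothing else. Whether an OpenVPN server would match the client by key and ignore the expired cert it presents is, as the answer itself says, untested, and this script does not claim it.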