I have a client certificate that expired a couple of weeks ago. CA, server, and CRL certificates on the VPN server are all still valid.
In a post on the interwebs, I read someone suggest that since the renewed cert uses the same old key as was used for the previous client cert, it is not necessary to transfer it to the client, and that the client will be able to connect. My own testing suggests otherwise, i.e.: client is unable to establish a tunnel until the new cert is imported.
On the server, I updated EasyRSA to version 3.2.0 and I followed the steps described to renew the expired client cert:
Code:
# ./easyrsa expire user1
# ./easyrsa sign-req client user1
# ./easyrsa revoke-expired user1 superseded
# ./easyrsa gen-crl
Does the client need the new cert locally? Or did I miss something in the renew process on the server?
My environment:
1. Rocky Linux 8.5
2. openvpn-2.4.11-1.el8.x86_64
3. EasyRSA Version: 3.2.0
Any feedback would be greatly appreciated. Thanks.
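One way to check whether the certificate file installed on a client is the renewed one or the expired one it replaces, given that both were issued for the same key (an added example, not part of the original post). The function names, the file names `old.crt` and `renewed.crt`, and the self-signed demo certificates standing in for EasyRSA-issued ones are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: compare the certificate a client holds with a renewed one.
# All names below are hypothetical; the demo certificates are constructed.

# Print a SHA-256 digest of the certificate's public key (identifies the key pair).
pubkey_hash() {
    openssl x509 -in "$1" -noout -pubkey | openssl sha256 | awk '{print $NF}'
}

# Return 0 if the certificate is still valid N seconds from now (default: now).
cert_valid() {
    openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null
}

# compare_certs LOCAL RENEWED: print one verdict word.
#   different-key            the two certificates certify different key pairs
#   same-cert                same key and same serial: this is the same certificate
#   same-key-different-cert  same key, but LOCAL is not the renewed certificate
compare_certs() {
    local local_crt=$1 renewed_crt=$2
    if [ "$(pubkey_hash "$local_crt")" != "$(pubkey_hash "$renewed_crt")" ]; then
        echo "different-key"
    elif [ "$(openssl x509 -in "$local_crt" -noout -serial)" = \
           "$(openssl x509 -in "$renewed_crt" -noout -serial)" ]; then
        echo "same-cert"
    else
        echo "same-key-different-cert"
    fi
}

# Constructed demo data: one key, two certificates with different serials and
# lifetimes, mimicking an old certificate and its renewal for the same key.
make_demo() {
    local dir=$1
    openssl genrsa -out "$dir/user1.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$dir/user1.key" -subj "/CN=user1" \
        -set_serial 1 -days 1 -out "$dir/old.crt" 2>/dev/null
    openssl req -new -x509 -key "$dir/user1.key" -subj "/CN=user1" \
        -set_serial 2 -days 365 -out "$dir/renewed.crt" 2>/dev/null
}

# Stand-alone use: ./script.sh <client-local.crt> <renewed.crt>
if [ "$#" -eq 2 ]; then
    compare_certs "$1" "$2"
    cert_valid "$1" && echo "local cert: valid" || echo "local cert: expired"
fi
```

A verdict of `same-key-different-cert` together with `local cert: expired` means the client's private key matches the renewed certificate but the client is still holding the old certificate file.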