Migration from old to new certificates

  • nike-on
    Junior Member
    • Apr 2024
    • 1

    Migration from old to new certificates

    Hi, I am looking for help to migrate from old certificates (server/ca) with weaker encryption (SHA-1) to new certificates (server/ca) with newer encryption (SHA-2 512 or ED25519) and allow all old users to connect using old certificates to a new OpenVPN server that would have newer certificates. Thus, allow all new users to connect with their new certificates to the same OpenVPN server.

    I cannot use the procedure of exchanging certificates for everyone at once, because there are over 100 people. We have to go through this slowly and painlessly.
    Is there any advice for this?
  • openvpn_inc
    Administrator
    • Mar 2024
    • 11

    #2
    Hi N-O,

    What the proprietary OpenVPN Access Server does: it creates a new CA annually, and all certificates are cross signed by all active CAs. It's a lot of work to get this right, which is why AS is not free software.

    Your easiest choice is to run another instance of openvpn on the same server host (different IP address or port.) Migrate users to the new server instance in manageable groups.

    Note that another instance will have to use a different VPN netblock, but that is not a problem as routing rules should make it work seamlessly for old server and new server users.

    hth, regards, rob0
    OpenVPN Inc.
    Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support
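
The two-instance layout suggested in the reply above, sketched as a pair of server configurations. This is an added example, not part of the original posts or OpenVPN Inc.'s own configuration; the file paths, ports, tun device names and netblocks are assumptions to adapt to the actual host.

```conf
# ---- legacy.conf: existing instance, keeps the old CA (assumed path names) ----
port 1194
proto udp
dev tun0
# Old PKI: clients holding SHA-1 signed certificates keep connecting here
ca   /etc/openvpn/pki-old/ca.crt
cert /etc/openvpn/pki-old/server.crt
key  /etc/openvpn/pki-old/server.key
dh   /etc/openvpn/pki-old/dh.pem
topology subnet
# Existing VPN netblock (assumed value)
server 10.8.0.0 255.255.255.0
keepalive 10 60
persist-key
persist-tun
status /var/log/openvpn/status-legacy.log
verb 3

# ---- new.conf: second instance on another port, new CA only ----
port 1195
proto udp
dev tun1
# New PKI: only certificates issued by the new CA are accepted here
ca   /etc/openvpn/pki-new/ca.crt
cert /etc/openvpn/pki-new/server.crt
key  /etc/openvpn/pki-new/server.key
# With an ED25519/ECDSA PKI no DH parameter file is needed
dh none
tls-version-min 1.2
topology subnet
# Must differ from the legacy instance's netblock (assumed value)
server 10.9.0.0 255.255.255.0
keepalive 10 60
persist-key
persist-tun
status /var/log/openvpn/status-new.log
verb 3
```

Firewall and routing rules on the host and on the internal network need to cover both netblocks. Once the status file of the legacy instance shows no remaining clients, that instance and the old CA can be retired.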
