Skip to content

Commit

Permalink
doc: Revoke and Renew, update for Easy-RSA v3.2.1 - Renew CA
Browse files Browse the repository at this point in the history
Signed-off-by: Richard T Bonhomme <[email protected]>
  • Loading branch information
TinCanTech committed Aug 26, 2024
1 parent f71374d commit 0511a80
Showing 1 changed file with 42 additions and 1 deletion.
43 changes: 42 additions & 1 deletion doc/EasyRSA-Renew-and-Revoke.md
Original file line number Diff line number Diff line change
Expand Up @@ -190,4 +190,45 @@ an old certificate/key pair, which has been _rebuilt_ by command `rebuild`.
Renew CA Certificate
====================

TBD
Easy-RSA Version 3.2.1+ supports a simple way to effectively renew a CA Certificate.

**Preamble** - Specifically for use with OpenVPN:

When a CA certificate expires it must be replaced, this is unavoidable.
No matter what method is used to create a new or renewed CA certificate,
that CA certificate must be distributed to all of your servers and clients.

Please consider the method outlined here, which requires very little work:

1. Make a backup of your current PKI, **before you do anything else.**

2. Use command `init-pki soft`

This will reset your current PKI but will keep your `vars` setting file and
your current Request files [CSR], in the `pki/reqs` directory.

3. Use command `build-ca`

(With or without password and other preferences).

This will build a completely new CA Certificate and private key.

Use option `--days` to extend the lifetime of your new CA.

4. Use command `sign-req <TYPE> <NAME>`

(With or without password and other preferences).

This will sign your existing request for each certificate that you choose.

This will NOT generate new private keys for each new certificate.

This will generate new `inline` files that can be distributed publicly.
These `inline` files will not contain any security sensitive data.

This means that you will have a new CA certificate and private key.
And signed certificates for all of your users, including servers.

5. Distribute the new `inline` files to all members of your PKI/VPN.

This is one of the simplest ways to renew your CA certificate.

0 comments on commit 0511a80

Please sign in to comment.