From 0511a80dd733f3955ba36cd75765fda45396e990 Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Mon, 26 Aug 2024 22:33:34 +0100 Subject: [PATCH] doc: Revoke and Renew, update for Easy-RSA v3.2.1 - Renew CA Signed-off-by: Richard T Bonhomme --- doc/EasyRSA-Renew-and-Revoke.md | 43 ++++++++++++++++++++++++++++++++- 1 file changed, 42 insertions(+), 1 deletion(-) diff --git a/doc/EasyRSA-Renew-and-Revoke.md b/doc/EasyRSA-Renew-and-Revoke.md index c4a0b025..5f562e4d 100644 --- a/doc/EasyRSA-Renew-and-Revoke.md +++ b/doc/EasyRSA-Renew-and-Revoke.md 
@@ -190,4 +190,45 @@ an old certificate/key pair, which has been _rebuilt_ by command `rebuild`. Renew CA Certificate ==================== -TBD +Easy-RSA Version 3.2.1+ supports a simple way to effectively renew a CA Certificate. + +**Preamble** - Specifically for use with OpenVPN: + +When a CA certificate expires it must be replaced, this is unavoidable. +No matter what method is used to create a new or renewed CA certificate, +that CA certificate must be distributed to all of your servers and clients. + +Please consider the method outlined here, which requires very little work: + +1. Make a backup of your current PKI, **before you do anything else.** + +2. Use command `init-pki soft` + + This will reset your current PKI but will keep your `vars` setting file and + your current Request files [CSR], in the `pki/reqs` directory. + +3. Use command `build-ca` + + (With or without password and other preferences). + + This will build a completely new CA Certificate and private key. + + Use option `--days` to extend the lifetime of your new CA. + +4. Use command `sign-req ` + + (With or without password and other preferences). + + This will sign your existing request for each certificate that you choose. + + This will NOT generate new private keys for each new certificate. + + This will generate new `inline` files that can be distributed publicly. + These `inline` files will not contain any security sensitive data. + + This means that you will have a new CA certificate and private key. + And signed certificates for all of your users, including servers. + +5. Distribute the new `inline` files to all members of your PKI/VPN. + + This is one of the simplest ways to renew your CA certificate.
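Review bot: in step 4 the command is shown as `sign-req ` with nothing after it; `sign-req` takes the certificate type and the request name, so the line should read `sign-req <type> <name>` (for example `sign-req server myserver` or `sign-req client alice`), otherwise a reader following the steps literally gets a usage error. Step 5 also needs the cut-over order spelled out: the new CA does not chain to the old one, so a server that switches to its new `inline` file before every client has received theirs breaks TLS verification for the clients still on the old bundle; either distribute to all clients first and switch the server last, or, for OpenVPN, keep both the old and the new CA certificate in the `ca` file until the transition is complete so both sets of certificates verify. Finally, the sentence "These `inline` files will not contain any security sensitive data" holds only because step 2 leaves nothing in the PKI but `vars` and `pki/reqs`; an inline file is a drop-in credential bundle and embeds the private key whenever one exists for that name, so either qualify the claim with that condition or tell the reader to inspect the generated files before distributing them.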