if i add an new client with openvpn-addclient, the key expire date ist set to 3 years


The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'tes8'
Certificate is to be certified until Nov  5 15:43:00 2023 GMT (1080 days)

in file /etc/openvpn/easy-rsa/keys/safessl-easyrsa.cnf and /etc/openvpn/easy-rsa/keys/openssl-easyrsa.cnf

i had set "default_days    = 5000"

but, all new keys are still set to 3 years.





Jeremy Davis's picture

FWIW, the OpenVPN default is 30 days. Whilst that is probably a best practice ideal timeframe and that keys should be regularly rotated (and it does significantly reduce the window of opportunity of a disgruntled ex-employee leveraging an unexpired, but revoked certificate from attacking your system).

On the flip side though, it's a bit of a pain to rotate certs every 30 days. So as a matter of convenience, we'd bump it a bit higher. 10 years appears to be a really popular choice, but we thought that's perhaps too long. So we plucked the arbitrary figure of 3 years out of the air and chose that. Personally, I think it's a good happy medium that minimises attack vectors from lost devices and de-authorised users; whilst also meaning that you don't need to rotate keys all the time.

Anyway, if you are using OpenVPN for your own purposes and don't care about any potential risks from revoked, but unexpired clients, then you should be able to change the "default_crl_days" in /etc/openvpn/easy-rsa/openssl.cnf. You should see our note above about the fact that we've updated it to be 3 years. IIRC you'll need to restart the OpenVPN server and regenerate all clients for the update to take effect.


in openssl-easyrsa.cnf, there is

default_days    = $ENV::EASYRSA_CERT_EXPIRE

Is is not possible to change the $ENV variable?

If i put the line

default_days    = 3650

in openssl-easyrsa.cnf

I get

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars

Using SSL: openssl OpenSSL 1.1.1d  10 Sep 2019
Generating a RSA private key
writing new private key to '/etc/openvpn/easy-rsa/keys/private/test10.key.K9DnEM6xcf'
Using configuration from /etc/openvpn/easy-rsa/keys/safessl-easyrsa.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'test10'
Certificate is to be certified until Nov  8 07:11:36 2023 GMT (1080 days)


Add new comment