Many thanks in advance. I've read the other posts on this subject, but have been unable to locate the logs or files shown in those posts. I'm running 2.29 Core 190. I've been working on VPN certificates that will pass PCI DSS compliance scans. The default certificates would work, except that they have a ridiculously long expiry date that is trashed by PCI DSS scans. So I need to create certificates with a maximum 825-day expiry date. In my testing, I've created, deleted and recreated the default certificates several times. There are no entries in ovpnconfig or /certs/index.txt files, so I'm not sure where it could be reading a duplicated CN. All files seem to be in /var/ipfire/ovpn.
If I could find a config file to reset the long expiry date down to 825 days, that would be optimal. Otherwise, I need to get past this OpenSSL error so that I can continue using easyrsa or other cert-gen software and keep testing.
I am presuming that you mean the CA certificate here and not the client certificates, as those have a default value of 730, but this can be modified in the WUI page when creating the client certificate.
The days valid number for the CA certificate is set at 999999 days in the code for the OpenVPN WUI page.
The only way to change the CA valid days is by modifying the number in the code for OpenVPN WUI page but if there is an update that changes or re-ships the OpenVPN WUI code then your change will be overwritten.
Bear in mind that if you change this to a shorter time, then when it expires and you renew it then you will also have to re-create all the client certificates again and provide them into every client system that can be connected to your OpenVPN system.
You might also need to change the number in the ovpn.cnf file, which has the various ssl defaults in it. Again, this could be overwritten with a new Core Update release depending on the changes made.
It might even be that only changing it in the ovpn.cnf file is enough, if the values from that file override entries for the same options in the WUI code, but I would have to test that to be certain and I won't be able to do that till later today.
You probably need to change the days number in line numbers 1836 & 1883 in the file /srv/web/ipfire/cgi-bin/ovpnmain.cgi
and line number 20 in the file /usr/share/openvpn/ovpn.cnf
I have absolutely no familiarity with this PCI DSS requirement. However I find it hard to believe that they would require a Certificate Authority (CA) to have their CA certificate re-issued just over every two years? I also can’t imagine that being required for any self signed CA that is being used as is done with the OpenVPN server.
EDIT:
I managed to get some time earlier and have just tested it out.
The entry in the ovpn.cnf for default_days is not used so that entry does not need to be changed.
The days in line number 1836 changes the valid days for the root certificate for the CA and line 1883 changes the valid days for the host certificate for the CA.
I changed those entries to 825 days and the end date for the root and host CA certificates was set at 2027 instead of 4762.
Just be prepared to replace all your client certificates when you have to replace the root and host certificates for the CA.
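A check for the validity periods discussed above, as an added example that is not IPFire's code or any poster's: it reads the two lines that `openssl x509 -noout -dates -in <cert>` prints, works out the validity period in days, and flags anything above the 825-day ceiling the scan enforces. The certificate path and the sample dates are constructed placeholders; running it against a real CA only needs `openssl` in PATH.

```python
"""Validity-period check for OpenVPN/IPFire x509 certificates.

Added example (not IPFire's own code). Parses the notBefore=/notAfter= lines
from `openssl x509 -noout -dates`, computes the period in days and compares it
with the 825-day limit mentioned in the thread. The 999999-day default comes
from the thread's description of ovpnmain.cgi; all sample dates are constructed.
"""
import subprocess
from datetime import datetime, timedelta, timezone

MAX_VALIDITY_DAYS = 825           # ceiling quoted in the thread for the PCI DSS scan
IPFIRE_CA_DEFAULT_DAYS = 999999   # value hard-coded in ovpnmain.cgi per the thread
OPENSSL_DATE_FMT = "%b %d %H:%M:%S %Y %Z"   # e.g. "Jan 15 10:00:00 2025 GMT"


def parse_openssl_date(value):
    """Turn an openssl-style date string into an aware UTC datetime."""
    return datetime.strptime(value.strip(), OPENSSL_DATE_FMT).replace(tzinfo=timezone.utc)


def parse_dates_output(text):
    """Extract notBefore/notAfter from `openssl x509 -noout -dates` output."""
    found = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() in ("notBefore", "notAfter"):
            found[key.strip()] = parse_openssl_date(value)
    if len(found) != 2:
        raise ValueError("expected both notBefore= and notAfter= lines")
    return found["notBefore"], found["notAfter"]


def check_certificate(dates_output, limit_days=MAX_VALIDITY_DAYS):
    """Return the validity window, its length in days and a pass/fail flag."""
    not_before, not_after = parse_dates_output(dates_output)
    days = (not_after - not_before).days
    return {
        "not_before": not_before,
        "not_after": not_after,
        "days": days,
        "compliant": days <= limit_days,
    }


def openssl_dates(cert_path):
    """Run openssl on a real certificate file (requires openssl in PATH)."""
    result = subprocess.run(
        ["openssl", "x509", "-noout", "-dates", "-in", cert_path],
        check=True, capture_output=True, text=True,
    )
    return result.stdout


def fake_dates_output(not_before, days):
    """Constructed sample: format the two lines exactly as openssl prints them."""
    not_after = not_before + timedelta(days=days)

    def fmt(dt):
        # openssl pads the day of month to width 2, e.g. "Jan  1 ..."
        return f"{dt:%b} {dt.day:2d} {dt:%H:%M:%S %Y} GMT"

    return f"notBefore={fmt(not_before)}\nnotAfter={fmt(not_after)}\n"


# Constructed issue date; the three samples mirror the thread's numbers:
# the 999999-day default CA, the patched 825-day CA and a 730-day client cert.
ISSUED = datetime(2025, 1, 15, 10, 0, 0, tzinfo=timezone.utc)
SAMPLE_DEFAULT_CA = fake_dates_output(ISSUED, IPFIRE_CA_DEFAULT_DAYS)
SAMPLE_PATCHED_CA = fake_dates_output(ISSUED, MAX_VALIDITY_DAYS)
SAMPLE_CLIENT = fake_dates_output(ISSUED, 730)

if __name__ == "__main__":
    samples = [("default CA", SAMPLE_DEFAULT_CA),
               ("patched CA", SAMPLE_PATCHED_CA),
               ("client", SAMPLE_CLIENT)]
    for label, sample in samples:
        r = check_certificate(sample)
        verdict = "OK" if r["compliant"] else f"FAIL (> {MAX_VALIDITY_DAYS} days)"
        print(f"{label:11s} {r['days']:>7d} days, expires {r['not_after']:%Y-%m-%d}: {verdict}")
    # For a real file (placeholder path, not an IPFire-specific location):
    # print(check_certificate(openssl_dates("/path/to/cacert.pem")))
```

Run against the constructed samples it reports the default CA expiring in 4762, matching the end date quoted above, and only the 825-day and 730-day certificates pass the limit.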
Those articles are related to OV, DV and EV certificates.
OV - Organisational Validated
DV - Domain Validated
EV - Extended Validation
These are the certificates that the CAs provide to their customers. It does not cover the CA time validity.
For a typical CA that provides certificates, such as Lets Encrypt, ssl2buy, cheapsslshop, namecheap ssl certificates etc they have between 10 and 20 years validity on their CA certificates.
For the CA certificates for things like the OpenVPN x509, all firewalls that I am aware of use self-signed ones (including all the white-box router/firewalls provided by ISPs), and the expiry date for those CAs is likely to be long.
If the OpenVPN CA expires after two years and a user has, for example, 1000 clients that connect with their laptops or phones, then when that OpenVPN CA expires all those client connection certificates will no longer be valid. After the CA has been re-created, the IT organisation will need to get all 1000 clients to visit the central organisation to have the new client connection certificates installed on their laptops or phones, or they will need to provide a certificate connection package to all those client users so they can self-install the new client connection certificates.
Until those new certificate connections are re-installed, the users will not be able to use the OpenVPN connection.
EDIT:
Just checked. Both pfsense and opnsense use self-signed certificates for the root/host CA for OpenVPN and their default is 3640 days, so 10 years.
Thank you so much for the explanation Adolf. Perhaps a more thorough explanation of what I'm seeing on my end will help:
The PCI DSS standards are set to ensure secure credit card transactions for agencies or companies that accept credit card payments. They are looking for 825 days or less on certificates that are attached to the firewall. When I remove the CA and keys from the ipFire, we pass compliance 100%. However, we have a single user that needs remote access to network shares 3-4 days a month, so we opted to use OpenVPN since it is built into ipFire.
As soon as I generate a certificate using the GUI, I fail compliance scans. I receive an SSL Certificate - Signature Verification Failed Vulnerability and SSL Certificate - Invalid Maximum Validity Date Detected.
I’m open to any recommendations to overcome the scan issue, or to provide another option to allow the single user access to the resources she needs without using OpenVPN.
Thank you again for taking time to review my issue.