I solved the issue above as follows.
- Create a backup and open it e.g. with 7-Zip
- Import Certs and Key into a new DB of https://hohnstaedt.de/xca/
- Right-Click Server-Cert and choose “Umwandeln -> Ähnliches Zertifikat” (Transform -> Similar Cert)
- Add “Schlüsselverwendung” (Key Usage) [Digital Signature, Key Encipherment, TLS Web Server Authentication]
- Export Server-Cert as PEM
- Replace the insufficient Cert inside IPFire “/var/ipfire/ovpn/certs/servercert.pem”
I downloaded it with curl from my own web space, but SSH or SCP will also do. Please check file ownership and rights.
You can do “openssl verify -CAfile …/ca/cacert.pem servercert.pem” in the directory “/var/ipfire/ovpn/certs”.
Is it possible to “patch” the backup file, or do you do some signature checks?
Because you do not change the keys or CA, you can update expiry dates too. But I recommend doing it wisely.
Exchanging an expired server cert, including the key, should be fine because the trust depends on the CA (notary).
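
A check for the re-issued certificate described in the post above, as an added example that is not part of the original post or of IPFire: it verifies the chain against the CA and then confirms the three usages named in the steps are present. The function names `make_demo_pki` and `check_server_cert` and the throwaway CA and certificates are constructed for illustration.

```shell
#!/bin/sh
# Added example. make_demo_pki builds a throwaway CA plus two constructed server
# certs: good.pem (with the extensions from the post) and bad.pem (without them).
make_demo_pki() (  # $1 = empty working directory
  cd "$1" || exit 1
  cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Constructed Demo CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = keyCertSign,cRLSign
[srv]
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
EOF
  openssl req -x509 -config pki.cnf -newkey rsa:2048 -nodes \
    -keyout ca.key -out ca.pem -days 2 2>/dev/null &&
  openssl req -new -config pki.cnf -subj "/CN=constructed-server" \
    -newkey rsa:2048 -nodes -keyout srv.key -out srv.csr 2>/dev/null &&
  openssl x509 -req -in srv.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 2 -extfile pki.cnf -extensions srv -out good.pem 2>/dev/null &&
  openssl x509 -req -in srv.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 2 -out bad.pem 2>/dev/null
)

# Verify the chain, then require every usage the post adds to the server cert.
check_server_cert() {  # $1 = CA cert, $2 = server cert
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 ||
    { echo "chain verification failed"; return 1; }
  text=$(openssl x509 -in "$2" -noout -text)
  for need in "Digital Signature" "Key Encipherment" \
              "TLS Web Server Authentication"; do
    case "$text" in
      *"$need"*) ;;
      *) echo "missing: $need"; return 1 ;;
    esac
  done
  echo "OK"
}

demo=$(mktemp -d) && make_demo_pki "$demo"
check_server_cert "$demo/ca.pem" "$demo/good.pem"         # prints OK
check_server_cert "$demo/ca.pem" "$demo/bad.pem" || true  # reports the gap
```

On a real system, call `check_server_cert` with your own CA file and the replaced `servercert.pem` before restarting the OpenVPN server.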