[PLUG] Check your OpenVPN certification expire dates

Louis Kowolowski louisk at cryptomonkeys.org
Mon Feb 29 22:47:14 UTC 2016


There are service checks for things like Nagios that will alert you on an upcoming expiration of SSL certs for many services. I believe it may also offer the ability to check a file.

> On Feb 28, 2016, at 6:06 PM, Keith Lofstrom <keithl at kl-ic.com> wrote:
> 
> Check the expire dates on your openvpn encryption keys
> and certifications!
> 
> Friday morning, anticipating an important email that was
> worth $600 to answer ... I instead saw a string of
> mail failure messages.  I soon learned that my slowly
> accumulating OpenVPN network, all based on the same
> self-signed certification, was disconnected because that
> certification was 3650 days old, and had timed out.
> 
> I am still repairing most of the network, but I finally got
> the vital email link running.  Spam is flowing again! (1)
> 
> The ancient network used 1024-bit keys and was rather
> disorganized.  I used the disaster to renumber the "tun"s
> and organize the network better.  I set encryption key
> length to 3076 bits - and the expire dates much further
> out.  I also reorganized the key creation system so I
> can rebuild more quickly in case of a security breach.
> 
> The sad fact is that OpenVPN will not warn you about
> upcoming certificate expirations.  10 years is quite
> long enough to forget how you did it, and when you
> will need to rebuild it next.
> 
> SO:  look at your keys and certs, stored by default
> in /usr/local/ssl, and see if they are due to expire.
> Here's the appropriate lines from one of my old keys:
> ---------------------------
> ...
> Validity
>            Not Before: Feb 28 05:23:33 2006 GMT
>            Not After : Feb 26 05:23:33 2016 GMT
> ...
> ---------------------------
> 3650 days is the default chosen by "easy-vpn", and is
> 10 years minus two or three leap days.
> 
> I imagine many of you learned about openvpn during the
> same years I did.  You may come to grief soon.  The tools
> and formats have changed, so it is better to learn and use
> them /before/ everything goes to hell.  I made it harder
> for myself because of renumbering the network, but better
> organization will make this task a lot easier when I have
> to do this next time, after my 90th birthday ...  :-)
> 
> Keith
> 
> (1) PS: While rebuilding postfix (very sensitive to DNS and
> firewall setup), and looking at ancient mail logs for past
> errors, I guesstimated that I've probably filtered half a
> billion spams in the last 10 years.  Oh, if I could only
> collect the $300 per-spam tort penalty that the law
> allegedly offers.  At Apollo program prices ($20B in 2015
> dollars), at least 90 of us could walk on the moon ...
> 
> --
> Keith Lofstrom          keithl at keithl.com
> _______________________________________________
> PLUG mailing list
> PLUG at lists.pdxlinux.org
> http://lists.pdxlinux.org/mailman/listinfo/plug

--
Louis Kowolowski                                louisk at cryptomonkeys.org
Cryptomonkeys:                                   http://www.cryptomonkeys.com/

Making life more interesting for people since 1977
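Keith's advice to read the "Not Before / Not After" lines of every key and cert, and Louis's pointer to monitoring-style checks, both come down to one operation: pull the Validity field out of a certificate and compare it with a threshold. The script below is an added example, not code from either poster: it does that with the Python standard library only (no openssl binary needed), walking the DER structure of a PEM certificate down to tbsCertificate.validity and grading the result the way a Nagios plugin would (exit 0/1/2). It handles the two things that bite long-lived certs: UTCTime's two-digit-year pivot and the switch to GeneralizedTime for expiry dates in 2050 or later, which a cert with "expire dates much further out" can easily hit. The sample certificates it grades are constructed inline (well-formed but unsigned, so not real certificates); one copies the exact dates from the quoted output, the other expires in 2060. The 30/7-day thresholds, the name `vpn.example` and all function names are my own choices.

```python
"""Read the Validity of X.509 certificates (OpenVPN CA, server and client certs)
with a minimal DER walk and grade them Nagios-style. Stdlib only."""
import base64
import re
import sys
from datetime import datetime, timezone

_PEM = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_to_der(pem: bytes) -> bytes:
    m = _PEM.search(pem)
    if not m:
        raise ValueError("no CERTIFICATE block in input")
    return base64.b64decode(b"".join(m.group(1).split()))

def read_tlv(buf: bytes, pos: int):
    """Decode one DER element at pos -> (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                 # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def elements(value: bytes):
    """Yield (tag, value) for each element directly inside a SEQUENCE/SET."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = read_tlv(value, pos)
        yield tag, inner

def parse_time(tag: int, value: bytes) -> datetime:
    s = value.decode("ascii")
    if tag == 0x17:                   # UTCTime YYMMDDHHMMSSZ; RFC 5280 pivot: 50..99 -> 19xx
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    elif tag != 0x18:                 # GeneralizedTime YYYYMMDDHHMMSSZ, required for years >= 2050
        raise ValueError("unexpected Time tag 0x%02x" % tag)
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def validity(pem: bytes):
    """(notBefore, notAfter) from Certificate -> tbsCertificate -> validity."""
    _, cert, _ = read_tlv(pem_to_der(pem), 0)       # Certificate ::= SEQUENCE {tbs, alg, sig}
    tbs = next(elements(cert))[1]                    # tbsCertificate ::= SEQUENCE
    fields = list(elements(tbs))
    if fields[0][0] == 0xA0:                         # [0] EXPLICIT version is absent in v1 certs
        fields.pop(0)
    _serial, _sig_alg, _issuer, val = fields[:4]     # validity is the 4th mandatory field
    (t1, nb), (t2, na) = list(elements(val[1]))
    return parse_time(t1, nb), parse_time(t2, na)

def lifetime_days(pem: bytes) -> int:
    nb, na = validity(pem)
    return (na - nb).days

def at(iso: str) -> datetime:
    """'2016-02-26T12:00:00' -> aware UTC datetime, so callers never mix naive/aware."""
    return datetime.strptime(iso, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def check(pem: bytes, now: datetime, warn_days: int = 30, crit_days: int = 7):
    """Grade like a monitoring plugin -> (state, exit_code, days_left)."""
    nb, na = validity(pem)
    days_left = (na - now).total_seconds() / 86400
    if now < nb or days_left <= crit_days:           # not yet valid, expired, or about to expire
        return "CRITICAL", 2, days_left
    if days_left <= warn_days:
        return "WARNING", 1, days_left
    return "OK", 0, days_left

# --- constructed samples: well-formed but UNSIGNED certificates, not real ones ---
def _der(tag: int, payload: bytes) -> bytes:
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def sample_pem(not_before: bytes, not_after: bytes) -> bytes:
    t = lambda s: _der(0x17 if len(s) == 13 else 0x18, s)          # UTCTime vs GeneralizedTime
    name = _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03")      # CN=vpn.example
                                            + _der(0x0C, b"vpn.example"))))
    alg = _der(0x30, _der(0x06, b"\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B") + _der(0x05, b""))
    sig = _der(0x03, b"\x00" * 65)                                   # placeholder BIT STRING
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg + name
               + _der(0x30, t(not_before) + t(not_after)) + name + _der(0x30, alg + sig))
    body = base64.encodebytes(_der(0x30, tbs + alg + sig))
    return b"-----BEGIN CERTIFICATE-----\n" + body + b"-----END CERTIFICATE-----\n"

OLD_CERT = sample_pem(b"060228052333Z", b"160226052333Z")   # dates from the quoted output
FAR_CERT = sample_pem(b"160301000000Z", b"20600301000000Z") # post-2049 -> GeneralizedTime

if __name__ == "__main__":                                    # usage: script.py *.crt
    now, worst = datetime.now(timezone.utc), 0
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            state, code, left = check(f.read(), now)
        print("%s %s: %.1f days left" % (state, path, left))
        worst = max(worst, code)
    sys.exit(worst)
```

Running it over a directory of certs gives one line per file and a worst-case exit code, which is what a Nagios-style plugin or a cron job needs; the same one-file check from the shell is `openssl x509 -noout -enddate -checkend 2592000 -in cert.crt`, which exits non-zero if the cert expires within the given number of seconds. Two details worth noticing on the sample built from the post's dates: its lifetime comes out to exactly 3650 days, and a check run on the morning of 26 Feb 2016 already reports CRITICAL, so a daily run with a 30-day warning would have fired a month earlier.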


