Openvpn – Can existing clients connect to OpenVPN If I regenerate the server certificate

openvpn

I have an OpenVPN server that only a few clients are using and due to heartbleed issue, I've simply recreated the server certificates.

I've also deleted all the previous certificate files from the server. My assumption is since I've regenerated the server certificates and keys, previously generated client certificates can't connect to server anymore, since their certificates are not signed with the new server certificates I've created.

I'm perfectly happy with this, I just want to make sure that someone can't connect using an old certificate. Am I right?

More details:
I've followed the OpenVPN guide here and (hopefully) rebuilt the certificate authority as well by doing:

cd /etc/openvpn/easy-rsa/
source vars
./clean-all
./build-ca

Just before the steps above the guide says:

Enter the following to generate the master Certificate Authority (CA) certificate and key:

So my guess is I've replaced everything. My problem is I do not have the old certificates and in order to revoke them I need them!

Even more details:
I've gotten hold of a previously working client certificate and configuration and if I try to connect using that I get:

Wed Apr 16 17:48:22 2014 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

So I think this is proof that previous client certificates will not work.

Best Answer

No, pre-existing clients using certificates signed by the previous CA certificate will no longer be able to connect when the CA cert/key are removed/regenerated.
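The following script is an added illustration of the answer's point and is not part of the original question or answer. It reproduces, with plain openssl rather than easy-rsa, what happens when the CA is rebuilt: it creates an "old" CA, signs one client certificate with it, creates a fresh "new" CA (the equivalent of ./clean-all and ./build-ca), and then checks the same client certificate against each trust anchor. All names, paths and the scratch directory are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original page. Shows that a client certificate
# signed by the previous CA is rejected once the CA certificate is regenerated,
# which is the same failure the question's OpenVPN log reports.
set -eu

# The demo needs the openssl CLI; nothing meaningful can run without it.
command -v openssl >/dev/null 2>&1 || { echo "openssl not found"; exit 0; }

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: self-signed CA certificate and key in $WORK (constructed names)
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# issue_client CA_NAME CLIENT_NAME: client certificate signed by the named CA
issue_client() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$WORK/$2.csr" \
        -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
        -out "$WORK/$2.crt" >/dev/null 2>&1
}

# verify_against CA_NAME CLIENT_NAME: prints "accepted" when the client cert
# chains to that CA, "rejected" otherwise (this is what the TLS handshake does)
verify_against() {
    if openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1; then
        echo accepted
    else
        echo rejected
    fi
}

make_ca old-ca              # the CA the existing clients were issued from
issue_client old-ca client1 # a client certificate from before the rebuild
make_ca new-ca              # the CA rebuilt after clean-all / build-ca

OLD_RESULT="$(verify_against old-ca client1)"
NEW_RESULT="$(verify_against new-ca client1)"
echo "client1 checked against old CA: $OLD_RESULT"
echo "client1 checked against new CA: $NEW_RESULT"
```

Run it as an ordinary shell script; the expected output is "accepted" for the old CA and "rejected" for the new one. This is also why the old certificates do not need to be revoked once the old CA key is gone: without that key nothing can be added to the new server's trust chain, and the server no longer has the old CA certificate to validate them against.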