OpenVPN: moving server onto different device

Hi to all users!
I successfully ran OpenVPN server tests on an RB750.
Now I would like to move to different hardware, such as an RB4011.
How can I create new VPN server keeping all old certificates/configurations?

I created the certificates using the following script:

:global CN [/system identity get name]
:global COUNTRY "CA"
:global STATE "MYSTATE"
:global LOC "MYCITY"
:global ORG "MyOrg"
:global OU ""
:global KEYSIZE "2048"

:global waitSec ($KEYSIZE * 10 / 1024)



:put "generate a CA certificate"
/certificate 
add name=ca-template country="$COUNTRY" state="$STATE" locality="$LOC" organization="$ORG" unit="$OU" common-name="$CN" key-size="$KEYSIZE" days-valid=3650 key-usage=crl-sign,key-cert-sign
sign ca-template ca-crl-host=127.0.0.1 name="$CN"
:delay [$waitSec]

:put "generate a server certificate"
/certificate
add name=server-template country="$COUNTRY" state="$STATE" locality="$LOC" organization="$ORG" unit="$OU" common-name="server@$CN" key-size="$KEYSIZE"  days-valid=3650 key-usage=digital-signature,key-encipherment,tls-server
sign server-template ca="$CN" name="server@$CN"
:delay [$waitSec]

:put "create a client template"
/certificate
add name=client-template country="$COUNTRY" state="$STATE" locality="$LOC" organization="$ORG" unit="$OU" common-name="client"  key-size="$KEYSIZE" days-valid=3650 key-usage=tls-client

I’m not sure about exporting/copying files and/or certificates to the new hardware…
Thanks.

To copy a certificate to a new destination, you have to export it (using /certificate export-certificate) along with its private key; to do that, you have to specify the export-passphrase when exporting it.

Depending on the export type chosen, you may get both the certificate and its private key in a single file (type=pkcs12), or each in a separate file (type=pem). If you export it as pem, on the destination machine, you have to /certificate import first the .crt file (you don’t need to enter the passphrase at this moment), and then the .key file (and this time you have to enter the passphrase).

By exporting a CA certificate and importing it in a new destination, the links between the certificates signed by that CA certificate and the CA certificate get lost, so you’ll likely lose the ability to revoke those certificates using a CRL, if you ever planned to do so.
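
The export and import steps described in the answer above, written out as an added example that is not part of the original thread. Certificate names follow the script in the question; the passphrase and the exported file names are placeholders (use the names that /file print actually shows), and each braced block is assumed to be run as one script.

```routeros
# --- On the old router (RB750) ---
{
    # Placeholder passphrase: replace it with your own long, random value.
    :local PASS "CHANGE-ME-long-export-passphrase"
    :local CN [/system identity get name]

    # type=pkcs12 puts each certificate and its private key into one file.
    /certificate export-certificate [find name="$CN"] type=pkcs12 export-passphrase="$PASS"
    /certificate export-certificate [find name="server@$CN"] type=pkcs12 export-passphrase="$PASS"

    # Show the generated files so they can be copied off the router.
    /file print where name~"cert_export"
}

# Copy the listed files to the new router over an encrypted channel
# (for example SFTP or WinBox), then remove them from the old router's storage:
/file remove [find name~"cert_export"]

# --- On the new router (RB4011) ---
{
    :local PASS "CHANGE-ME-long-export-passphrase"

    # Import the CA first, then the server certificate.
    # File names below are placeholders for the ones copied over.
    /certificate import file-name="cert_export_CA-PLACEHOLDER.p12" passphrase="$PASS"
    /certificate import file-name="cert_export_SERVER-PLACEHOLDER.p12" passphrase="$PASS"
}

# PEM alternative (type=pem on export): certificate file first with an
# empty passphrase, then the key file with the export passphrase.
#   /certificate import file-name="cert_export_SERVER-PLACEHOLDER.crt" passphrase=""
#   /certificate import file-name="cert_export_SERVER-PLACEHOLDER.key" passphrase="CHANGE-ME-long-export-passphrase"

# Verify the result: the server certificate must carry the K (private-key)
# flag, otherwise the OpenVPN server cannot use it.
/certificate print

# The private keys no longer need to sit in file storage once imported.
/file remove [find name~"cert_export"]
```

The imported certificates usually get names derived from the file names, so the OpenVPN server configuration on the new router has to be pointed at the imported server certificate by its new name.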