From a189535563f1b48605115643585e036cd5631ac1 Mon Sep 17 00:00:00 2001
From: Stanislas
Date: Fri, 12 Jul 2024 18:16:19 +0200
Subject: [PATCH] Set client and server certificates validity to 10 years (#1235)
Prevent #974
---
 openvpn-install.sh | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/openvpn-install.sh b/openvpn-install.sh
index 06ad608..6c6a647 100755
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -731,14 +731,14 @@ function installOpenVPN() {
 # Create the PKI, set up the CA, the DH params and the server certificate
 ./easyrsa init-pki
- ./easyrsa --batch --req-cn="$SERVER_CN" build-ca nopass
+ EASYRSA_CA_EXPIRE=3650 ./easyrsa --batch --req-cn="$SERVER_CN" build-ca nopass
 if [[ $DH_TYPE == "2" ]]; then
 # ECDH keys are generated on-the-fly so we don't need to generate them beforehand
 openssl dhparam -out dh.pem $DH_KEY_SIZE
 fi
- ./easyrsa --batch build-server-full "$SERVER_NAME" nopass
+ EASYRSA_CERT_EXPIRE=3650 ./easyrsa --batch build-server-full "$SERVER_NAME" nopass
 EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl
 case $TLS_SIG in
@@ -1085,11 +1085,11 @@ function newClient() {
 cd /etc/openvpn/easy-rsa/ || return
 case $PASS in
 1)
- ./easyrsa --batch build-client-full "$CLIENT" nopass
+ EASYRSA_CERT_EXPIRE=3650 ./easyrsa --batch build-client-full "$CLIENT" nopass
 ;;
 2)
 echo "⚠️ You will be asked for the client password below ⚠️"
- ./easyrsa --batch build-client-full "$CLIENT"
+ EASYRSA_CERT_EXPIRE=3650 ./easyrsa --batch build-client-full "$CLIENT"
 ;;
 esac
 echo "Client $CLIENT added."
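Review bot: The added `EASYRSA_CERT_EXPIRE=3650` on the `build-server-full` line gives the server leaf certificate the same ten-year lifetime as the CA built a few lines earlier, and its key is generated `nopass`, so a leaked server key would presumably stay usable for that whole period unless the PKI is rebuilt. The literal 3650 now appears three times in this hunk (CA, server certificate and the existing `EASYRSA_CRL_DAYS`) and twice more in the newClient hunk, with nothing saying the values are meant to match. I would add a comment above the `build-ca` line such as `# CA, server cert and CRL all last 3650 days and expire together; renew before then`. Reading the value from one variable defined once would also let an operator choose a shorter leaf lifetime without editing four call sites. installOpenVPN starts and ends outside the hunk.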
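Review bot: Both `build-client-full` branches now issue client certificates valid for 3650 days from the day the client is added, so a client created some years after installation carries an expiry date later than the CA's own ten-year expiry set in installOpenVPN. Such a certificate stops validating when the CA expires, not on the date printed in it. In the `1)` branch the key is also `nopass`, so a copied client profile remains usable for up to ten years unless the client is revoked and the CRL regenerated. A comment above the `case` such as `# 3650 days from issuance; real lifetime is capped by the CA expiry, revoke lost clients explicitly` would document both facts. newClient starts and ends outside the hunk.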