
Why are VPN certificates valid for 10 years?

FAQ

By default, the OpenVPN Access Server generates a server CA and a private/public key pair that are unique to your server installation. The CA serves two purposes: verifying the identity of the OpenVPN server, and creating and signing a private/public key pair for each VPN account individually. The goal is to let VPN clients verify the identity of the VPN server and, in turn, let the VPN server verify the identity of the VPN clients. Each VPN user account on the Access Server gets its own private key and public certificate.

In other applications that use certificates, the lifetime may be much shorter. For HTTPS websites, for example, there are certificate providers that issue certificates valid for 2 years, and others that issue certificates valid for only 3 months, with programs in place that automate the retrieval and renewal of these certificates (or it is done manually). Generally, these types of systems rely on public methods of verifying a party's identity, such as DNS records or domain registry contact information, and use that information to confirm identity before issuing a new certificate. Another difference is that web servers are public and there is no pre-existing trust relationship between you and the web site. Most likely you do not know the identity of the owner of the sites you visit, and they do not, generally speaking, give you access using access keys. So with web sites you do need a way to automate establishing trust, which is done through the public root authorities that every web browser is equipped with: the browser checks the trust path from the public certificate presented for a given web server name back to a root authority it already trusts. That is a fundamental difference from VPN, where someone must give you access in advance, and there are no public records to check.

With VPN, of course, the VPN clients do not have personally identifiable information in public records the way web servers do, so retrieval and renewal of certificates cannot be automated that way. Instead you need to go to the Access Server, log in using your unique credentials, and obtain the necessary files to get started. If the system administrator has disabled access to the web interface, then only the system administrator can provide you with the certificates and configuration required to get your connection working. And once it is working, you would most likely prefer it to keep working from that point on, without having to revoke your certificates and reinstall your VPN client when your certificate expires. This is especially true on unattended systems such as servers or hardware devices that just need to connect and stay connected, without someone going in and replacing certificates regularly.

Please note that at any time a certificate can still be revoked from the Access Server side. There is a CRL (Certificate Revocation List) function in Access Server that allows the administrator to revoke VPN client certificates at will, so you still have full control in the event that, for example, a laptop gets stolen or lost, and the certificates on that laptop need to be revoked to ensure that nobody can abuse those certificates. They can just be revoked from the server side, and replacement certificates generated that are new and unique for that user.

Please note that Access Server has 2 components that use certificates. One is the web services of the Access Server, which operate with certificate lifetimes, trust relationships and management consistent with the rest of the Internet's handling of website certificates. The other is the OpenVPN tunnel protocol itself, where certificates are used internally for server and client verification. These are 2 entirely different structures. Therefore, for our own internal key infrastructure, we have chosen 10 years as the default lifetime for VPN certificates, to ensure there is no need to re-provision VPN clients at a regular interval. This default is chosen for you when the server is installed; however, if you start out with a new server installation, you can use the command line to select your own certificate lifetime.
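Because the VPN-tunnel PKI described above is separate from the web PKI, no browser or ACME tooling will warn you before a client certificate issued under this default runs out. The following added example (not OpenVPN's own code) is a stdlib-only Python check that reads the notBefore/notAfter fields from a DER-encoded certificate and reports its total lifetime and the days remaining, so an administrator can inventory issued client certificates against the 10-year default. The certificate it parses is a constructed structural skeleton with stub names and signature, not a real Access Server certificate.

```python
import datetime as dt

def _der(tag, body):
    """Encode one DER TLV, using long-form length when the body is >= 128 bytes."""
    n = len(body)
    lb = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    length = bytes([n]) if n < 0x80 else bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body

def _tlv(data, pos):
    """Decode the TLV starting at pos; return (tag, value bytes, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                            # long-form length: next n bytes hold it
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def _time(tag, raw):
    """UTCTime (tag 0x17, two-digit year) or GeneralizedTime (0x18) -> aware UTC datetime."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return dt.datetime.strptime(raw.decode("ascii"), fmt).replace(tzinfo=dt.timezone.utc)

def certificate_validity(der):
    """Walk Certificate -> tbsCertificate -> validity; return (notBefore, notAfter)."""
    _, cert, _ = _tlv(der, 0)
    _, tbs, _ = _tlv(cert, 0)
    tag, _, pos = _tlv(tbs, 0)                   # [0] EXPLICIT version is optional (v1 omits it)
    pos = pos if tag == 0xA0 else 0
    for _ in range(3):                           # skip serialNumber, signature, issuer
        _, _, pos = _tlv(tbs, pos)
    _, validity, _ = _tlv(tbs, pos)
    t1, nb, pos = _tlv(validity, 0)
    t2, na, _ = _tlv(validity, pos)
    return _time(t1, nb), _time(t2, na)

def lifetime_report(der, now):
    """Return (total_days, days_left): full validity window and what is left as of `now`."""
    nb, na = certificate_validity(der)
    return (na - nb).days, (na - now).days

# Constructed sample: a skeletal v3 certificate whose validity spans a 10-year window
# (2018-12-14 .. 2028-12-14); issuer/subject are empty Names and the signature is a stub.
_ALG = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + _der(0x05, b""))
_TBS = _der(0x30, b"".join([
    _der(0xA0, _der(0x02, b"\x02")),             # version v3
    _der(0x02, b"\x01"),                         # serialNumber 1
    _ALG,                                        # signature algorithm (sha256WithRSA OID)
    _der(0x30, b""),                             # issuer (empty Name)
    _der(0x30, _der(0x17, b"181214000000Z") + _der(0x17, b"281214000000Z")),
    _der(0x30, b""),                             # subject (empty Name)
]))
SAMPLE_CERT = _der(0x30, _TBS + _ALG + _der(0x03, b"\x00"))
```

Run `lifetime_report(open("client.crt.der", "rb").read(), dt.datetime.now(dt.timezone.utc))` on a real DER certificate (a hypothetical path) to get its remaining days; PEM files need the base64 body decoded first.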
