VPN Certificate renewal

I can see that the VPN client certificate is valid for 20 years, but I'm still curious to understand more about the renewal process and how this is supposed to happen, because we may need to invalidate a client certificate if it gets exposed somehow?

Expiring certificates don't have any security benefit. If a certificate is compromised, allowing the compromised certificate to remain valid for a few weeks rather than indefinitely won't change the outcome. It will only create security problems, as the client would need to be designed to regularly transmit new certificates, creating more opportunities for it to be compromised. The same understanding has been reached with expiring passwords, which are no longer recommended.

If you're concerned with VPN profiles being compromised, using device authentication will prevent any connections from unauthorized devices even if the VPN profile is compromised. Each connection will be authorized by the TPM/Secure Enclave on the client. These chips store keys physically isolated from the system.


Just out of curiosity, I also noticed that the server certificate has a validity of 20 years. What happens after that?

What do you mean? Should a certificate have infinite validity? Isn't it supposed to end at some point? It will be time for a new rollout!

The current certificate expiration is 10000 days. This has been shorter in previous releases; early releases had a 10 year expiration. Some of the oldest Pritunl installations from 2015 will be reaching the expiration. A command has been added to handle this: sudo pritunl renew-org <org_id>. This will update the CA certificate, server certificates and client certificates. The private key will remain the same, so it will have minimal disruption. The client configuration sync can safely sync all of these certificates while still keeping the security requirement of not allowing private keys to be synced.
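The renewal described above has one property worth seeing in isolation: a new certificate is issued for the existing private key, so only public material changes and the key itself never needs to travel. The following script is an added illustration, not Pritunl's own renew-org implementation or any part of its PKI. It builds a throwaway CA and client key with openssl, issues a short-lived certificate standing in for an old installation that is close to its expiry, re-issues a 10000-day certificate for the same key, and confirms that the public key is unchanged and that the new certificate chains to the CA. It also shows the check an operator can run against the <ca> and <cert> blocks of a profile to find certificates expiring inside a given window. All file names, subject names and the 20-day "legacy" validity are constructed for the example.

```shell
#!/usr/bin/env bash
# Added example (not Pritunl code): renew a certificate while keeping the private key,
# and flag certificates that expire within a window. Requires the openssl CLI.
set -euo pipefail

WORK="$(mktemp -d)"            # scratch directory for the constructed PKI
trap 'rm -rf "$WORK"' EXIT

# Create a throwaway CA (constructed; not any real Pritunl CA).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
    -subj "/CN=example-ca" -days 3650 >/dev/null 2>&1
}

# Generate the client's private key once; every renewal below reuses this file.
make_client_key() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/client.key" 2>/dev/null
}

# Issue a certificate for the EXISTING client key. $1 = output path, $2 = validity in days.
# This is the renewal step: a fresh CSR from the same key, signed by the CA for a new period.
issue_client_cert() {
  openssl req -new -key "$WORK/client.key" -subj "/CN=client1" -out "$WORK/client.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days "$2" -out "$1" >/dev/null 2>&1
}

# SHA-256 over the certificate's embedded public key; identical for every cert issued to one key.
pubkey_fingerprint() {
  openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256 | awk '{print $NF}'
}

# Exit 0 when the certificate expires within $2 days (the "needs renewal" condition).
# openssl -checkend returns 0 when the cert will still be valid after the given seconds.
expires_within_days() {
  if openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1; then
    return 1
  else
    return 0
  fi
}

# Exit 0 when the certificate chains to the CA (what the VPN server checks on connect).
verifies_against_ca() {
  openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1
}

demo() {
  make_ca
  make_client_key
  issue_client_cert "$WORK/client-old.crt" 20       # stand-in for a nearly expired cert
  issue_client_cert "$WORK/client-new.crt" 10000    # renewed certificate, same key

  if expires_within_days "$WORK/client-old.crt" 30; then
    echo "old certificate expires within 30 days: renewal needed"
  fi
  if ! expires_within_days "$WORK/client-new.crt" 30; then
    echo "renewed certificate is good for well over 30 days"
  fi
  if [ "$(pubkey_fingerprint "$WORK/client-old.crt")" = "$(pubkey_fingerprint "$WORK/client-new.crt")" ]; then
    echo "public key unchanged: only the certificate needs to be distributed"
  fi
  verifies_against_ca "$WORK/client-new.crt" && echo "renewed certificate verifies against the CA"
}

demo
```

Because the key file is never touched by the renewal, the new certificate can be pushed through a configuration sync that refuses to carry private keys, which is exactly the constraint the profile sync above is described as keeping. The expires_within_days check is the piece to schedule: run it over the certificates extracted from deployed profiles and act before the window closes rather than after clients start failing to connect.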