Openvpn and managing / preventing expiring certificates

RBotes · August 25, 2020, 12:54pm

Hi there

We recently had the joy of a legacy non-Belana device estate suffer from an unforeseen expiry of OpenVPN certificates (turns out 10 years is not that long…) which has prompted us to find out whether the good folks at Balena have a mechanism in place to prevent / detect / address this? Much searching and googling has not returned any hits, so I’m putting this out there.

The ca.crt on a brand new Belana device I have imaged today states “Valid From: 12 DEC 2013” and “Valid Until: 10 Dec 2023” - a bit too close for comfort, and once bitten, we are twice shy.

Kind regards
R

wrboyce · August 25, 2020, 8:21pm

Hi Reece, the OpenVPN CA is managed by our os-config software which gets its info from the API. In short, the CA is managed by balena-cloud and we have the capacity to rotate them when necessary. Hope this answers your question! Thanks.

RBotes · August 26, 2020, 7:03am

Brilliant, thank you