Hi @Trollen 

Thanks for posting in our business forum.

The cert will only calculate once and the cert will last 10 years long after the generation.

This cert will be universal to the OVPN servers you've created on the router.

The keys are different for every server you've created. Because the keys are generated differently every time you create a new server and export the .ovpn.

What's your config like? I do not take private messages regarding the issue.

For example, old(A), and new(B). AB two servers are the same in the config?

Are OpenVPN certificates hardware-hard-coded ?

Hi @Trollen 

Thanks for posting in our business forum.

I prefer the discussion is open if it does not come to the sensitive information.

Trollen wrote

  @Trollen

Hi Clieve 

is it possible that we can continue this conversation in a closed tread or similar ? 

 

however this is what I think. 

Why Two Configurations Work:

• If two configurations (old and new) work simultaneously, the router is likely configured to accept the same certificate and key across multiple server instances. The router's OpenVPN server may lack mechanisms to differentiate between old and new credentials once generated.

Do you have a way to verify the .ovpn?

I know that you came to this conclusion based on the connection you have made.

But regarding the problem, I think there is nothing as strong as the video to illustrate everything you have experienced.

So you experienced this problem which has a past and current file and server, you need to show the video/picture of the past and current comparison and the test result. 

Trollen wrote

Important Considerations:

• Certificates and keys should ideally be unique for each OpenVPN server instance.

Client certs and (private)keys are different for each server. The link I pasted earlier, clearly shows the result. Unless you can prove your statement.

Trollen wrote

• If a new certificate is issued, the old certificate and key pair should be invalidated unless explicitly configured to be reused.

To the second point, what the exact "new cert" do you mean here?

Trollen wrote

Why the Public Certificate Can't Have Two Passwords:

• Certificates are tied to their corresponding private keys through cryptographic algorithms.
• A single certificate cannot support multiple private keys or passwords because:
  • The certificate is mathematically bound to its private key.
  • Changing the private key would invalidate the cryptographic signature

• Client certs and keys are generated by calculations to verify the login from a user. And they are bound together unlike the CA cert.
• CA cert is to verify the server status and identify instead of the clients which means a single (CA) cert can support multiple client cert and private keys.
• That is correct.

Trollen wrote

 

regarding the certificated used 

the router is limited only to accept selfsigned certificate for the implementation of the OpenVPN server , see my former feature request.

 is not possible to use other that the certificate that router is born with, I suspect the routers building certificate are used, so I did a test.

I first think you have a misconception or misuse of the terms in the following description.

We don't support that and you have a request for that. I am aware of that. While it does not support this now, this is self-evident and cannot be used as proof of the issue described.

And to the conclusion/result you want to test which I don't quote here, they are not the same and CA cannot be the same because every calculation generates a different self-assigned CA after a reset. Fit the behavior and expectations.

Trollen wrote

 

regarding the certificated used 

the router is limited only to accept selfsigned certificate for the implementation of the OpenVPN server , see my former feature request.

 is not possible to use other that the certificate that router is born with, I suspect the routers building certificate are used, so I did a test.

1) save all the configuration of the routers settings.

2) reset the router to factory default,

3) apply the saved configuration again.

4) the router how have a new pair of certificate pub and key created on the router as self signed. 

5) result the router now only accept the new base certificate and key file , the old one is diregarded as the certificate has been replaced.

6) however if you just delete you open server configuration on the router and then recreate it that will still use the current certificate and key which should not happen.

I hope it is clear let me know if and how you want to continue this conversation . I will prefer not in a open forum.

I remain Trollen

 

 

This is expected and how the system works. CA is the same regardless of what servers you have created.

I also looked up some third-party OVPN servers, they behaved the same way.

If possible, I would recommend you verify this with the OVPN official and see if the conclusion is the same. If it is, the problem is no longer on our side. It is the OVPN official's guideline on the CA generation and cert.

In summary:

• CA is self-assigned and the same once it generates, which is also the common practice. Our last 10 years unless you reset it.
• The client cert and (private) key are different from the servers you have created.
• We don't support importing your own CA and have no plan to add it yet. This should not be brought up in this case as they don't correlate. It is a feature request.

What you described is clear but not true so far until you can provide something concrete.

I hope it is clear from my side with everything I typed here.

I am after the proofs from you as what you said is against what I tested before in another post and the fact I discussed with the dev.

https://www.reddit.com/r/OpenVPN/comments/pl1phi/two_openvpn_servers_with_identical_certificates/

https://www.reddit.com/r/synology/comments/1f2y4mc/does_openvpn_server_use_1_and_the_same/