
Expire an openvpn-admin client certificate sooner

Answer

I noticed that the VPN client certs returned by openvpn-admin are good for 10 years. We would like to be able to grant access to a specific environment for a much shorter time period, like days or weeks. I don't see an option to specify an expiration date when generating a client cert. Is there any way to accomplish this with the existing tools?

Tracked in ticket #108654: https://support.gruntwork.io/hc/requests/108654 (2022-05-24)

You should be able to control this using the `--cert-expiration-days` flag on `init-openvpn` in the server boot script. When set, this updates the OpenVPN server to expire any newly generated client certificates after that number of days. Note that the same setting also applies to server key generation. If you want different expiration periods for the server and user certificates, the recommendation is to launch an OpenVPN server with the server key expiration setting first, have the OpenVPN server generate the server keys and back them up to S3, and then redeploy the server using the user key expiration setting. It is currently not possible to adjust the certificate expiration days through the `openvpn-admin` request call. We're tracking this request in https://github.com/gruntwork-io/terraform-aws-openvpn/issues/197.
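Because the expiration setting only affects certificates issued after it is changed, existing long-lived client certs stay valid until they expire. The following audit helper is an added example (not part of Gruntwork's tooling); it assumes `openssl` is on PATH and that issued client certs are kept as `*.crt` files in one directory, and it flags any cert that will still be valid beyond a chosen maximum lifetime.

```shell
#!/bin/sh
# Constructed audit helper for spotting client certs whose remaining validity
# exceeds the lifetime you now intend (e.g. 30 days) after lowering
# --cert-expiration-days. Relies only on the openssl CLI.
set -eu

# cert_valid_beyond_days CERT_PEM DAYS
# Exit 0 if CERT_PEM is still valid DAYS from now, 1 if it expires before then.
# `openssl x509 -checkend N` exits 0 when the cert does NOT expire within N seconds.
cert_valid_beyond_days() {
    cert="$1"; days="$2"
    openssl x509 -in "$cert" -noout -checkend "$((days * 86400))" >/dev/null 2>&1
}

# audit_client_certs DIR MAX_DAYS
# Prints every *.crt under DIR that outlives MAX_DAYS; returns 1 if any were found,
# 0 if every cert in DIR expires within the policy window.
audit_client_certs() {
    dir="$1"; max_days="$2"; found=0
    for c in "$dir"/*.crt; do
        [ -e "$c" ] || continue
        if cert_valid_beyond_days "$c" "$max_days"; then
            printf 'TOO LONG: %s (%s)\n' "$c" "$(openssl x509 -in "$c" -noout -enddate)"
            found=1
        fi
    done
    return "$found"
}

# make_test_cert OUT_CRT DAYS CN
# Creates a constructed self-signed cert (key written beside it) so the audit
# can be exercised offline; this is not how openvpn-admin issues certs.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "${1%.crt}.key" \
        -out "$1" -days "$2" -subj "/CN=$3" >/dev/null 2>&1
}
```

Run `audit_client_certs /path/to/client-certs 30` on the directory holding issued client certs; a non-zero exit means at least one cert outlives the 30-day policy and should be revoked or reissued.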