Replace OpenVPN Access Server VPN Server and CA Certificates

NOTE: Following this procedure will invalidate any client certificates currently in use with the OpenVPN Access Server. These clients will need to re-download their certificates from the OpenVPN Access Server to get connected using the updated certificates

Prerequisites

Create OpenVPN Server Certificate

  1. Launch XCA
  2. Open the PKI database if it is not already (File > Open DataBase), enter password
  3. Click on the Certificates tab, right click on your Intermediate CA certificate
  4. Select New
  5. On the Source tab, make sure Use this Certificate for signing is selected
  6. Verify your Intermediate CA certificate is selected from the drop down
  7. Click the Subject tab
  8. Complete the Distinguished Name section

    internalName: OpenVPN CA
    countryName: US
    stateOrProvinceName: Virginia
    localityName: Northern
    organizationName: i12bretro
    organizationUnitName: i12bretro Certificate Authority
    commonName: OpenVPN CA

  9. Click the Generate a New Key button
  10. Enter a name and set the key size to at least 2048
  11. Click Create
  12. Click on the Extensions tab
  13. Select Certificate Authority from the type list
  14. Update the validity dates to fit your needs
  15. Click the Key Usage tab
  16. Under Key Usage select Digital Signature, Key Agreement and Certificate Sign
  17. Click OK to create the certificate
  18. Click on the Certificates tab, right click on your Intermediate CA certificate again
  19. Select New
  20. On the Source tab, make sure Use this Certificate for signing is selected
  21. Verify your Intermediate CA certificate is selected from the drop down
  22. Click the Subject tab
  23. Complete the Distinguished Name section

    internalName: OpenVPN Server
    countryName: US
    stateOrProvinceName: Virginia
    localityName: Northern
    organizationName: i12bretro
    organizationUnitName: i12bretro Certificate Authority
    commonName: vpn.i12bretro.local

  24. Click the Generate a New Key button
  25. Enter a name and set the key size to at least 2048
  26. Click Create
  27. Click on the Extensions tab
  28. Set the Type dropdown to End Endity
  29. Check the box next to Subject Key Identifier
  30. Update the validity dates to fit your needs
  31. Click the Key Usage tab
  32. Under Key Usage select Digital Signature and Key Encipherment
  33. Under Extended Key Usage select TLS Web Server Authentication
  34. Click the Netscape tab
  35. Deselect all options and clear the Netscape Comment field
  36. Click OK to create the certificate

Updating OpenVPN Access Server With New Certificates

  1. Open a web browser and navigate to phpMyAdmin
  2. Expand as > as_certs > certificates
  3. Check the boxes next to OpenVPN CA and OpenVPN Server > Select edit below the table
  4. In XCA, click on the Certificates tab > right click on the OpenVPN CA > Export > Clipboard
  5. Back in phpMyAdmin, clear the cert field for the OpenVPN CA and paste the contents of the clipboard
  6. In XCA, click on the Private Keys tab > right click on the OpenVPN CA > Export > Clipboard
  7. Make sure the format dropdown is set to PKCS #8 > Click OK
  8. Back in phpMyAdmin, clear the priv_key field for the OpenVPN CA and paste the contents of the clipboard
  9. In XCA, click on the Certificates tab > right click on the OpenVPN Server > Export > Clipboard
  10. Back in phpMyAdmin, clear the cert field for the OpenVPN Server and paste the contents of the clipboard
  11. In XCA, click on the Private Keys tab > right click on the OpenVPN Server > Export > Clipboard
  12. Make sure the format dropdown is set to PKCS #8 > Click OK
  13. Back in phpMyAdmin, clear the priv_key field for the OpenVPN Server and paste the contents of the clipboard
  14. Log into the OpenVPN Access Server admin interface https://DNSorIP:943/admin
  15. Click the Stop VPN services button
  16. Click the Confirm Stop button
  17. Click the Start VPN services button