Access Server

Follow us

How to replace the Access Server private key and certificate

There are two options that an Administrator can use for importing signed SSL Certificates into OpenVPN-AS:

Method 1:

You can import the certificates using the "Web Server" page in the Admin UI:
OpenVPN Web Certificates

Method 2:

You can replace the certificate via the backend:

To replace the automatically-generated key and certificate with a new key and certificate issued by a trusted CA (Certificate Authority), take the steps listed below.

1. Make sure you know the desired hostname for your server. This name will be the public name used by VPN clients to connect to your Access Serve, and it should also be specified as the "Hostname or IP Address:" on the "Server Network Settings" page in the Access Server Admin Web UI. The hostname will be encoded in your certificate from the CA, so it will not be changable.

2. Make a copy of the files in /usr/local/openvpn_as/etc/web-ssl/ into a backup directory, just in case.

mkdir /root/keyfiles_bak
cp /usr/local/openvpn_as/etc/web-ssl/* /root/keyfiles_bak

3. Generate the new keypair and CSR (Certificate Signing Request)using these commands on your Access Server host machine:

cd /usr/local/openvpn_as/etc/web-ssl
openssl genrsa -out new.key 1024
openssl req -new -key new.key -out new.csr

In the last step, you will be prompted for input. Your CA may have certain requirements on the fields you specify. Often it is desirable to have the Common Name on the CSR match the hostname of your server. An example run of the above commands is shown below. Note that several fields are left blank by just hitting Return at the input prompt.


# openssl genrsa -out new.key 1024
Generating RSA private key, 1024 bit long modulus
e is 65537 (0x10001)
# openssl req -new -key new.key -out new.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) []:Anytown
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Exampletronix, Inc.
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

4. Give the contents of the "new.csr" file to your CA (via a Web upload or email or whatever method is preferred).

5. The CA may perform additional verification of your identity and/or your rights to use the names you specified. You may also have to pay for the certification service. In the end, the CA will provide a certificate and probably also a bundle with one or more CA certificates. All of these certificates should be PEM-encoded text strings, including BEGIN/END lines:


6. Save the server certificate (issued by the CA) as the file server.crt in /usr/local/openvpn_as/etc/web-ssl (overwriting the existing file).

7. Copy the new.key file as server.key in /usr/local/openvpn_as/etc/web-ssl.

8. Save the CA certificate bundle as ca.crt in the /usr/local/openvpn_as/etc/web-ssl directory. The CA certificates should appear in order, with the first certificate being that of the CA that issued the server certificate, and the last certificate being that of the "trusted root CA". The certificates can be concatenated, with the BEGIN and END lines included (so that the BEGIN line of one certificate follows the END line of the previous one).

7. Restart the Access Server using this command:

service openvpnas restart - or
/etc/init.d/openvpnas restart

The new key and certificate should now be in use.