Recovering SSL web certificates from the config DB

Who this guide is for

It has happened on occasion that people have installed an SSL web certificate on their Access Server, and that they needed to pull these files back out of the Access Server. For example, in the case of a wildcard certificate and you want to use that same SSL certificate for another server. Or just to make a backup in case the original files are lost, or when you want to transfer the SSL certificate to a new installation. Because Access Server stores the files in the configuration database, which is in SQLite3 format, it may be a little difficult to retrieve the original files. With the guide here, however, it is possible to pull the data out of the configuration database and store it in separate files again. Please note that this guide is only of any use to people that have already installed a commercial SSL certificate with private key and intermediary (CA) bundle files, and wish to recover these from the Access Server.

We're assuming you're on a Windows system. If you're on another system the connection program and steps may be different but the commands to extract the data are the same on the server.

Backing up an already installed SSL certificate via CLI

In order to do so, you will need SSH access to your Access Server. To begin, you will need to launch a SSH client such as PuTTY to connect to your server using SSH. You will need root privileges to be able to do these tasks. If you are not able to log in as root directly but have to log in as another unprivileged user account, and then sudo su to get root privileges, then that's fine too.

Start PuTTY and connect to the IP address of your server on port 22, SSH, and click 'Open'.

Enter the server's username and password. It must have root access. This is not the VPN client username!

Execute command: cd /usr/local/openvpn_as/scripts/

Intermediary (CA) bundle file:

Execute command: ./confdba -gk cs.ca_bundle

Scroll up (if necessary), start selecting from BEGIN CERTIFICATE, and stop when you hit the last END CERTIFICATE.

The CA bundle is now copied to the clipboard. Open up a text editor, paste the contents into the editor, and then save the file as ca.pem.

Private Key file:

Execute command: ./confdba -gk cs.priv_key

Scroll up (if necessary), start selecting from BEGIN RSA PRIVATE KEY, and stop when you hit END RSA PRIVATE KEY.

The Private Key is now copied to the clipboard. Open up a text editor, paste the contents into the editor, and then save the file as server.key.

Server certificate file:

Execute command: ./confdba -gk cs.cert

Scroll up (if necessary), start selecting from BEGIN CERTIFICATE, and stop when you hit END CERTIFICATE.

The Server Certificate is now copied to the clipboard. Open up a text editor, paste the contents into the editor, and then save the file as server.crt.

You now have a backup of the files as they were submitted to the Access Server originally when the certificates were installed.

To install these files back onto an Access Server

You can follow the procedure via the Admin UI: How to install an SSL certificate in Access Server via the Admin UI
Or you can install via the command line interface: How to install an SSL certificate in Access Server via the command line interface