OpenVPN - expired certificates

Server certificates

CA certificate

In case that CA certificate (lets name it ca.crt) gets expired, clients can't connect to the OpenVPN server anymore. You need to generate new CA certificate signed with the same key (usually named ca.key) as the old one to avoid the need to regenerate all client certificates also.

Use following command to do so:

openssl x509 -in ca.crt -days 36500 -out ca.crt.new -signkey ca.key
  • 36500days = 100years = validity of the new ca.crt
  • rename ca.crt to ca.crt.old
  • rename ca.crt.new to ca.crt
  • restart / reload OpenVPN
  • distribute new ca.crt to all clients
  • check server certificate - it usually expires also, because both are generated during OpenVPN installation and usually have the same validity

Server certificate

In case that server certificate gets expired, simply generate new one using easy-rsa scripts:

. vars
./buid-key-server server
  • reload / restart OpenVPN after that

Client certificate(s)

When client certificate gets expired, you can generate new one using previous .csr file this way:

. vars
./sign-req <certificate-name>
  • send the new .crt file to the client
  • client's .key file is not changed => same password, we don't need to know it to generate new .crt

Like my blog? What about to buy me a beer?

Bitcoin address: 1LzmUcwHK5Ys4zGPRoxYodjzpJsWiG61JY

Please Donate To Bitcoin Address: [[address]]

Donation of [[value]] BTC Received. Thank You.

[[error]]