OpenVPN - expired certificates

Server certificates

CA certificate

If the CA certificate (let's call it ca.crt) expires, clients can no longer connect to the OpenVPN server. Generate a new CA certificate signed with the same key as the old one (usually named ca.key); otherwise you would also have to regenerate all client certificates.

Use the following command to do so:

openssl x509 -in ca.crt -days 36500 -out ca.crt.new -signkey ca.key
  • 36500 days = 100 years = validity of the new ca.crt
  • ca.crt.new is only an example name for the output file
  • rename ca.crt to ca.crt.old
  • rename ca.crt.new to ca.crt
  • restart / reload OpenVPN
  • distribute the new ca.crt to all clients
  • check the server certificate: it usually expires too, because both are generated during OpenVPN installation and usually have the same validity
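
The renewal can be rehearsed on throwaway files before touching the real CA. The script below is an added example, not part of the original post: it builds a constructed demo CA and client certificate (the file names, subjects and demo.cnf are assumptions), runs the renewal command from above, and checks that the renewed CA keeps the old public key and still validates the existing client certificate, while a CA with a fresh key does not.

```shell
#!/bin/sh
# Added example: all files are constructed throwaways created in a temp dir.

# Demo CA valid for 1 day, plus one client certificate signed by it.
make_demo_pki() {
  printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=ca' \
    '[dn]' '[ca]' 'basicConstraints=critical,CA:TRUE' > demo.cnf &&
  openssl req -x509 -newkey rsa:2048 -nodes -config demo.cnf \
    -subj '/CN=Demo CA' -days 1 -keyout ca.key -out ca.crt 2>/dev/null &&
  openssl req -new -newkey rsa:2048 -nodes -config demo.cnf \
    -subj '/CN=client1' -keyout client.key -out client.csr 2>/dev/null &&
  openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -set_serial 2 \
    -days 30 -out client.crt 2>/dev/null
}

# The page's renewal command: re-self-sign ca.crt with the same ca.key.
renew_ca() {
  openssl x509 -in ca.crt -days 36500 -out ca.crt.new -signkey ca.key 2>/dev/null
}

# Passes only if the renewed CA keeps the old public key, outlives the old
# certificate, and validates a client certificate issued before the renewal.
check_renewal() {
  old=$(openssl x509 -in ca.crt -noout -pubkey) &&
  new=$(openssl x509 -in ca.crt.new -noout -pubkey) &&
  [ "$old" = "$new" ] &&
  ! openssl x509 -in ca.crt -noout -checkend 172800 >/dev/null &&
  openssl x509 -in ca.crt.new -noout -checkend 172800 >/dev/null &&
  openssl verify -CAfile ca.crt.new client.crt >/dev/null 2>&1
}

# Counter-case: same CA name but a fresh key, so old client certs are rejected.
check_new_key_fails() {
  openssl req -x509 -newkey rsa:2048 -nodes -config demo.cnf \
    -subj '/CN=Demo CA' -days 36500 -keyout other.key -out other.crt 2>/dev/null &&
  ! openssl verify -CAfile other.crt client.crt >/dev/null 2>&1
}

demo() {
  d=$(mktemp -d) || return 1
  if (cd "$d" && make_demo_pki && renew_ca && check_renewal && check_new_key_fails)
  then rc=0; else rc=1; fi
  rm -rf "$d"
  return "$rc"
}

demo && echo "OK: renewed CA validates the existing client certificate"
```

The same check_renewal steps can be run by hand against the real ca.crt, the renewed file and any issued client certificate before the rename and reload.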

Server certificate

If the server certificate expires, simply generate a new one using the easy-rsa scripts:

. vars
./build-key-server server
  • reload / restart OpenVPN after that

Client certificate(s)

When a client certificate expires, you can generate a new one from the previous .csr file this way:

. vars
./sign-req <certificate-name>
  • send the new .crt file to the client
  • the client's .key file is not changed => same password; we don't need to know it to generate the new .crt
