Server certificates
CA certificate
In case that CA certificate (lets name it ca.crt) gets expired, clients can't connect to the OpenVPN server anymore. You need to generate new CA certificate signed with the same key (usually named ca.key) as the old one to avoid the need to regenerate all client certificates also.
Use following command to do so:
openssl x509 -in ca.crt -days 36500 -out ca.crt.new -signkey ca.key
- 36500days = 100years = validity of the new ca.crt
- rename ca.crt to ca.crt.old
- rename ca.crt.new to ca.crt
- restart / reload OpenVPN
- distribute new ca.crt to all clients
- check server certificate - it usually expires also, because both are generated during OpenVPN installation and usually have the same validity
Server certificate
In case that server certificate gets expired, simply generate new one using easy-rsa scripts:
. vars
./buid-key-server server
- reload / restart OpenVPN after that
Client certificate(s)
When client certificate gets expired, you can generate new one using previous .csr file this way:
. vars
./sign-req <certificate-name>
- send the new .crt file to the client
- client's .key file is not changed => same password, we don't need to know it to generate new .crt
Like my blog? Want to buy me coffee or beer?
LTC (litecoin): LeWzkcV2ArRv7Bi7TmrTpwkp6j2CZSLwfY
BTC (bitcoin): 1LzmUcwHK5Ys4zGPRoxYodjzpJsWiG61JY
DOGE (dogecoin): DQmS6EdDXssriDgSBpQMxYicHTiji6kMhx
ETH (ethereum): 0x387ff39c66e71c454ce5844c188c1a87835d2263
USDT (tether@ETH): 0xa69cae5a1da5ff5fb226e4bc87fe5d0f8c45908a
MANA (decentraland): 0xa69cae5a1da5ff5fb226e4bc87fe5d0f8c45908a
XMR (monero): 4JUdGzvrMFDWrUUwY3toJATSeNwjn54LkCnKBPRzDuhzi5vSepHfUckJNxRL2gjkNrSqtCoRUrEDAgRwsQvVCjZbRxBb8sEWJB1SCCuUEa
