This document describes certificate management for OpenVPN.

== Certificate Authority ==
The server uses Easy-RSA 3 for certificate management. The Easy-RSA directory is located at <code>/etc/openvpn/server/easy-rsa/</code>.

== Easy-RSA Commands Reference ==
Common Easy-RSA commands:
<pre class="lang-bash">
cd /etc/openvpn/server/easy-rsa/

# Build a new CA (only needed once)
./easyrsa build-ca

# Generate Diffie-Hellman parameters (only needed once)
./easyrsa gen-dh

# Build server certificate (already done)
./easyrsa build-server-full server nopass

# Build client certificate
./easyrsa build-client-full clientname nopass

# Revoke a certificate
./easyrsa revoke clientname

# Generate/update CRL
./easyrsa gen-crl

# Show certificate details
./easyrsa show-cert clientname

# List all certificates
ls -la pki/issued/
</pre>

== Viewing All Certificates ==
To show the details of one issued certificate:
<pre class="lang-bash">
cd /etc/openvpn/server/easy-rsa/
./easyrsa show-cert clientname
</pre>

To list all certificates in the PKI:
<pre class="lang-bash">
ls -la /etc/openvpn/server/easy-rsa/pki/issued/
</pre>

== Checking Certificate Expiration ==
To check when a certificate expires:
<pre class="lang-bash">
cd /etc/openvpn/server/easy-rsa/

# View certificate details
openssl x509 -in pki/issued/clientname.crt -noout -dates

# Or use Easy-RSA
./easyrsa show-cert clientname | grep -i "not after"
</pre>

== Renewing an Expired Certificate ==
If a certificate is about to expire or has expired:

=== Revoke the old certificate (if expired) ===
<pre class="lang-bash">
cd /etc/openvpn/server/easy-rsa/
./easyrsa revoke clientname
./easyrsa gen-crl
cp pki/crl.pem /etc/openvpn/server/crl.pem
</pre>

=== Generate a new certificate ===
<pre class="lang-bash">
./easyrsa build-client-full clientname nopass
</pre>

=== Update the .ovpn file with the new certificate ===
<pre class="lang-bash">
# Extract new certificate
cat pki/issued/clientname.crt

# Update the <cert> section in the .ovpn file
nano /root/clientname.ovpn
</pre>

=== Distribute the updated .ovpn file to the client ===

=== Restart OpenVPN ===
<pre class="lang-bash">
systemctl restart openvpn
</pre>

== Certificate Revocation ==
See [user-management.md#revoking-a-user-certificate User Management] for details on revoking certificates.

== Backup and Recovery ==

=== Backup Important Files ===
<pre class="lang-bash">
# Backup server configuration and certificates
tar -czf openvpn-backup-$(date +%Y%m%d).tar.gz \
  /etc/openvpn/server/ \
  /etc/openvpn/ccd/ \
  /root/*.ovpn
</pre>

=== Restore from Backup ===

==== Extract backup ====
<pre class="lang-bash">
tar -xzf openvpn-backup-YYYYMMDD.tar.gz -C /
</pre>

==== Verify file permissions ====
<pre class="lang-bash">
chmod 600 /etc/openvpn/server/*.key
chmod 644 /etc/openvpn/server/*.crt
</pre>

==== Restart OpenVPN ====
<pre class="lang-bash">
systemctl restart openvpn
</pre>

== Related Documentation ==
* [User Management](user-management.md) - Managing users and certificates
* [Server Configuration](server-configuration.md) - Server setup
* [[Documentation:Index|Troubleshooting]] - Certificate troubleshooting

[[Category:Documentation]]
[[Category:Documentation/OpenVPN]]
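The expiration check and revocation steps above work one certificate at a time. As an added example (not part of this wiki page or of Easy-RSA itself), the script below reads the CA database that Easy-RSA keeps at <code>pki/index.txt</code> and reports every certificate's effective status and days to expiry in one pass; the index contents shown are constructed sample data, and the 30-day warning window is an assumed policy.

```python
#!/usr/bin/env python3
# Added example: report expiry/revocation status for every certificate in an
# Easy-RSA PKI by parsing pki/index.txt (tab-separated: status, expiry,
# revocation date, serial, file name, DN) instead of running openssl per file.
from datetime import datetime, timezone

# Constructed sample of an Easy-RSA pki/index.txt (not from a real server).
SAMPLE_INDEX = (
    "V\t360101120000Z\t\t01\tunknown\t/CN=server\n"
    "V\t250301090000Z\t\t02\tunknown\t/CN=alice\n"
    "R\t260101000000Z\t240615101010Z\t03\tunknown\t/CN=bob\n"
    "V\t240801000000Z\t\t04\tunknown\t/CN=carol\n"
)

def parse_asn1_time(value):
    """Parse the YYMMDDHHMMSSZ UTCTime form that index.txt uses."""
    return datetime.strptime(value, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def parse_index(text, now):
    """Return one record per certificate with its effective status and days left."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        status, expiry, revoked, serial, _fname, dn = line.split("\t")
        expires = parse_asn1_time(expiry)
        if status == "R":
            effective = "revoked"
        elif expires <= now:
            effective = "expired"  # index.txt may still say V until the CA updates it
        else:
            effective = "valid"
        records.append({"cn": dn.split("/CN=")[-1], "serial": serial,
                        "status": effective, "expires": expires,
                        "days_left": (expires - now).days,
                        "revoked_on": parse_asn1_time(revoked) if revoked else None})
    return records

def needs_action(records, warn_days=30):
    """CNs that are expired or expire within warn_days; revoked ones need no renewal."""
    return [r["cn"] for r in records
            if r["status"] == "expired"
            or (r["status"] == "valid" and r["days_left"] <= warn_days)]

if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    recs = parse_index(SAMPLE_INDEX, now)
    for r in recs:
        print(f"{r['cn']:<8} {r['status']:<8} expires {r['expires']:%Y-%m-%d} "
              f"({r['days_left']:+d} days)")
    print("renew:", needs_action(recs))
```

On a live server, replace <code>SAMPLE_INDEX</code> with the contents of <code>/etc/openvpn/server/easy-rsa/pki/index.txt</code>; a certificate that is revoked still needs the CRL regenerated and copied as in the renewal steps.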