OpenVPN:Certificate Management: Difference between revisions
Revision as of 13:28, 1 January 2026
OpenVPN Certificate Management
This document describes certificate management for OpenVPN.
Certificate Authority
The server uses Easy-RSA 3 for certificate management. The Easy-RSA directory is located at /etc/openvpn/server/easy-rsa/.
Easy-RSA Commands Reference
Common Easy-RSA commands:
cd /etc/openvpn/server/easy-rsa/
# Build a new CA (only needed once)
./easyrsa build-ca
# Generate Diffie-Hellman parameters (only needed once)
./easyrsa gen-dh
# Build server certificate (already done)
./easyrsa build-server-full server nopass
# Build client certificate
./easyrsa build-client-full clientname nopass
# Revoke a certificate
./easyrsa revoke clientname
# Generate/update CRL
./easyrsa gen-crl
# Show certificate details
./easyrsa show-cert clientname
# List all certificates
ls -la pki/issued/
Viewing All Certificates
To show the details of one issued certificate (replace clientname with the certificate's name):
cd /etc/openvpn/server/easy-rsa/
./easyrsa show-cert clientname
To list all certificates in the PKI:
ls -la /etc/openvpn/server/easy-rsa/pki/issued/
Checking Certificate Expiration
To check when a certificate expires:
cd /etc/openvpn/server/easy-rsa/
# View certificate details
openssl x509 -in pki/issued/clientname.crt -noout -dates
# Or use Easy-RSA
./easyrsa show-cert clientname | grep -i "not after"
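The commands above check one certificate at a time. As an added example that is not part of this wiki page, the POSIX shell script below runs the same expiry check over every certificate in pki/issued/ using openssl's -checkend option; it assumes the Easy-RSA layout described above and that openssl is installed.

```shell
#!/bin/sh
# Added example, not from the wiki page: scan every certificate in the
# Easy-RSA PKI (pki/issued/*.crt, the layout described on this page) and
# report which ones are expired or expire within N days. Needs openssl.
#
# Run as:  sh check-expiry.sh /etc/openvpn/server/easy-rsa/pki 30
# With no arguments it only defines the functions, so it can be sourced.

# cert_status FILE DAYS -> prints "expired", "expiring" or "ok"
cert_status() {
    cert="$1"; days="$2"
    # -checkend N exits non-zero when the certificate expires within N seconds
    # (an unreadable file also exits non-zero and is reported as expired)
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo expired
    elif ! openssl x509 -in "$cert" -noout -checkend "$((days * 86400))" >/dev/null 2>&1; then
        echo expiring
    else
        echo ok
    fi
}

# scan_pki PKI_DIR DAYS -> one "<status> <name>" line per issued certificate;
# returns 1 if any certificate is not ok, so it can be used from cron
scan_pki() {
    dir="$1"; days="${2:-30}"; rc=0
    for cert in "$dir"/issued/*.crt; do
        [ -f "$cert" ] || continue        # glob matched nothing
        status=$(cert_status "$cert" "$days")
        echo "$status $(basename "$cert" .crt)"
        [ "$status" = ok ] || rc=1
    done
    return "$rc"
}

if [ -n "${1:-}" ]; then
    scan_pki "$1" "${2:-30}"
fi
```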
Renewing an Expired Certificate
If a certificate is about to expire or has expired:
Revoke the old certificate (if expired):
cd /etc/openvpn/server/easy-rsa/
./easyrsa revoke clientname
./easyrsa gen-crl
cp pki/crl.pem /etc/openvpn/server/crl.pem
Generate a new certificate:
./easyrsa build-client-full clientname nopass
Update the .ovpn file with the new certificate:
# Extract new certificate
cat pki/issued/clientname.crt
# build-client-full also generated a new private key in pki/private/clientname.key,
# so update the <key> section as well as the <cert> section in the .ovpn file
nano /root/clientname.ovpn
Distribute the updated .ovpn file to the client
Restart OpenVPN:
systemctl restart openvpn
Certificate Revocation
See User Management (user-management.md#revoking-a-user-certificate) for details on revoking certificates.
Backup and Recovery
Backup Important Files
# Backup server configuration and certificates
tar -czf openvpn-backup-$(date +%Y%m%d).tar.gz \
  /etc/openvpn/server/ \
  /etc/openvpn/ccd/ \
  /root/*.ovpn
The archive contains the CA and server private keys from /etc/openvpn/server/, so store it with the same restrictive permissions as the key files themselves.
Restore from Backup
Extract backup:
tar -xzf openvpn-backup-YYYYMMDD.tar.gz -C /
Verify file permissions:
chmod 600 /etc/openvpn/server/*.key
chmod 644 /etc/openvpn/server/*.crt
Restart OpenVPN:
systemctl restart openvpn
Related Documentation
- [User Management](user-management.md) - Managing users and certificates
- [Server Configuration](server-configuration.md) - Server setup
- Troubleshooting - Certificate troubleshooting