OpenVPN:Certificate Management
Latest revision as of 13:44, 1 January 2026
This document describes certificate management for OpenVPN.
Certificate Authority

The server uses Easy-RSA 3 for certificate management. The Easy-RSA directory is located at /etc/openvpn/server/easy-rsa/; the CA certificate is pki/ca.crt and the CA private key is pki/private/ca.key below it. Because the CA key lives on the VPN server itself, anyone with root on that host can issue client certificates: keep the key mode 600, and note that build-ca without the nopass option protects it with a passphrase, which is then needed for every command that signs or revokes (build-server-full, build-client-full, revoke, gen-crl).
Easy-RSA Commands Reference

Common Easy-RSA commands, all run from the Easy-RSA directory. The nopass option leaves the generated private key unencrypted, which is what an unattended server and a client profile with an inline key need, but it means the key file and the .ovpn file that contains it must be protected as secrets.

<pre class="lang-bash">
cd /etc/openvpn/server/easy-rsa/

# Build a new CA (only needed once)
./easyrsa build-ca

# Generate Diffie-Hellman parameters (only needed once)
./easyrsa gen-dh

# Build server certificate (already done)
./easyrsa build-server-full server nopass

# Build client certificate
./easyrsa build-client-full clientname nopass

# Revoke a certificate
./easyrsa revoke clientname

# Generate/update CRL
./easyrsa gen-crl

# Show certificate details
./easyrsa show-cert clientname

# List all certificates
ls -la pki/issued/
</pre>
Viewing All Certificates

To show the details of one issued certificate:

<pre class="lang-bash">
cd /etc/openvpn/server/easy-rsa/
./easyrsa show-cert clientname
</pre>

To list all certificates in the PKI:

<pre class="lang-bash">
ls -la /etc/openvpn/server/easy-rsa/pki/issued/
</pre>

pki/issued/ only holds the certificate files. The authoritative record, including revocation status, is the CA database pki/index.txt: one tab-separated line per certificate, starting with V (valid) or R (revoked), followed by the expiry time, the revocation time (if any), the serial number, a filename field and the subject (/CN=clientname). A certificate stays marked V after it expires, so expiry has to be checked against the date rather than read from the flag.
Checking Certificate Expiration

To check when a certificate expires:

<pre class="lang-bash">
cd /etc/openvpn/server/easy-rsa/

# View certificate details
openssl x509 -in pki/issued/clientname.crt -noout -dates

# Or use Easy-RSA
./easyrsa show-cert clientname | grep -i "not after"
</pre>

The same openssl command works for the server certificate (pki/issued/server.crt) and for the CA certificate (pki/ca.crt); both expire too, and an expired CA or server certificate stops every client at once. For unattended checks, openssl x509 also accepts -checkend SECONDS, which exits non-zero when the certificate expires within that many seconds.
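The commands above check one certificate at a time. To get the same answer for the whole PKI in one pass, the following added script (not part of this page, of Easy-RSA or of OpenVPN) reads the CA database pki/index.txt that Easy-RSA maintains and reports every certificate as ok, expiring, expired or revoked. The sample index contents embedded in it are constructed; the 30-day warning window and the optional path argument are the script's own assumptions.

```python
"""Audit an Easy-RSA 3 CA database (pki/index.txt) for revoked, expired
and soon-to-expire certificates.

Added example for this page, not code from Easy-RSA or OpenVPN. The
index.txt format is OpenSSL's CA database: one tab-separated line per
certificate -> status, expiry time, revocation time, serial, filename, DN.
"""
from __future__ import annotations

import sys
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from pathlib import Path
from typing import Optional

WARN_DAYS = 30  # assumption: warn when less than a month of validity is left


@dataclass
class CertEntry:
    status: str                  # V valid, R revoked, E expired (see classify)
    not_after: datetime
    revoked_at: Optional[datetime]
    serial: str
    subject: str

    @property
    def name(self) -> str:
        """Easy-RSA 3 writes subjects as /CN=<name>; fall back to the raw DN."""
        for part in self.subject.split("/"):
            if part.startswith("CN="):
                return part[3:]
        return self.subject


def parse_asn1_time(value: str) -> datetime:
    """index.txt stores UTCTime (YYMMDDHHMMSSZ) or GeneralizedTime (YYYYMMDDHHMMSSZ)."""
    if len(value) == 13:
        fmt = "%y%m%d%H%M%SZ"
    elif len(value) == 15:
        fmt = "%Y%m%d%H%M%SZ"
    else:
        raise ValueError(f"unrecognised ASN.1 time: {value!r}")
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def parse_index(text: str) -> list[CertEntry]:
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError(f"malformed index line: {line!r}")
        status, expiry, revocation, serial, _filename, subject = fields
        revoked_at = None
        if revocation:
            # The revocation field may carry a reason code: "<time>,<reason>".
            revoked_at = parse_asn1_time(revocation.split(",", 1)[0])
        entries.append(CertEntry(status, parse_asn1_time(expiry), revoked_at, serial, subject))
    return entries


def classify(entry: CertEntry, now: datetime, warn_days: int = WARN_DAYS) -> str:
    """Return 'revoked', 'expired', 'expiring' or 'ok'.

    Expiry is judged from the date, not from the status column: OpenSSL
    leaves an expired certificate marked V until `openssl ca -updatedb`
    is run, so trusting the flag would miss expired certificates.
    """
    if entry.status == "R":
        return "revoked"
    if entry.not_after <= now:
        return "expired"
    if entry.not_after <= now + timedelta(days=warn_days):
        return "expiring"
    return "ok"


def audit(text: str, now: Optional[str] = None, warn_days: int = WARN_DAYS) -> dict[str, str]:
    """Map certificate name -> classification; `now` is an ISO date (UTC) or None for the current time."""
    when = datetime.fromisoformat(now).replace(tzinfo=timezone.utc) if now else datetime.now(timezone.utc)
    return {e.name: classify(e, when, warn_days) for e in parse_index(text)}


# Constructed sample index (not a real CA database): the server and three clients.
SAMPLE_INDEX = (
    "V\t301231235959Z\t\t01\tunknown\t/CN=server\n"
    "V\t260115120000Z\t\t02\tunknown\t/CN=alice\n"
    "R\t270101000000Z\t250601090000Z,keyCompromise\t03\tunknown\t/CN=bob\n"
    "V\t251201000000Z\t\t04\tunknown\t/CN=carol\n"
)

if __name__ == "__main__":
    # Usage: audit_index.py [/etc/openvpn/server/easy-rsa/pki/index.txt]
    text = Path(sys.argv[1]).read_text() if len(sys.argv) > 1 else SAMPLE_INDEX
    now = datetime.now(timezone.utc)
    for entry in parse_index(text):
        days_left = (entry.not_after - now).days
        print(f"{classify(entry, now):9} {entry.name:20} serial={entry.serial} "
              f"expires={entry.not_after:%Y-%m-%d} ({days_left:+d} days)")
```

Run it as root against the live database (pki/index.txt is inside the Easy-RSA directory, which is root-only) and put it in cron; the "expiring" rows are the certificates to renew before users start losing access.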
Renewing an Expired Certificate

If a certificate is about to expire or has expired, issue a replacement under the same name. Easy-RSA will not build a second certificate for a name whose request already exists in the PKI, so the old certificate has to be revoked first, whether or not it has already expired (on older Easy-RSA 3 releases that do not move the revoked files aside, the old pki/reqs/clientname.req also has to be removed before build-client-full succeeds). The replacement comes with a new private key as well as a new certificate, so both the <cert> and the <key> sections of the client profile must be updated.

Revoke the old certificate:

<pre class="lang-bash">
cd /etc/openvpn/server/easy-rsa/
./easyrsa revoke clientname
./easyrsa gen-crl
cp pki/crl.pem /etc/openvpn/server/crl.pem
</pre>

Generate a new certificate:

<pre class="lang-bash">
./easyrsa build-client-full clientname nopass
</pre>

Update the .ovpn file with the new certificate and key. The new certificate is pki/issued/clientname.crt and the new private key is pki/private/clientname.key:

<pre class="lang-bash">
# Extract new certificate (the matching key is pki/private/clientname.key)
cat pki/issued/clientname.crt
# Update the <cert> and <key> sections in the .ovpn file
nano /root/clientname.ovpn
</pre>

Distribute the updated .ovpn file to the client. The profile contains the client's private key, so hand it over through an authenticated, encrypted channel rather than plain e-mail, and delete any temporary copies.

Restart OpenVPN (if the service runs as a systemd template instance, for example openvpn-server@<config>, restart that unit instead):

<pre class="lang-bash">
systemctl restart openvpn
</pre>
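Editing the profile by hand is error-prone; it is easy to paste the new certificate and forget the key. The following added script (not part of this page, of OpenVPN or of Easy-RSA) swaps the <cert> and <key> sections of a client profile for the PEM blocks in the newly issued files, leaves <ca> and the rest of the profile untouched, and refuses to continue unless the profile has exactly one of each section. The profile and PEM contents embedded in it are constructed placeholders, not real keys; the command-line arguments it takes are its own assumption.

```python
"""Replace the inline <cert> and <key> sections of an OpenVPN client profile
with freshly issued PEM files.

Added example for this page, not code from OpenVPN or Easy-RSA.
Usage: update_ovpn.py PROFILE.ovpn pki/issued/NAME.crt pki/private/NAME.key
Without arguments it runs on the constructed sample profile below.
"""
from __future__ import annotations

import re
import sys
from pathlib import Path
from typing import Optional

# PEM armour for the two kinds of material we replace. Easy-RSA's .crt files
# start with a human-readable dump before the PEM block; OpenVPN tolerates
# that inside a profile, but only the PEM block is kept here.
PEM_RE = {
    "cert": re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S),
    "key": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----.*?-----END (?:RSA |EC )?PRIVATE KEY-----", re.S),
}


def extract_pem(text: str, kind: str) -> str:
    """Return the first PEM block of the given kind, with a trailing newline."""
    match = PEM_RE[kind].search(text)
    if match is None:
        raise ValueError(f"no {kind} PEM block found")
    return match.group(0).strip() + "\n"


def replace_section(profile: str, tag: str, pem: str) -> str:
    """Swap the body of <tag>...</tag>; insist on exactly one such section."""
    pattern = re.compile(rf"<{tag}>.*?</{tag}>", re.S)
    # A function replacement avoids backslash processing of the PEM text.
    updated, count = pattern.subn(lambda _m: f"<{tag}>\n{pem}</{tag}>", profile)
    if count != 1:
        raise ValueError(f"expected exactly one <{tag}> section, found {count}")
    return updated


def section(profile: str, tag: str) -> Optional[str]:
    """Body of <tag>...</tag>, used to verify the result."""
    match = re.search(rf"<{tag}>\n(.*?)</{tag}>", profile, re.S)
    return match.group(1) if match else None


def update_profile(profile: str, new_cert: str, new_key: str) -> str:
    """Return the profile with <cert> and <key> replaced by the new material.

    Both must change together: build-client-full issues a new private key
    alongside the new certificate, and a profile that mixes the old key with
    the new certificate does not work because the key no longer matches.
    """
    updated = replace_section(profile, "cert", extract_pem(new_cert, "cert"))
    return replace_section(updated, "key", extract_pem(new_key, "key"))


# Constructed sample data (placeholders, not real certificates or keys).
SAMPLE_PROFILE = """client
dev tun
proto udp
remote vpn.example.com 1194
<ca>
-----BEGIN CERTIFICATE-----
CA-PLACEHOLDER
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
OLD-CLIENT-CERT-PLACEHOLDER
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
OLD-CLIENT-KEY-PLACEHOLDER
-----END PRIVATE KEY-----
</key>
"""
NEW_CRT = """Certificate:
    Data:
        Serial Number: 5 (0x5)
        Subject: CN=clientname
-----BEGIN CERTIFICATE-----
NEW-CLIENT-CERT-PLACEHOLDER
-----END CERTIFICATE-----
"""
NEW_KEY = """-----BEGIN PRIVATE KEY-----
NEW-CLIENT-KEY-PLACEHOLDER
-----END PRIVATE KEY-----
"""

if __name__ == "__main__":
    if len(sys.argv) == 4:
        ovpn, crt, key = (Path(p) for p in sys.argv[1:])
        ovpn.write_text(update_profile(ovpn.read_text(), crt.read_text(), key.read_text()))
        print(f"updated {ovpn}")
    else:
        print(update_profile(SAMPLE_PROFILE, NEW_CRT, NEW_KEY))
```

Run it from the Easy-RSA directory as root, since pki/private/ is root-only; the rewritten profile keeps whatever mode the original had, so check that /root/clientname.ovpn is still 600 before distributing it.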
Certificate Revocation

See [user-management.md#revoking-a-user-certificate User Management] for details on revoking certificates. Revocation only takes effect if the server configuration points at the CRL (crl-verify /etc/openvpn/server/crl.pem) and the copy there is refreshed after every gen-crl. The CRL has its own validity period (EASYRSA_CRL_DAYS in the Easy-RSA vars file, 180 days by default); once it lapses the server rejects every client, including ones with valid certificates, so gen-crl and the copy have to be repeated before then even if nothing has been revoked.
Backup and Recovery

Backup Important Files

<pre class="lang-bash">
# Backup server configuration and certificates
tar -czf openvpn-backup-$(date +%Y%m%d).tar.gz \
    /etc/openvpn/server/ \
    /etc/openvpn/ccd/ \
    /root/*.ovpn
</pre>

The archive contains the CA private key (easy-rsa/pki/private/ca.key), the server key and every client profile with its inline key, so treat it like the keys themselves: restrict it to root (chmod 600) and keep any off-host copy encrypted.

Restore from Backup

Extract backup:

<pre class="lang-bash">
tar -xzf openvpn-backup-YYYYMMDD.tar.gz -C /
</pre>

tar removes the leading / from member names when the archive is created, so extracting with -C / puts the files back at their original paths; this overwrites whatever is currently there.

Verify file permissions:

<pre class="lang-bash">
chmod 600 /etc/openvpn/server/*.key
chmod 644 /etc/openvpn/server/*.crt
</pre>

Check the Easy-RSA keys as well: everything under /etc/openvpn/server/easy-rsa/pki/private/ should be owned by root and unreadable by anyone else.

Restart OpenVPN:

<pre class="lang-bash">
systemctl restart openvpn
</pre>
Related Documentation

- [User Management](user-management.md) - Managing users and certificates
- [Server Configuration](server-configuration.md) - Server setup
- Troubleshooting - Certificate troubleshooting