
OpenVPN:Certificate Management

From jb-vpn.uk Wiki
Revision as of 13:28, 1 January 2026 by Josh (talk | contribs) (Minor update - troubleshooting guide: OpenVPN Certificate Management (10 sections))

OpenVPN Certificate Management

This document describes certificate management for OpenVPN.

Certificate Authority

The server uses Easy-RSA 3 for certificate management. The Easy-RSA directory is located at /etc/openvpn/server/easy-rsa/.

Easy-RSA Commands Reference

Common Easy-RSA commands:

cd /etc/openvpn/server/easy-rsa/

# Build a new CA (only needed once)
./easyrsa build-ca

# Generate Diffie-Hellman parameters (only needed once)
./easyrsa gen-dh

# Build server certificate (already done)
./easyrsa build-server-full server nopass

# Build client certificate
./easyrsa build-client-full clientname nopass

# Revoke a certificate
./easyrsa revoke clientname

# Generate/update CRL
./easyrsa gen-crl

# Show certificate details
./easyrsa show-cert clientname

# List all certificates
ls -la pki/issued/

Viewing All Certificates

To show the details of a single issued certificate:

cd /etc/openvpn/server/easy-rsa/
./easyrsa show-cert clientname

To list all certificates in the PKI:

ls -la /etc/openvpn/server/easy-rsa/pki/issued/

Checking Certificate Expiration

To check when a certificate expires:

cd /etc/openvpn/server/easy-rsa/

# View certificate validity dates with OpenSSL
openssl x509 -in pki/issued/clientname.crt -noout -dates

# Or use Easy-RSA
./easyrsa show-cert clientname | grep -i "not after"
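The commands above check one certificate at a time. The script below is an added example (it is not part of this wiki page) that scans a whole pki/issued/ directory and flags every certificate expiring within a given window, so expiring client certificates are found before users lose access. It only assumes the openssl CLI; the issued directory path and the threshold in days are arguments, and the sample PKI it builds for demonstration consists of throwaway self-signed certificates, not real client certificates.

```shell
#!/bin/sh
# Added example, not part of the wiki page: scan an Easy-RSA pki/issued/
# directory and flag every certificate that expires within N days.
# Assumes only the openssl CLI; path and threshold are arguments.

# check_cert_expiry <issued-dir> [days]
# Prints "OK|EXPIRING <name> <notAfter>" for each certificate.
# Returns 0 when nothing expires inside the window, 1 otherwise.
check_cert_expiry() {
    dir="$1"
    days="${2:-30}"
    window=$((days * 86400))
    expiring=0
    for crt in "$dir"/*.crt; do
        [ -e "$crt" ] || continue        # empty directory: the glob stays literal
        name=$(basename "$crt" .crt)
        not_after=$(openssl x509 -in "$crt" -noout -enddate | sed 's/^notAfter=//')
        # -checkend exits non-zero if the certificate will have expired
        # (or has already expired) <window> seconds from now
        if openssl x509 -in "$crt" -noout -checkend "$window" >/dev/null 2>&1; then
            printf 'OK       %s  %s\n' "$name" "$not_after"
        else
            printf 'EXPIRING %s  %s\n' "$name" "$not_after"
            expiring=$((expiring + 1))
        fi
    done
    [ "$expiring" -eq 0 ]
}

# make_sample_pki: build a throwaway "issued" directory holding two
# self-signed certificates (constructed test data, not real client
# certificates) so the checker can be exercised without touching the
# server's PKI. Echoes the directory path.
make_sample_pki() {
    dir=$(mktemp -d)
    for spec in soon-client:5 long-client:400; do
        name=${spec%:*}
        days=${spec#*:}
        openssl req -x509 -newkey rsa:2048 -nodes \
            -keyout "$dir/$name.key" -out "$dir/$name.crt" \
            -days "$days" -subj "/CN=$name" >/dev/null 2>&1
    done
    echo "$dir"
}

# On the server (path as documented on this page):
#   check_cert_expiry /etc/openvpn/server/easy-rsa/pki/issued 30
if [ "$#" -gt 0 ]; then
    check_cert_expiry "$1" "${2:-30}"
fi
```

Run it from cron with a threshold comfortably longer than the time needed to reissue and redistribute a profile; the non-zero exit status makes it easy to trigger an alert without parsing the output.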

Renewing an Expired Certificate

If a certificate is about to expire or has expired:

Revoke the old certificate (if expired):

   cd /etc/openvpn/server/easy-rsa/
   ./easyrsa revoke clientname
   ./easyrsa gen-crl
   cp pki/crl.pem /etc/openvpn/server/crl.pem

Generate a new certificate:

   ./easyrsa build-client-full clientname nopass

Update the .ovpn file with the new certificate:

   # Extract new certificate
   cat pki/issued/clientname.crt
   
   # Update the <cert> section in the .ovpn file
   nano /root/clientname.ovpn

Distribute the updated .ovpn file to the client

Restart OpenVPN:

   systemctl restart openvpn
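The third step above replaces the <cert> section of the client's .ovpn file by hand in nano. The following is an added example, not part of this wiki page, that does the same splice with sed and awk so the renewed profile cannot end up with a half-pasted certificate. It assumes an Easy-RSA style .crt (a human-readable banner followed by the PEM block) and an inline profile that already carries a <cert>...</cert> section; the sample .ovpn and .crt it creates are constructed placeholders, not real certificates.

```shell
#!/bin/sh
# Added example, not from the wiki page: replace the <cert> block of a client
# .ovpn profile with a freshly issued certificate instead of editing it in nano.
# Assumes an Easy-RSA style .crt (text banner, then PEM) and an inline profile
# that already contains a <cert>...</cert> section.

# update_ovpn_cert <profile.ovpn> <issued.crt>
# Keeps a .bak copy of the profile; returns 1 without touching it on bad input.
update_ovpn_cert() {
    ovpn="$1"
    crt="$2"
    # Easy-RSA writes a readable dump above the PEM; keep only the PEM block.
    pem=$(sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' "$crt")
    if [ -z "$pem" ]; then
        echo "update_ovpn_cert: no PEM certificate found in $crt" >&2
        return 1
    fi
    if ! grep -q '^<cert>$' "$ovpn" || ! grep -q '^</cert>$' "$ovpn"; then
        echo "update_ovpn_cert: no <cert>...</cert> section in $ovpn" >&2
        return 1
    fi
    cp "$ovpn" "$ovpn.bak"
    tmp="$ovpn.tmp.$$"
    # Copy everything outside the <cert> block unchanged; emit the new PEM inside it.
    awk -v pem="$pem" '
        /^<cert>$/   { print; print pem; skip = 1; next }
        /^<\/cert>$/ { skip = 0 }
        skip != 1    { print }
    ' "$ovpn" > "$tmp" && mv "$tmp" "$ovpn"
}

# cert_in_profile <profile.ovpn>: echo the PEM currently embedded in <cert>
cert_in_profile() {
    sed -n '/^<cert>$/,/^<\/cert>$/p' "$1" | sed '1d;$d'
}

# make_sample_files: constructed .ovpn and .crt with placeholder PEM bodies
# (not real certificates) in a temporary directory; echoes the directory.
make_sample_files() {
    dir=$(mktemp -d)
    cat > "$dir/clientname.ovpn" <<'EOF'
client
dev tun
remote vpn.example.invalid 1194
<ca>
-----BEGIN CERTIFICATE-----
CA-PLACEHOLDER
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
OLD-CLIENT-CERT-PLACEHOLDER
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
KEY-PLACEHOLDER
-----END PRIVATE KEY-----
</key>
EOF
    cat > "$dir/clientname.crt" <<'EOF'
Certificate:
    Data:
        Subject: CN = clientname
-----BEGIN CERTIFICATE-----
NEW-CLIENT-CERT-PLACEHOLDER
-----END CERTIFICATE-----
EOF
    echo "$dir"
}

# On the server, after ./easyrsa build-client-full clientname nopass:
#   update_ovpn_cert /root/clientname.ovpn pki/issued/clientname.crt
```

Because a renewed certificate is paired with a new private key, the <key> section of the profile also has to be replaced with pki/private/clientname.key before the profile is distributed; the same awk pattern works for that block.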

Certificate Revocation

See [user-management.md#revoking-a-user-certificate User Management] for details on revoking certificates.

Backup and Recovery

Backup Important Files

# Backup server configuration and certificates
tar -czf openvpn-backup-$(date +%Y%m%d).tar.gz \
  /etc/openvpn/server/ \
  /etc/openvpn/ccd/ \
  /root/*.ovpn

Restore from Backup

Extract backup:

   tar -xzf openvpn-backup-YYYYMMDD.tar.gz -C /

Verify file permissions:

   chmod 600 /etc/openvpn/server/*.key
   chmod 644 /etc/openvpn/server/*.crt

Restart OpenVPN:

   systemctl restart openvpn

  • [User Management](user-management.md) - Managing users and certificates
  • [Server Configuration](server-configuration.md) - Server setup