Jump to content

OpenVPN:Certificate Management

From jb-vpn.uk Wiki
Revision as of 13:44, 1 January 2026 by Josh (talk | contribs) (Major update - troubleshooting guide: OpenVPN Certificate Management (31 sections))
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

This document describes certificate management for OpenVPN.

Certificate Authority

[edit]

The server uses Easy-RSA 3 for certificate management. The Easy-RSA directory is located at /etc/openvpn/server/easy-rsa/.

Easy-RSA Commands Reference

[edit]

Common Easy-RSA commands: 

cd /etc/openvpn/server/easy-rsa/

=== Build a new CA (only needed once) ===
./easyrsa build-ca

== Generate Diffie-Hellman parameters (only needed once) ==
./easyrsa gen-dh

== Build server certificate (already done) ==
./easyrsa build-server-full server nopass

== Build client certificate ==
./easyrsa build-client-full clientname nopass

== Revoke a certificate ==
./easyrsa revoke clientname

== Generate/update CRL ==
./easyrsa gen-crl

== Show certificate details ==
./easyrsa show-cert clientname

== List all certificates ==
ls -la pki/issued/

Viewing All Certificates

[edit]

To list all issued certificates: 

cd /etc/openvpn/server/easy-rsa/
./easyrsa show-cert clientname

To list all certificates in the PKI: 

ls -la /etc/openvpn/server/easy-rsa/pki/issued/

Checking Certificate Expiration

[edit]

To check when a certificate expires: 

cd /etc/openvpn/server/easy-rsa/

=== View certificate details ===
openssl x509 -in pki/issued/clientname.crt -noout -dates

== Or use Easy-RSA ==
./easyrsa show-cert clientname | grep -i "not after"

Renewing an Expired Certificate

[edit]

If a certificate is about to expire or has expired:

Revoke the old certificate (if expired):

[edit]
   cd /etc/openvpn/server/easy-rsa/
   ./easyrsa revoke clientname
   ./easyrsa gen-crl
   cp pki/crl.pem /etc/openvpn/server/crl.pem

Generate a new certificate:

[edit]
   ./easyrsa build-client-full clientname nopass

Update the .ovpn file with the new certificate:

[edit]
=== Extract new certificate ===
   cat pki/issued/clientname.crt
   
=== Update the <cert> section in the .ovpn file ===
   nano /root/clientname.ovpn

Distribute the updated .ovpn file to the client

[edit]

Restart OpenVPN:

[edit]
   systemctl restart openvpn

Certificate Revocation

[edit]

See [user-management.md#revoking-a-user-certificate User Management] for details on revoking certificates.

Backup and Recovery

[edit]

Backup Important Files

[edit]
==== Backup server configuration and certificates ====
tar -czf openvpn-backup-$(date +%Y%m%d).tar.gz \
  /etc/openvpn/server/ \
  /etc/openvpn/ccd/ \
  /root/''.ovpn

Restore from Backup

[edit]

Extract backup:

[edit]
   tar -xzf openvpn-backup-YYYYMMDD.tar.gz -C /

Verify file permissions:

[edit]
   chmod 600 /etc/openvpn/server/''.key
   chmod 644 /etc/openvpn/server/*.crt

Restart OpenVPN:

[edit]
   systemctl restart openvpn
[edit]
  • [User Management](user-management.md) - Managing users and certificates
  • [Server Configuration](server-configuration.md) - Server setup
Retrieved from "https://wiki.jb-vpn.uk/index.php?title=OpenVPN:Certificate_Management&oldid=239"