Configuration: CA Management

About the page

The Configuration: CA Management page enables you to view the certificate authority (CA) certificates for your Access Server as well as create new ones.

Access Server 2.9 and newer lets you view the details of the current and past CA certificates and, if desired, issue a new one.

Managing CA certificates

Access Server 2.9 and newer provides a CA Management section in the Admin Web UI where you can view your current CA certificates and generate new ones. Access Server manages and issues these certificates — clients that connect with an older certificate continue to connect as long as the public and private keys of the certificates on your Access Server match.

Certificate lifetime cycle

By default, Access Server generates a certificate authority (CA) from which server certificates and client certificates are generated with a 10-year lifetime, although this is adjustable. For a VPN connection to succeed, both the client certificate and the CA it uses to verify against must be valid. To ensure this remains the case, if Access Server starts up and detects the current CA is older than one year, it generates a new CA and uses that for creating new client certificates. This ensures that any newly generated user profiles with their associated certificates are valid for at least 9 years.

CA overview

The CA Management tab displays all of the CAs on your Access Server with these details:

  • Type: Whether it’s the current or a previous CA. There must always be one current CA.
  • Certificate CN: The name of the certificate. The CA issued when you launch your Access Server is named “OpenVPN CA”. When you create new CAs, you can define their names.
  • Algorithm: The signing algorithm for the keys.
  • Expires: The time remaining until each CA expires.
  • User Profiles: The number of profiles associated with each CA.
  • Actions: Click View Profiles to view the profiles for the selected CA in the User Profile section of the Admin Web UI. Click Delete to delete the CA and any associated user profiles.

Create a new CA

Create a new CA by clicking Create New CA. You can then enter a Common Name (CN) and choose a signing algorithm. We recommend secp384rl for your algorithm and provide some inline information to help you with your key-signing choices. When you create a new CA, this forces a service-level Access Server restart. After the restart completes, sign in to the Admin Web UI again.

Summary

The Configuration: CA Management page enables you to create new CAs and displays existing CAs for your Access Server.