Configuration: CA Management
About the page
Configuration: CA Management enables you to view the certificate authority (CA) certificates for your Access Server as well as create new ones. A new feature that was introduced in version 2.9 lets you view the details of the current and past CA certificates and, if desired, issue a new one.
CA Management page:
Managing CA certificates
Access Server version 2.9 and newer provides a CA Management section in the Admin Web UI where you can view your current CA certificates and generate new ones. Access Server manages and issues these certificates—clients that connect with an older certificate will continue to connect as long as the public and private keys of the certificates on your Access Server match.
Certificate lifetime cycle
By default, Access Server generates a certificate authority (CA) from which server certificates and client certificates are generated with a 10-year lifetime, although this is adjustable. For a VPN connection to succeed, both the client certificate and the CA it uses to verify against must be valid. To ensure this remains the case, if Access Server starts up and detects the current CA is older than one year, it will generate a new CA and start using that for creating new client certificates. This ensures that any newly generated user profiles with their associated certificates are valid for at least 9 years.
The CA Management tab displays all of the CAs on your Access Server with these details:
- Type: Whether it’s the current or a previous CA. There must always be one current CA.
- Certificate CN: The name of the certificate. The CA issued when you launch your Access Server is named “OpenVPN CA”. When you create new CAs, you can define their names.
- Algorithm: The signing algorithm for the keys.
- Expires: The time remaining until each CA expires.
- User Profiles: The number of profiles associated with each CA.
- Actions: Click View Profiles to view the profiles for the selected CA in the User Profile section of the Admin Web UI. Click Delete to delete the CA and any associated user profiles.
Create a new CA
You can create a new CA by clicking on the Create New CA tab. Enter a Common Name (CN) and choose a signing algorithm — we’ve provided some inline information to help you with your key signing choices. Click Create New CA. Note that this action forces a service-level Access Server restart. After the restart completes you’ll need to sign in to the Admin Web UI again.
Configuration: CA Management enables you to create new CAs and displays existing CAs for your Access Server. For further technical details, refer to CA Certificate Management.