Certificate Management

The Certificate Management section allows you to manage the digital certificates used by Access Server for secure communication between the web interfaces, VPN server, and VPN clients.

This section is organized into three tabs:

  1. Web Server Certificate

  2. VPN Server Certificate Authority

  3. VPN Client Certificates

🔐 Web Server Certificate

This tab shows the current TLS certificate used to secure both the Admin and Client Web UIs. You can upload your own signed certificate to replace the automatically generated default.

  • Use your own certificate: Click to provide your own signed certificate and associated files. Drag and drop or click to upload each file. You'll be able to upload (in .pem format):

    • Private key

    • Web certificate

    • CA bundle

    Important

    Uploaded certificates are used for HTTPS access to both web interfaces. Ensure your certificate covers the public hostname clients will use to connect.
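
Before uploading, the three files can be checked against each other and against the public hostname from a shell. This is an added example, not part of the Access Server documentation or tooling: the function name `check_web_cert`, its return codes and the file names are assumptions, and it relies only on the standard `openssl` command line.

```shell
#!/bin/sh
# Added example: pre-upload checks for the three .pem files requested by the
# Web Server Certificate tab. Function name and return codes are assumptions
# made for this example; only standard openssl subcommands are used.
#
# Usage: sh check_web_cert.sh <private-key.pem> <web-cert.pem> <ca-bundle.pem> <hostname>

check_web_cert() {
    key=$1 cert=$2 bundle=$3 host=$4

    # 1. The private key must belong to the certificate: compare the public
    #    key derived from the key file with the one embedded in the certificate.
    #    '-passin pass:' makes an encrypted key fail instead of prompting.
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null) || {
        echo "cannot read private key (encrypted or not PEM?): $key" >&2; return 1; }
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || {
        echo "cannot read certificate: $cert" >&2; return 1; }
    if [ "$key_pub" != "$cert_pub" ]; then
        echo "private key does not match certificate" >&2; return 1
    fi

    # 2. The certificate must chain to a CA in the bundle. -partial_chain
    #    accepts a bundle that holds only intermediates (no self-signed root).
    if ! openssl verify -partial_chain -CAfile "$bundle" "$cert" >/dev/null 2>&1; then
        echo "certificate does not chain to the CA bundle" >&2; return 2
    fi

    # 3. The certificate must cover the hostname clients connect to.
    #    'x509 -checkhost' reports its result as text, so match on the output.
    if ! openssl x509 -in "$cert" -noout -checkhost "$host" 2>/dev/null |
            grep -q 'does match certificate'; then
        echo "certificate does not cover hostname: $host" >&2; return 3
    fi

    echo "OK: key, certificate, CA bundle and hostname are consistent"
}

# Run the checks only when called with the four expected arguments.
if [ "$#" -eq 4 ]; then
    check_web_cert "$@"
fi
```

A return code of 1 points at the key/certificate pair, 2 at the CA bundle, and 3 at the hostname.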

🏢 VPN Server Certificate Authority

This tab displays the list of Certificate Authorities (CAs) used by the VPN server to issue client certificates.

  • Certificate Authority table: Each CA entry includes:

    • Common Name

    • Algorithm (e.g., rsa2048, secp256k1, secp384r1)

    • Expires

    • User Profiles (number of connection profiles signed by this CA)

    • Delete button

      Warning

      Deleting a CA will invalidate all connection profiles signed by it.

  • Add a New CA: Click New CA Certificate to create a new Certificate Authority.

    1. Enter a Common name for the CA.

    2. Choose a Signing algorithm.

    3. Click Add new CA and Restart.

      Note

      The server will briefly restart to apply the new CA.

By default, Access Server generates a certificate authority (CA) from which server certificates and client certificates are generated with a 10-year lifetime, although this is adjustable. For a VPN connection to succeed, both the client certificate and the CA it is verified against must be valid. To keep this the case, if Access Server starts up and detects that the current CA is older than one year, it generates a new CA and uses that for creating new client certificates. This ensures that any newly generated user profiles, with their associated certificates, are valid for at least 9 years.

👤 VPN Client Certificates

This tab shows all VPN client certificates issued by your server. These are used to authenticate individual users during VPN connection attempts.

  • Client Certificate table: You can sort, filter, and manage certificates directly from this table. Each row includes:

    • Signing CA

    • Created (date)

    • Serial Number (SN)

    • Username

    • Last Used (date)

    • Allow auto-login (Yes/No)

    • tls-crypt v2 (Yes/No)

    • Expires

    • Comment

    • Delete button

  • New Connection Profile: Click to create a new VPN connection profile and certificate for a specific user.

  • New Token URL: Click to generate a time-limited link that allows the user to download a connection profile without signing in to the Client Web UI.