
Why's My VPN Certificate Valid for 10 Years?

Question: Why are VPN certificates valid for 10 years?

Answer:

You can find in-depth information here: CA Certificate Management.

Access Server generates a unique Certificate Authority (CA) and private/public key pair for each installation. The CA signs a certificate for the VPN server and one for every client, so each side can verify the other's identity when a connection is established. Each VPN user account receives its own private key and public certificate.

Web server certificates often have short lifespans (two years, or even three months) because a public CA can re-check who owns the name at any time through public channels such as DNS records, and renewal can be automated on that basis. VPN client certificates have no comparable public identity to check: nothing outside the installation can vouch for a client at renewal time. Access Server instead establishes trust through its own CA signature on the certificate together with the user's credentials at connection time.

A 10-year validity period for VPN certificates minimizes the need for re-provisioning, which matters most for systems that require uninterrupted connectivity, such as servers or hardware devices with no one on hand to install a fresh profile. The long lifespan keeps those connections stable without scheduled certificate replacement.

A long lifetime does not mean a certificate cannot be withdrawn. Administrators can revoke a client certificate from the Admin Web UI, so a certificate on a lost or compromised device stops being accepted long before its ten years are up. With a 10-year certificate, revocation, not expiry, is the control that ends access.
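The following is an added example, not Access Server's own PKI tooling or any code from this page: a throwaway CA built with the plain openssl command line issues a client certificate with a 3650-day (10-year) lifetime, checks how far into the future it stays valid, and then revokes it through a CRL to show that a long-lived certificate is cut off by revocation rather than by expiry. The CA name "demo-vpn-ca", the user "alice", the file names and the helper function names are all constructed for the example; it needs only the openssl CLI (1.1.1 or 3.x).

```shell
#!/bin/sh
# Added example (not Access Server's code). Requires the openssl CLI.
set -e

# Build a self-signed CA and one client cert under $1, both valid for $2 days.
# One config file serves both `openssl req` (CA extensions) and `openssl ca`
# (the revocation database used to produce the CRL).
build_demo_pki() {
    dir=$1; days=${2:-3650}
    mkdir -p "$dir"
    touch "$dir/index.txt"          # openssl ca's revocation database
    echo 01 > "$dir/crlnumber"      # CRL sequence number
    cat > "$dir/pki.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[ dn ]
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = $dir/index.txt
crlnumber = $dir/crlnumber
default_md = sha256
default_crl_days = 30
EOF
    # CA key and self-signed CA certificate (constructed name "demo-vpn-ca").
    openssl req -x509 -config "$dir/pki.cnf" -newkey ec \
        -pkeyopt ec_paramgen_curve:prime256v1 -nodes -days "$days" \
        -subj "/CN=demo-vpn-ca" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    # Client key and CSR for the constructed user "alice", signed by the CA
    # for the same 10-year window the page describes.
    openssl req -new -config "$dir/pki.cnf" -newkey ec \
        -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -subj "/CN=alice" -keyout "$dir/alice.key" -out "$dir/alice.csr" 2>/dev/null
    openssl x509 -req -in "$dir/alice.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days "$days" -out "$dir/alice.crt" 2>/dev/null
}

# Exit 0 when certificate $1 is still within its validity period $2 days from
# now; -checkend does the date arithmetic portably.
cert_outlives_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Exit 0 when client cert $2 chains to CA $1. If a CRL is given as $3, a
# revoked certificate is rejected even though its dates are still fine.
cert_accepted() {
    ca=$1; cert=$2; crl=${3:-}
    if [ -n "$crl" ]; then
        openssl verify -CAfile "$ca" -crl_check -CRLfile "$crl" "$cert" >/dev/null 2>&1
    else
        openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1
    fi
}

# Mark certificate $2 revoked in the CA under $1 and publish a fresh CRL at $1/ca.crl.
revoke_cert() {
    dir=$1; cert=$2
    openssl ca -config "$dir/pki.cnf" -keyfile "$dir/ca.key" -cert "$dir/ca.crt" \
        -revoke "$cert" >/dev/null 2>&1
    openssl ca -config "$dir/pki.cnf" -keyfile "$dir/ca.key" -cert "$dir/ca.crt" \
        -gencrl -out "$dir/ca.crl" >/dev/null 2>&1
}

# Stand-alone demo: 10-year lifetime, then revocation ending trust early.
demo() {
    work=$(mktemp -d)
    build_demo_pki "$work" 3650
    openssl x509 -in "$work/alice.crt" -noout -subject -enddate
    if cert_outlives_days "$work/alice.crt" 3600; then echo "valid in 3600 days: yes"; fi
    if ! cert_outlives_days "$work/alice.crt" 3700; then echo "valid in 3700 days: no"; fi
    if cert_accepted "$work/ca.crt" "$work/alice.crt"; then echo "before revocation: accepted"; fi
    revoke_cert "$work" "$work/alice.crt"
    if ! cert_accepted "$work/ca.crt" "$work/alice.crt" "$work/ca.crl"; then
        echo "after revocation: rejected (dates unchanged)"
    fi
    rm -rf "$work"
}
demo
```

The -checkend call is the same check you would run against the certificate embedded in a client profile to see how much of the ten years remains; the CRL step is the openssl equivalent of what revoking a client from the Admin Web UI achieves, namely that the certificate is refused while its notAfter date is still years away.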

Note that OpenVPN Access Server uses certificates both for its web services and for the VPN connections themselves. VPN certificates default to a 10-year validity, but administrators can choose a different duration when setting up a new server. Because the validity window is written into each signed certificate, that choice applies to certificates issued under the new setting; certificates already issued keep the dates they were signed with.