Tutorial: Advanced CA Certificate Management (CLI)
Commands for managing CA certificates with Access Server. The latest Access Server version supports multiple CA certificates for your VPN server.
Overview
Access Server supports multiple CA certificates. Refer to CA Certificate Management for details about managing these from the Admin Web UI. This tutorial details advanced configuration options using the command-line interface (CLI).
Tip
You can easily manage your CA certificates from the Admin Web UI on the CA Management page under configuration.
An installed Access Server.
Console access and the ability to get root access.
This table outlines the commands you can use with Access Server's sa tool for managing CA certificates from the CLI. The sections following present examples of using the commands and options.
Commands and options | Use |
|---|---|
SetPKIConfig | Set the PKI configuration settings. Use this command to set a specific value. |
ShowPKIConfig | Show the PKI configuration settings. Use this command to display your current PKI configuration settings. |
--ca_renew_after_days= | Set the number of days for renewing the CA certificate. On the latest Access Server versions, the default is 365 days. Automatic renewal occurs when the set number of days is reached. |
--client_certificate_lifetime= | Set the number of days until the client certificate expires. The default is 3650 days from the date of the server's CA certificate (ten years). |
--obfuscate_certs | Use client_{serial_number] instead of the real common name when Access Server generates a client certificate — set to true or false. The default is false. |
--random_serial_numbers= | Use this to choose whether Access Server assigns random serial numbers — set to true or false. The default is true as of Access Server 2.12.0. |
Access Server 2.12.0 introduced command-line support for the CA management. You can display the current public key infrastructure (PKI) configuration:
Connect to your Access Server's console and get root privileges.
Run this command:
/usr/local/openvpn_as/scripts/sa showpkiconfig
On a clean install of Access Server 2.12.0 and newer, this is the expected result:
Configuration key Value random_serial_numbers true client_certificate_lifetime 3650 ca_certificate_lifetime 3650 ca_renew_after_days 365 obfuscate_certs false
Access Server 2.12.0 introduced support for defining the CA renewal period. You can do this from your Access Server's command-line interface (CLI).
The default renewal period is set to 365 days. Access Server generates new CA and server certificates when it has been more than or equal to 365 days since the last certificate generation.
Change the renewal interval
Connect to your Access Server's console and get root privileges.
Run these commands:
/usr/local/openvpn_as/scripts/sa --ca_renew_after_days=[VALUE]1 setpkiconfig service openvpnas restart
Replace [VALUE] with your desired number of days.
Check the change with this command:
/usr/local/openvpn_as/scripts/sa showpkiconfig
Access Server now renews CA certificates after the defined days for the custom value pass.
Access Server 2.12.0 introduced support for defining the client certificate expiration date. You can do this from your Access Server's command-line interface (CLI).
The default expiration date is the same as the signing CA expiration date.
Set a specific certificate lifetime (such as one or two years):
Connect to your console and get root privileges.
Run these commands:
/usr/local/openvpn_as/scripts/sa --client_certificate_lifetime=[VALUE]1 setpkiconfig service openvpnas restart
Replace [VALUE] with your desired number of days.
Check the change with this command:
/usr/local/openvpn_as/scripts/sa showpkiconfig
When a user downloads a new profile, it's generated with the new certificate lifetime. You can view the new expiration date in the Admin Web UI from the User Profiles page.