Tutorial: Recovering SSL Web Certificates from the Config DB

Abstract

How to retrieve SSL web certificates installed on an Access Server.

Overview

Occasionally, users may need to extract SSL web certificates from their Access Server, whether to reuse them elsewhere, back them up, or transfer them to a new installation. Access Server stores these files inside its SQLite3 configuration database rather than as separate files on disk, so retrieving them can be challenging. This guide provides steps to extract the SSL certificate data and store it separately. Note that this guide is relevant only for those who have installed a commercial SSL certificate with private key and intermediary (CA) bundle files on their Access Server and need to recover them.

  • An installed Access Server.

  • An installed commercial SSL certificate with private key and intermediary (CA) bundle files.

  • Console access and the ability to get root access.

  1. Connect to your console and get root privileges.

  2. Switch to the scripts directory:

    cd /usr/local/openvpn_as/scripts/

  3. Open your CA bundle:

    ./sacli configquery|grep cs.ca_bundle|cut -d '"' -f 4|sed 's/\\n/\n/g'

    • Optional: If you want to transfer the file, you can use WinSCP (Windows) or SCP:

      # This command saves the CA bundle to a file for later transfer
      ./sacli configquery|grep cs.ca_bundle|cut -d '"' -f 4|sed 's/\\n/\n/g' > cs.ca_bundle.cert
      # Transfer using SCP or WinSCP as needed.

  4. Copy the certificate by scrolling up, if necessary, and selecting from BEGIN CERTIFICATE. Stop when you hit the last END CERTIFICATE.

  5. Paste the contents into a text editor and save the file as ca.pem.

  6. Open your private key:

    ./sacli configquery|grep cs.priv_key|cut -d '"' -f 4|sed 's/\\n/\n/g'

  7. Copy the key by scrolling up, if necessary, and selecting from BEGIN RSA PRIVATE KEY. Stop when you hit the last END RSA PRIVATE KEY.

  8. Paste the contents into a text editor and save the file as server.key.

  9. Open your server certificate file:

    ./sacli configquery |grep cs.cert|cut -d '"' -f 4|sed 's/\\n/\n/g'

  10. Copy the certificate by scrolling up, if necessary, and selecting from BEGIN CERTIFICATE. Stop when you hit the last END CERTIFICATE.

  11. Paste the contents into a text editor and save the file as server.crt.

    • You now have a backup of the files originally submitted to Access Server and installed.
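
The steps above can also be scripted so the private key never passes through the terminal scrollback or the clipboard. The following is an added example, not part of the original tutorial or of Access Server itself: it writes the three files with a restrictive umask, matches each key name exactly instead of as a regular expression, and checks that the recovered key belongs to the recovered certificate. The function names and the output directory are assumptions; it relies on GNU sed, as the commands above do.

```shell
#!/bin/sh
# Added example: scripted form of steps 2-11. Not Access Server's own tooling.
SACLI_DIR=/usr/local/openvpn_as/scripts    # scripts directory from step 2

# Read `sacli configquery` output on stdin and print the decoded value of one
# key. grep -F with the surrounding quotes matches the key name exactly.
pem_from_configquery() {
    grep -F "\"$1\"" | cut -d '"' -f 4 | sed 's/\\n/\n/g'
}

# Succeed only if the private key ($1) and certificate ($2) carry the same
# public key, i.e. the two recovered files belong together.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

# Write ca.pem, server.key and server.crt into the absolute directory $1.
# Runs in a subshell so the umask and cd do not leak into the caller.
export_web_certs() (
    umask 077                               # new files readable by root only
    mkdir -p "$1" || exit 1
    cd "$SACLI_DIR" || exit 1
    cfg=$(./sacli configquery) || exit 1    # one query, reused for all keys
    printf '%s\n' "$cfg" | pem_from_configquery cs.ca_bundle > "$1/ca.pem"
    printf '%s\n' "$cfg" | pem_from_configquery cs.priv_key  > "$1/server.key"
    printf '%s\n' "$cfg" | pem_from_configquery cs.cert      > "$1/server.crt"
    if key_matches_cert "$1/server.key" "$1/server.crt"; then
        echo "server.key matches server.crt"
    else
        echo "WARNING: server.key does not match server.crt" >&2
        exit 1
    fi
)

# Run only when an output directory is given, e.g. (hypothetical path):
#   sh export-web-certs.sh /root/web-cert-backup
if [ -n "${1:-}" ]; then
    export_web_certs "$1"
fi
```

Run it as root with an absolute output directory, and move the resulting server.key only over an encrypted channel such as SCP.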