Tutorial: How to Manually Regenerate Self-signed Certificates
This tutorial allows you to regenerate the self-signed certificates Access Server uses for its web services.
Overview
When Access Server isn't provided with SSL web certificates, it uses its own self-signed certificates and regenerates them when certain conditions are met. If those files have been tampered with, you can reset them with the instructions found here. Regeneration exists to meet today's stricter security requirements for self-signed certificates. EKU (Extended Key Usage) is one of those requirements; because older versions of Access Server generated self-signed certificates without EKU, those certificates are regenerated when you upgrade to Access Server 2.9 or newer.
If all of the below conditions are met, the Access Server enables its internal logic for self-signed certificate management:
The configuration keys cs.cert, cs.priv_key, cs.ca_bundle, and cs.ca_key do not store certificates and keys in-line.
The file /usr/local/openvpn_as/etc/web-ssl/ca.crt has a CN that contains "OpenVPN Web CA".
The file /usr/local/openvpn_as/etc/web-ssl/ca.key exists.
In addition to the above, if any of the triggers below match, Access Server regenerates the certificates:
The certificate expiration date is less than 180 days away.
The certificate does not contain EKU parameters.
The certificate CN does not match the hostname configured in Access Server.
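The preconditions and triggers listed above, written out as a small checker. This is an added example, not Access Server's own code: the precondition check takes the four cs.* keys as a dict, the CA CN and whether ca.key exists, and the trigger check works on a few fields read from the server certificate. The PEM loader assumes the third-party cryptography package is installed; the decision functions need only the standard library.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

EXPIRY_WINDOW = timedelta(days=180)       # trigger: less than 180 days left
SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1"     # EKU serverAuth, for reference
WEB_CA_MARKER = "OpenVPN Web CA"          # must appear in the CA CN


@dataclass
class WebCert:
    cn: str
    not_after: datetime        # timezone-aware UTC
    eku: tuple[str, ...]       # EKU OIDs as dotted strings; empty if the extension is absent


def management_enabled(config: dict, ca_cn: str, ca_key_exists: bool) -> bool:
    """All three preconditions: no in-line cert/key values, CA CN contains the marker, ca.key present."""
    inline_keys = ("cs.cert", "cs.priv_key", "cs.ca_bundle", "cs.ca_key")
    if any(config.get(k) for k in inline_keys):
        return False
    return WEB_CA_MARKER in ca_cn and ca_key_exists


def regeneration_triggers(cert: WebCert, hostname: str, now: datetime) -> list[str]:
    """Names of the triggers that fire for this certificate; an empty list means no regeneration."""
    fired = []
    if cert.not_after - now < EXPIRY_WINDOW:
        fired.append("expires within 180 days")
    if not cert.eku:
        fired.append("no EKU extension")
    if cert.cn != hostname:
        fired.append("CN does not match configured hostname")
    return fired


def load_pem(path: str) -> WebCert:
    """Read server.crt (or any PEM cert) into a WebCert; imported lazily so the logic above runs without cryptography."""
    from cryptography import x509
    from cryptography.x509.oid import ExtensionOID, NameOID
    with open(path, "rb") as f:
        cert = x509.load_pem_x509_certificate(f.read())
    cn_attrs = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)
    cn = cn_attrs[0].value if cn_attrs else ""
    try:
        ext = cert.extensions.get_extension_for_oid(ExtensionOID.EXTENDED_KEY_USAGE)
        eku = tuple(oid.dotted_string for oid in ext.value)
    except x509.ExtensionNotFound:
        eku = ()
    not_after = cert.not_valid_after.replace(tzinfo=timezone.utc)  # naive UTC in older cryptography versions
    return WebCert(cn, not_after, eku)
```

To check a live install, call load_pem("/usr/local/openvpn_as/etc/web-ssl/server.crt") and pass the result to regeneration_triggers with the hostname configured in Access Server and datetime.now(timezone.utc).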
To install valid SSL web certificates and replace the self-signed certificates, refer to this tutorial:
Prerequisites
Access Server 2.9 and newer.
Console access and the ability to get root access.
Caution
Running these commands overwrites any existing self-signed certificates.
We recommend creating a backup before you continue.
Connect to the console and get root privileges.
Run these commands to regenerate self-signed certificates (and overwrite existing ones):
cd /usr/local/openvpn_as/scripts/
./certool -d /usr/local/openvpn_as/etc/web-ssl --type ca --unique --cn "OpenVPN Web CA"
./certool -d /usr/local/openvpn_as/etc/web-ssl --type server --remove_csr --sn_off --serial 1 --name server --cn vpn.example.com
./sacli start
Remove any in-line web certificates and keys from the configuration so the regenerated self-signed certificates are used:
cd /usr/local/openvpn_as/scripts/
./sacli --key "cs.cert" ConfigDel
./sacli --key "cs.priv_key" ConfigDel
./sacli --key "cs.ca_bundle" ConfigDel
./sacli --key "cs.ca_key" ConfigDel
./sacli start