Skip to main content

Tutorial: How to Replace 1024-bit VPN Certificates for Access Server

Abstract

This tutorial will help you replace outdated 1024-bit certificates with more secure ones, ensuring long-term compatibility and security for your VPN clients.

Overview

This tutorial explains how to replace insecure 1024-bit VPN certificates with stronger ones for Access Server. With Access Server versions 2.9.2 and newer, you may encounter a warning message about legacy 1024-bit CA certificates, which are no longer considered secure. This guide will help you create a new CA certificate, migrate your VPN clients, and remove old certificates in a way that minimizes disruption to your users.

Prerequisites

  • An installed Access Server version 2.9.2 or newer.

  • Console access and get root privileges.

  • A server configuration backup.

  • Understanding that changes will temporarily disconnect VPN clients.

Step 1: Create a new CA certificate

  1. Sign in to your Admin Web UI.

  2. Click Configuration > CA Management.

  3. Select the Create New CA tab.

  4. Enter a common name.

  5. Select the signing algorithm (recommended: secp384r1).

  6. Click Create New CA.

    Caution

    This action forces a service restart, temporarily disconnecting VPN clients. After the restart, Access Server will accept clients using old and new certificates.

Step 2: Migrate VPN clients to the new CA

Notice

Most VPN clients will continue using their old certificates until new profiles are downloaded. Below are several ways users can migrate.

Option 1: Import a new profile in OpenVPN Connect

  1. Open OpenVPN Connect.

  2. Click the Add icon.

  3. Enter your Access Server's URL.

  4. Enter your username and password.

  5. Click Import.

Option 2: Download a profile from the Client Web UI

  1. Sign in to the Client Web UI (your server's IP or hostname without /admin).

  2. Download a connection (.ovpn) profile.

  3. Open OpenVPN Connect.

  4. Click Add icon, then File.

  5. Drag and drop the .ovpn profile or browse for it on your device.

Option 3: Download pre-configured OpenVPN Connect from the Client Web UI

  1. Sign in to the Client Web UI.

  2. Download OpenVPN Connect for your specific platform.

Step 3: Plan to delete the old CA and certificates

Notice

Once all users have migrated to new profiles, the warning message regarding the 1024-bit CA will disappear when the old CA is deleted. Before removing it, verify that all users have switched to the new CA.

  1. Sign in to the Admin Web UI.

  2. Click Configuration > CA Management.

  3. Locate the old CA and click View Profiles.

    • This takes you to the User Profiles page but only displays results for the specific CA certificate.

  4. Expand the username to check the Last Used dates to ensure users no longer use old profiles.

    • If all users have migrated, you can safely delete the old CA.

  5. Click Configuration > CA Management to return to the CA page.

  6. Click Delete next to the old CA.

  7. In the notification windows, check the box to delete this CA and all associated user profiles.

  8. Click Delete and then Update Running Server.

In this section: