Tutorial: Install a Signed SSL Certificate from the Command-line Interface
Follow this tutorial to install a signed SSL certificate using the command line.
Overview
Access Server’s web services secure the connection between the web browser and server using an SSL certificate. When you install Access Server, it generates a self-signed certificate. Because of this self-signed certificate, the first time you sign in to the Admin Web UI or Client UI, you must click through a warning in your browser. This is expected. We recommend replacing the self-signed certificate with your own signed certificate so you don’t have to bypass the warning message continually.
This tutorial uses the command-line interface. To use the Admin Web UI, follow this tutorial:
This is the process for installing a signed SSL certificate for a fully qualified domain name (FQDN) for accessing your web services — the Admin Web UI and Client UI — in a web browser:
Assign an FQDN to Access Server.
Set the required DNS record.
Generate a private key.
Use the key to create a certificate signing request (CSR).
Send the CSR to a trusted party to validate and sign.
Install the signed certificate, private key, and intermediary file.
This tutorial shows you how to complete the sixth step in the above process: installing the SSL files using the CLI.
Tip
You can do the first five steps with your website host and certificate authorities.
An installed Access Server.
Console access and the ability to get root access.
An Access Server hostname.
A signed certificate, private key, and intermediary bundle.
Save your signed certificate, private key, and intermediary bundle files to a location on your server. Our example uses the directory /etc/webcerts/vpn.yourdomain.com/.
You could do this with a file transfer app or the wget command.
Important
Ensure the certificates are formatted as PEM files. Access Server doesn’t accept .p12 or .pfx formatted certificates. You can convert files from .pfx to PEM type with the DigiCert Certificate Utility for Windows.
Connect to the console and get root privileges.
Switch to the Access Server scripts directory:
cd /usr/local/openvpn_as/scripts/
Run the commands below to store the files in the configuration database:
Store the private key file in the configuration database:
./sacli --key "cs.priv_key" --value_file "/etc/webcerts/vpn.yourdomain.com/privatekey.pem" ConfigPut
Store the certificate file in the configuration database:
./sacli --key "cs.cert" --value_file "/etc/webcerts/vpn.yourdomain.com/crt.pem" ConfigPut
Store the CA bundle file in the configuration database:
./sacli --key "cs.ca_bundle" --value_file "/etc/webcerts/vpn.yourdomain.com/intermediary_bundle.pem" ConfigPut
Prior to restarting the webserver to begin using the new certificates, you can validate the files using the following command:
./sacli --ca_bundle=/etc/webcerts/vpn.yourdomain.com/intermediary_bundle.pem --cert=/etc/webcerts/vpn.yourdomain.com/crt.pem --priv_key=/etc/webcerts/vpn.yourdomain.com/privatekey.pem TestWebCerts
The output should display information about SSL certificates with their values, not errors or warnings.
Once the private key, certificate, and intermediary bundle files are all set, restart the Access Server web service and begin using the new certificates:
./sacli start
To verify that you correctly installed the web SSL certificates, we recommend using online tools such as the DigiCert SSL Installation Diagnostics Tool or Qualys SSL Labs SSL Server Test. We recommend additional security steps, including adjusting the TLS settings and web server cipher suite string.
To read more about how OpenVPN Access Server manages the self-signed certificate:
Note
SSL certificates are not related to VPN certificates, as they are separate and managed differently. Alterations to SSL certificates don’t affect VPN certificates.
Multiple intermediary files
What if you have additional files? In many cases, you receive more files that provide the links in the chain of trust between your signed certificate and the root authority known in your web browser as a trusted party. If you’ve received more than one intermediate file:
Create a new text file.
Paste the intermediate certificates one after the other into the new file.
Save it and import it.
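A pre-flight check for the private key, certificate and intermediary bundle before they are stored with sacli, plus a helper that builds one bundle file from several intermediates as described in the steps above. This is an added example, not part of the Access Server documentation or its tools; it assumes the openssl command-line tool is installed and takes the same file paths used in this tutorial as arguments.

```shell
#!/bin/sh
# Pre-flight checks on the web-SSL PEM files before they go into the
# configuration database. Added example; needs the openssl CLI (assumption).

# pem_has <file> <type>: true if the file holds a PEM block of that type,
# e.g. "CERTIFICATE" or "PRIVATE KEY" (also matches "RSA PRIVATE KEY").
pem_has() {
    grep -q "^-----BEGIN .*$2-----" "$1" 2>/dev/null
}

# count_certs <bundle>: number of certificates in a concatenated bundle.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# build_bundle <out> <intermediate>...: concatenate intermediate files in the
# order given (the one that signed your certificate first, the one signed by
# the root last), making sure each ends with a newline so markers stay intact.
build_bundle() {
    out=$1; shift
    : > "$out"
    for f in "$@"; do
        pem_has "$f" CERTIFICATE || { echo "not a PEM certificate: $f" >&2; return 1; }
        cat "$f" >> "$out"
        [ -z "$(tail -c1 "$f")" ] || echo >> "$out"
    done
}

# check_webcerts <privatekey.pem> <crt.pem> <intermediary_bundle.pem>
check_webcerts() {
    key=$1; cert=$2; bundle=$3
    pem_has "$key" "PRIVATE KEY" || { echo "not a PEM private key: $key" >&2; return 1; }
    pem_has "$cert" CERTIFICATE || { echo "not a PEM certificate: $cert" >&2; return 1; }
    pem_has "$bundle" CERTIFICATE || { echo "not a PEM bundle: $bundle" >&2; return 1; }
    # 1. the certificate's public key must belong to this private key
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ] || { echo "private key does not match certificate" >&2; return 1; }
    # 2. the certificate must be valid right now (-checkend 0 fails once expired)
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null || { echo "certificate expired" >&2; return 1; }
    # 3. the bundle must be what signed the certificate; -partial_chain treats the
    #    bundle as the trust anchor here, the browser still needs the real root
    openssl verify -partial_chain -CAfile "$bundle" "$cert" >/dev/null 2>&1 \
        || { echo "bundle does not chain to certificate" >&2; return 1; }
    echo "ok: key, certificate and $(count_certs "$bundle")-certificate bundle are consistent"
}

# Stand-alone use: sh checkcerts.sh privatekey.pem crt.pem intermediary_bundle.pem
if [ "$#" -eq 3 ]; then check_webcerts "$@"; fi
```

Run it against the three files before the ConfigPut commands; a non-zero exit with its message tells you which of the key/certificate match, validity period, or chain is wrong.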
Fall back to self-signed certificates
If you have a reason to remove the SSL files and use Access Server's self-signed certificates instead, you can run the commands below.
Remove the keys and fall back to the self-signed certificates in the web-ssl directory:
cd /usr/local/openvpn_as/scripts/
./sacli --key "cs.priv_key" ConfigDel
./sacli --key "cs.cert" ConfigDel
./sacli --key "cs.ca_bundle" ConfigDel
./sacli start
Self-signed certificate location
Access Server saves the self-signed certificates in a directory on the server: /usr/local/openvpn_as/etc/web-ssl/. It uses the following commands to generate the initial, self-signed certificates:
./certool -d ../etc/web-ssl --type ca --unique --cn "OpenVPN Web CA"
./certool -d ../etc/web-ssl --type server --remove_csr --sn_off
The files in the web-ssl folder should be considered part of a fall-back solution in case of an issue with certificates loaded in the configuration database. We don't recommend replacing the files in this directory with your private key, certificate, and intermediary bundle files.
If you did replace the self-signed certificates in the web-ssl folder, you should import the files to the configuration database key values instead:
Convert /usr/local/openvpn_as/etc/web-ssl files to configuration database key values:
cd /usr/local/openvpn_as/scripts/
./sacli --import GetActiveWebCerts