
Tutorial: How to Replace 1024-bit VPN Certificates for Access Server

Abstract

This tutorial will help you replace outdated 1024-bit certificates with more secure ones, ensuring long-term compatibility and security for your VPN clients.

Overview

This tutorial explains how to replace insecure 1024-bit VPN certificates with stronger ones for Access Server. You may encounter a warning message about legacy 1024-bit CA certificates, which are no longer considered secure. This guide will help you create a new CA certificate, migrate your VPN clients, and remove old certificates in a way that minimizes disruption to your users.

Prerequisites

  • An installed Access Server.

  • Console access with root privileges.

  • A server configuration backup.

  • Understanding that changes will temporarily disconnect VPN clients.

Create a new CA certificate

  1. Sign in to your Admin Web UI.

  2. Click Certificate Management.

    • The Web Server Certificate tab displays.

  3. Click the VPN Server Certificate Authority tab.

  4. Click New CA Certificate.

    • The New CA certificate modal displays.

  5. Enter a Common name (optional) and select the Signing algorithm.

  6. Click Add new CA and Restart.

    • After Access Server restarts, the new CA displays in the list of Certificate Authority certificates and is labeled the Current CA.

Notice

Most VPN clients keep using the certificate issued by the old CA until they download a new profile signed by the new CA. Below are several options for users to migrate.

Option 1: Import a new profile in OpenVPN Connect

  1. Open OpenVPN Connect.

  2. Click the Add icon.

  3. Enter your Access Server's URL.

  4. Enter your username and password.

  5. Click Import.

Option 2: Download a profile from the Client Web UI

  1. Sign in to the Client Web UI (your server's IP or hostname without /admin).

  2. Download a connection profile.

  3. Open OpenVPN Connect.

  4. Click the Add icon, then File.

  5. Drag and drop the .ovpn profile or browse for it on your device.

Option 3: Download pre-configured OpenVPN Connect from the Client Web UI

  1. Sign in to the Client Web UI.

  2. Download OpenVPN Connect for your specific platform.
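Once a user has imported a new profile, the <ca> block of the exported .ovpn file shows which CA the profile actually carries. The POSIX shell helper below is an added example, not part of this tutorial or of Access Server; it assumes the openssl command-line tool is installed and that the profile embeds its CA inline, and it flags RSA CA keys shorter than 2048 bits, such as the legacy 1024-bit one.

```shell
# Inspect the CA certificate(s) embedded in an OpenVPN .ovpn profile.
# Prints one line per CA cert ("ok"/"WEAK", key size, algorithm, subject)
# and returns non-zero when an RSA CA key shorter than 2048 bits is found.

# Print the public key size in bits of a PEM certificate file.
ca_key_bits() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Print the public key algorithm of a PEM certificate file, e.g. rsaEncryption.
ca_key_alg() {
    openssl x509 -in "$1" -noout -text | sed -n 's/.*Public Key Algorithm: //p'
}

ovpn_ca_check() {
    tmp=$(mktemp -d) || return 2
    # Copy the <ca> block out of the profile and split it, one file per cert,
    # since a profile may embed a chain rather than a single CA.
    sed -n '/^<ca>/,/^<\/ca>/p' "$1" | sed '1d;$d' |
        awk -v d="$tmp" '/BEGIN CERTIFICATE/ {n++} {print > (d "/ca" n ".pem")}'
    status=0
    for cert in "$tmp"/ca*.pem; do
        if [ ! -f "$cert" ]; then
            echo "no <ca> block found in $1" >&2
            status=2
            break
        fi
        alg=$(ca_key_alg "$cert")
        bits=$(ca_key_bits "$cert")
        subject=$(openssl x509 -in "$cert" -noout -subject)
        tag=ok
        # Flag only RSA keys: EC keys are short by design (256-bit is normal).
        if [ "$alg" = rsaEncryption ] && [ "${bits:-0}" -lt 2048 ]; then
            tag=WEAK
            status=1
        fi
        echo "$tag ${bits:-?}-bit $alg $subject"
    done
    rm -rf "$tmp"
    return "$status"
}
```

Run `ovpn_ca_check client.ovpn` on a freshly downloaded profile: a `WEAK 1024-bit` line means the user is still on the old CA and needs to re-import.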

Notice

Once all users have migrated to new profiles, the warning message regarding the 1024-bit CA will disappear when the old CA is deleted. Before removing it, verify that all users have switched to the new CA.

Remove the old CA certificate

  1. Sign in to the Admin Web UI.

  2. Click Certificate Management.

    • The Web Server Certificate tab displays.

  3. Click the VPN Server Certificate Authority tab.

  4. Locate the old CA and click on its name.

  5. The VPN Client Certificates tab displays with the filter "Signing CA is [old CA name]". This lists the client profiles signed by the old CA.

  6. Review the Last Used dates to ensure users no longer use old profiles.

    • If all users have migrated, you can safely delete the old CA.

  7. Click the VPN Server Certificate Authority tab.

  8. Click the Delete icon for the old CA certificate.

  9. Review the actions taken to delete the certificate, accept, and then click Delete CA and restart.

    • Access Server restarts, and the old CA certificate is deleted.