
Tutorial: Install a Signed SSL Certificate from the Command-line Interface

Abstract

Follow this tutorial to install a signed SSL certificate using the command line.

Overview

Access Server’s web services secure the connection between the web browser and the server using an SSL certificate. When you install Access Server, it generates a self-signed certificate. Because of this self-signed certificate, the first time you sign in to the Admin Web UI or Client UI, you must click through a warning in your browser. This is expected. We recommend replacing the self-signed certificate with your own signed certificate so that browsers no longer show the warning and users are not asked to click through it.

This tutorial uses the command-line interface. To use the Admin Web UI, follow this tutorial:

This is the process for installing a signed SSL certificate for a fully qualified domain name (FQDN) for accessing your web services — the Admin Web UI and Client UI — in a web browser:

  1. Assign an FQDN to Access Server.

  2. Set the required DNS record.

  3. Generate a private key.

  4. Use the key to create a certificate signing request (CSR).

  5. Send the CSR to a trusted party to validate and sign.

  6. Install the signed certificate, private key, and intermediary file.

This tutorial shows you how to complete the sixth step in the above process: installing the SSL files using the CLI.

Tip

You can do the first five steps with your website host and certificate authorities.

  • An installed Access Server.

  • Console access and the ability to get root access.

  • An Access Server hostname.

  • A signed certificate, private key, and intermediary bundle.

  • Save your signed certificate, private key, and intermediary bundle files to a location on your server. Our example uses the directory /etc/webcerts/vpn.yourdomain.com/.

    • You could do this with a file transfer app or the wget command.

    Important

    Ensure the certificates are formatted as PEM files. Access Server doesn’t accept .p12 or .pfx formatted certificates. You can convert files from .pfx to PEM type with the DigiCert Certificate Utility for Windows.

  1. Connect to the console and get root privileges.

  2. Run the commands below to store the files in the configuration database:

    • Store the private key file in the configuration database:

      sacli --key "cs.priv_key" --value_file "/etc/webcerts/vpn.yourdomain.com/privatekey.pem" ConfigPut

    • Store the certificate file in the configuration database:

      sacli --key "cs.cert" --value_file "/etc/webcerts/vpn.yourdomain.com/crt.pem" ConfigPut

    • Store the CA bundle file in the configuration database:

      sacli --key "cs.ca_bundle" --value_file "/etc/webcerts/vpn.yourdomain.com/intermediary_bundle.pem" ConfigPut

  3. Before restarting the web server to begin using the new certificates, validate the files with the following command:

    sacli --ca_bundle=/etc/webcerts/vpn.yourdomain.com/intermediary_bundle.pem --cert=/etc/webcerts/vpn.yourdomain.com/crt.pem --priv_key=/etc/webcerts/vpn.yourdomain.com/privatekey.pem TestWebCerts

    • The output should display information about the SSL certificates and their values, not errors or warnings.

  4. Once the private key, certificate, and intermediary bundle files are all set, restart the Access Server web service to begin using the new certificates:

    sacli start

To verify that you correctly installed the web SSL certificates, we recommend using online tools such as the DigiCert SSL Installation Diagnostics Tool or Qualys SSL Labs SSL Server Test. We recommend additional security steps, including adjusting the TLS settings and web server cipher suite string.

To read more about how Access Server manages the self-signed certificate:

Note

SSL certificates are not related to VPN certificates, as they are separate and managed differently. Alterations to SSL certificates don’t affect VPN certificates.

Multiple intermediary files

What if you have additional files? In many cases, you receive more than one file providing the links in the chain of trust between your signed certificate and the root authority that your web browser already trusts. If you’ve received more than one intermediate file:

  1. Create a new text file.

  2. Paste the intermediate certificates one after the other into the new file.

  3. Save it and import it as the CA bundle (the cs.ca_bundle key).
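Before running the ConfigPut commands, and especially after merging several intermediate files as described above, a structural check of the three files catches the common mistakes: a .pfx or DER file where PEM was expected, more than one certificate in the cert file, or a private key pasted into the certificate or bundle. The following Python script is an added example, not part of this tutorial or of Access Server; the fake_pem helper builds constructed PEM-shaped samples that are not real keys or certificates, and the cs.* names are the sacli keys used above.

```python
import base64
import re

# One PEM block: label (CERTIFICATE, PRIVATE KEY, ...) plus its base64 body.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def pem_blocks(text):
    """(label, der_bytes) for each PEM block; bad base64 raises ValueError."""
    blocks = []
    for label, body in PEM_BLOCK.findall(text):
        der = base64.b64decode("".join(body.split()), validate=True)
        blocks.append((label, der))
    return blocks

def check_web_certs(priv_key, cert, ca_bundle):
    """Structural pre-flight for the files going into cs.priv_key, cs.cert
    and cs.ca_bundle. Returns a list of problems (empty means they look like
    PEM input sacli accepts); signatures are left to sacli TestWebCerts."""
    problems = []
    key_labels = [lbl for lbl, _ in pem_blocks(priv_key)]
    cert_labels = [lbl for lbl, _ in pem_blocks(cert)]
    bundle_labels = [lbl for lbl, _ in pem_blocks(ca_bundle)]
    if not any(lbl.endswith("PRIVATE KEY") for lbl in key_labels):
        problems.append("private key has no PEM PRIVATE KEY block (DER or .pfx?)")
    if cert_labels != ["CERTIFICATE"]:
        problems.append("certificate file must hold exactly one CERTIFICATE")
    if not bundle_labels or set(bundle_labels) != {"CERTIFICATE"}:
        problems.append("CA bundle must hold one or more CERTIFICATE blocks only")
    # cs.cert and cs.ca_bundle are sent to every browser: a private key pasted
    # into either by mistake would be published.
    for name, labels in (("cert", cert_labels), ("ca_bundle", bundle_labels)):
        if any("PRIVATE" in lbl for lbl in labels):
            problems.append(f"{name} contains a private key; remove it")
    return problems

def merge_intermediates(*pem_texts):
    """Join several intermediate PEM files into one bundle, in the order given
    (the certificate that signed your cert first, then its issuer)."""
    return "".join(t.strip() + "\n" for t in pem_texts)

def fake_pem(label, payload):
    """Constructed stand-in for a real PEM file: base64 of arbitrary bytes.
    It exercises the checks above and is not a real key or certificate."""
    body = base64.b64encode(payload).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"
```

Read the real files with open(path).read() and pass them to check_web_certs; an empty list means you can go on to ConfigPut and TestWebCerts.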

Fall back to self-signed certificates

If you need to remove the SSL files and use Access Server's self-signed certificates instead, you can run the commands below.

  • Remove the keys and fall back to the self-signed certificates in the web-ssl directory:

    sacli --key "cs.priv_key" ConfigDel
    sacli --key "cs.cert" ConfigDel
    sacli --key "cs.ca_bundle" ConfigDel
    sacli start

Self-signed certificate location

Access Server saves the self-signed certificates in a directory on the server: /usr/local/openvpn_as/etc/web-ssl/. It uses the following command to generate the initial, self-signed certificates:

./certool -d ../etc/web-ssl --type ca --unique --cn "OpenVPN Web CA"
./certool -d ../etc/web-ssl --type server --remove_csr --sn_off

The files in the web-ssl folder should be considered part of a fall-back solution in case of an issue with certificates loaded in the configuration database. We don't recommend replacing the files in this directory with your private key, certificate, and intermediary bundle files.

If you did replace the self-signed certificates in the web-ssl folder, you should import the files to the configuration database key values instead:

  • Convert /usr/local/openvpn_as/etc/web-ssl files to configuration database key values:

    sacli --import GetActiveWebCerts