Advanced CA Certificate Management (CLI)

Introduction

Access Server supports multiple CA certificates. Refer to CA Certificate Management for details about managing these from the Admin Web UI. This documentation details advanced configuration options using the command-line interface (CLI).

You need to connect to your Access Server console with root privileges to run the commands explained here.

CA commands

This table outlines the commands you can use with Access Server's sa tool for managing CA certificates from the CLI. The sections following present examples of using the commands and options.

Commands and options, with their use:

  setpkiconfig
    Set the PKI configuration settings. Use this command to set a specific value.

  showpkiconfig
    Show the PKI configuration settings. Use this command to display your current PKI configuration settings.

  --ca_renew_after_days=
    Set the number of days after which the CA certificate is renewed. The default is 365 days on the latest Access Server versions. Automatic renewal occurs when the set number of days is reached.

  --client_certificate_lifetime=
    Set the number of days until a client certificate expires. The default is 3650 days (ten years) from the date of the server's CA certificate.

  --obfuscate_certs=
    Use client_{serial_number} instead of the real common name when Access Server generates a client certificate. Set to true or false; the default is false.

  --random_serial_numbers=
    Choose whether Access Server assigns random serial numbers to certificates. Set to true or false; the default is true as of Access Server 2.12.0.

Display the current PKI configuration

Access Server 2.12.0 introduced command-line support for CA management. You can display the current public key infrastructure (PKI) configuration:

  1. Connect to your Access Server's console with root privileges.
  2. Run this command:
    /usr/local/openvpn_as/scripts/sa showpkiconfig
    • On a clean install of Access Server 2.12.0 and newer, this is the expected result:
      Configuration key                        Value
      random_serial_numbers                    true
      client_certificate_lifetime              3650
      ca_certificate_lifetime                  3650
      ca_renew_after_days                      365
      obfuscate_certs                          false

Managing the CA renewal period

Access Server 2.12.0 introduced support for defining the CA renewal period. You can do this from your Access Server's command-line interface (CLI).

The default renewal period is 365 days: Access Server generates new CA and server certificates once 365 days or more have passed since the last certificate generation.

To change this interval:

  1. Connect to your Access Server's console with root privileges.
  2. Run these commands (replace [VALUE] with your desired number of days):
    /usr/local/openvpn_as/scripts/sa --ca_renew_after_days=[VALUE] setpkiconfig
    service openvpnas restart
  3. Check the change with this command:
    /usr/local/openvpn_as/scripts/sa showpkiconfig

Access Server now renews the CA certificate once the custom number of days has passed since the last certificate generation.

Managing client certificate expiration

Access Server 2.12.0 introduced support for defining the client certificate expiration date. You can do this from your Access Server's command-line interface (CLI).

The default expiration date is the same as the signing CA expiration date.

To set a specific certificate lifetime (such as one or two years):

  1. Connect to your Access Server's console with root privileges.
  2. Run these commands (replace [VALUE] with your desired number of days):
    /usr/local/openvpn_as/scripts/sa --client_certificate_lifetime=[VALUE] setpkiconfig
    service openvpnas restart
  3. Check the change with this command:
    /usr/local/openvpn_as/scripts/sa showpkiconfig

When a user downloads a new profile, it's generated with the new certificate lifetime. You can view the new expiration date in the Admin Web UI from the User Profiles page.
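The three procedures above (displaying the PKI configuration, changing the CA renewal period, and changing the client certificate lifetime) can be wrapped in a small script so that the values are validated before they reach setpkiconfig and the resulting configuration is checked against a policy. The following is an added example, not a script shipped with Access Server or written by OpenVPN Inc. It assumes the sa path shown on this page, parses showpkiconfig output in the whitespace-separated format shown above (the SAMPLE_PKICONFIG text is constructed to match that format), and applies a policy of its own choosing: random serial numbers on, client certificates never outliving the CA, and the renewal period shorter than the CA lifetime so renewal happens before expiry. The function names (pki_get, pki_check, valid_days, set_pki_days) are this example's own.

```shell
#!/bin/sh
# Added example (not Access Server code): validate and check PKI settings
# managed through "sa setpkiconfig" / "sa showpkiconfig".

SA=/usr/local/openvpn_as/scripts/sa   # path documented on this page

# Constructed sample of "sa showpkiconfig" output (same format as the page shows).
SAMPLE_PKICONFIG='Configuration key                        Value
random_serial_numbers                    true
client_certificate_lifetime              3650
ca_certificate_lifetime                  3650
ca_renew_after_days                      365
obfuscate_certs                          false'

# pki_get KEY TEXT: print the value of KEY from showpkiconfig output.
pki_get() {
    printf '%s\n' "$2" | awk -v key="$1" '$1 == key { print $2; exit }'
}

# valid_days VALUE: succeed only if VALUE is a positive integer, which is
# what --ca_renew_after_days= and --client_certificate_lifetime= expect.
valid_days() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -gt 0 ]
}

# pki_check TEXT: succeed if the settings pass the (assumed) policy:
#   - random_serial_numbers is true
#   - client_certificate_lifetime does not exceed ca_certificate_lifetime
#   - ca_renew_after_days is below ca_certificate_lifetime
pki_check() {
    text=$1
    rsn=$(pki_get random_serial_numbers "$text")
    client=$(pki_get client_certificate_lifetime "$text")
    ca=$(pki_get ca_certificate_lifetime "$text")
    renew=$(pki_get ca_renew_after_days "$text")
    for v in "$client" "$ca" "$renew"; do
        valid_days "$v" || { echo "ERR: missing or non-numeric lifetime value" >&2; return 1; }
    done
    rc=0
    if [ "$rsn" != "true" ]; then
        echo "WARN: random_serial_numbers is '$rsn', expected true" >&2; rc=1
    fi
    if [ "$client" -gt "$ca" ]; then
        echo "WARN: client_certificate_lifetime ($client) exceeds ca_certificate_lifetime ($ca)" >&2; rc=1
    fi
    if [ "$renew" -ge "$ca" ]; then
        echo "WARN: ca_renew_after_days ($renew) is not below ca_certificate_lifetime ($ca)" >&2; rc=1
    fi
    return $rc
}

# set_pki_days OPTION DAYS: apply one of the day-valued options on a live
# server (run as root), then restart the service as the page instructs.
set_pki_days() {
    valid_days "$2" || { echo "usage: set_pki_days <option> <positive days>" >&2; return 2; }
    "$SA" "--$1=$2" setpkiconfig && service openvpnas restart
}

# pki_check_live: check the running server's configuration against the policy.
pki_check_live() {
    pki_check "$("$SA" showpkiconfig)"
}

# Stand-alone demonstration on the constructed sample (no server needed).
if pki_check "$SAMPLE_PKICONFIG"; then
    echo "sample configuration passes the policy"
fi
```

On a server, source the script and run set_pki_days client_certificate_lifetime 730 to set a two-year client certificate lifetime, then pki_check_live to confirm the resulting settings; the sample demonstration at the bottom touches no server.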