How to replace the Access Server private key and certificate
There are two ways an administrator can import a CA-signed SSL certificate into OpenVPN Access Server:
You can import the certificate through the Admin UI: on the “Web Server” page, import the web server CA bundle, certificate and private key, then click Validate to confirm that the server accepts the new certificate before you save it.
You can replace the certificate via the backend, by overwriting the files in the web-ssl directory as described below. Certificates imported through the Admin UI are stored in the configuration database and take precedence over those files, so if you use the backend method, make sure no certificate has been imported on the “Web Server” page.
To replace the automatically-generated key and certificate with a new key and certificate issued by a trusted CA (Certificate Authority), take the steps listed below.
1. Make sure you know the desired hostname for your server. This name will be the public name used by VPN clients to connect to your Access Server, and it should also be specified as the “Hostname or IP Address:” on the “Server Network Settings” page in the Access Server Admin Web UI. The hostname will be encoded in the certificate issued by the CA, so it cannot be changed afterwards without obtaining a new certificate.
2. Make a copy of the files in /usr/local/openvpn_as/etc/web-ssl/ into a backup directory, just in case.
3. Generate the new keypair and CSR (Certificate Signing Request) using these commands on your Access Server host machine:
In the last step, you will be prompted for input. Your CA may have certain requirements on the fields you specify. The Common Name on the CSR should match the hostname of your server, and because current browsers and VPN clients match the hostname against the certificate's subjectAltName rather than the Common Name, ask your CA to include the hostname there as well (most CAs do this automatically). Only the CSR leaves the host; the private key must never be sent to the CA. An example run of the above commands is shown below. Note that several fields are left blank by just hitting Return at the input prompt.
4. Give the contents of the “new.csr” file to your CA (via a Web upload or email or whatever method is preferred).
5. The CA may perform additional verification of your identity and/or your rights to use the names you specified. You may also have to pay for the certification service. In the end, the CA will provide a certificate and probably also a bundle with one or more CA certificates. All of these certificates should be PEM-encoded text, including the BEGIN/END lines.
6. Save the server certificate (issued by the CA) as the file server.crt in /usr/local/openvpn_as/etc/web-ssl (overwriting the existing file).
7. Copy the new.key file as server.key in /usr/local/openvpn_as/etc/web-ssl.
8. Save the CA certificate bundle as ca.crt in the /usr/local/openvpn_as/etc/web-ssl directory. The CA certificates must appear in order: the first certificate is that of the CA that issued the server certificate, each following certificate is the issuer of the one before it, and the last certificate is that of the trusted root CA. The certificates are simply concatenated, with the BEGIN and END lines included (so that the BEGIN line of one certificate directly follows the END line of the previous one).
9. Restart the Access Server using this command:
The new key and certificate should now be in use. Confirm this by opening the Admin Web UI in a browser and inspecting the certificate chain the server presents.
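The backend procedure above, carried through as a shell script with the checks a practitioner wants before overwriting the web-ssl files. This is an added example, not code from the OpenVPN Access Server documentation. It assumes openssl 1.1.1 or newer is on PATH, that WEBSSL points at the web-ssl directory (override it for a dry run), and that the restart command is `service openvpnas restart`, the init service name used by Access Server; none of these are stated on the page. Before installing, it verifies that the CA-issued certificate carries the public key of new.key, that the first certificate in the bundle is the one that issued the server certificate (the ordering rule from step 8), and that the chain validates for the public hostname.

```shell
#!/bin/sh
# Added example, not code from the OpenVPN Access Server documentation.
# Walks the backend procedure (steps 2, 3, 6-9) with checks before
# the web-ssl files are overwritten.
# Assumptions (not stated on the page): openssl 1.1.1+ is on PATH; WEBSSL is
# the web-ssl directory; the restart command is "service openvpnas restart".
set -eu

WEBSSL="${WEBSSL:-/usr/local/openvpn_as/etc/web-ssl}"
WORK="${WORK:-$(mktemp -d)}"   # scratch directory for new.key / new.csr

# Step 3: new 2048-bit RSA key and CSR. The hostname goes in the CN and in
# subjectAltName, because current browsers and VPN clients match the name
# against the SAN. Only new.csr is sent to the CA; new.key stays on this host.
gen_key_csr() {
    host="$1"
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$host" -addext "subjectAltName=DNS:$host" \
        -keyout "$WORK/new.key" -out "$WORK/new.csr"
    chmod 600 "$WORK/new.key"
}

# The certificate the CA returns must carry the public key of new.key:
# compare the SubjectPublicKeyInfo PEM from both sides.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# Step 8 ordering rule: the first certificate in ca.crt must be the CA that
# issued server.crt, i.e. its subject equals the server certificate's issuer.
bundle_order_ok() {
    first=$(awk '/-----BEGIN CERTIFICATE-----/{p=1} p{print} /-----END CERTIFICATE-----/{exit}' "$2")
    issuer=$(openssl x509 -in "$1" -noout -issuer)
    subject=$(printf '%s\n' "$first" | openssl x509 -noout -subject)
    [ "${issuer#issuer=}" = "${subject#subject=}" ]
}

# Full chain check: server.crt must chain to the root through the bundle and
# must be valid for the public hostname clients will use.
# Arguments: cert hostname bundle
verify_chain() {
    openssl verify -CAfile "$3" -verify_hostname "$2" "$1" >/dev/null
}

# Steps 2 and 6-8: back up the directory, run the checks, then install with
# restrictive permissions on the private key. Prints the backup path.
# Arguments: cert key bundle hostname
install_certs() {
    cert="$1"; key="$2"; bundle="$3"; host="$4"
    mkdir -p "$WEBSSL"
    backup="$WEBSSL.bak.$(date +%Y%m%d%H%M%S)"
    cp -R "$WEBSSL" "$backup"
    cert_matches_key "$cert" "$key"        || { echo "certificate does not match private key" >&2; return 1; }
    bundle_order_ok "$cert" "$bundle"      || { echo "first certificate in bundle is not the issuer" >&2; return 1; }
    verify_chain "$cert" "$host" "$bundle" || { echo "chain or hostname verification failed" >&2; return 1; }
    cp "$cert" "$WEBSSL/server.crt";   chmod 644 "$WEBSSL/server.crt"
    cp "$key" "$WEBSSL/server.key";    chmod 600 "$WEBSSL/server.key"
    cp "$bundle" "$WEBSSL/ca.crt";     chmod 644 "$WEBSSL/ca.crt"
    echo "$backup"
}

# Step 9. Assumed command: use the restart command documented for your
# installation if it differs.
restart_access_server() {
    service openvpnas restart
}

# Usage on the Access Server host, as root:
#   gen_key_csr vpn.example.com        # then submit $WORK/new.csr to the CA
#   install_certs signed.crt "$WORK/new.key" bundle.crt vpn.example.com
#   restart_access_server
```

If any check fails, nothing in web-ssl is touched and the backup directory is left in place; a mismatched key, a bundle in the wrong order or a certificate issued for a different name are the three mistakes that most often leave the web UI serving a broken chain after a restart.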