Replacing 1024-bit VPN certificate structure

Introduction

This document explains how to replace your 1024-bit VPN certificates for Access Server with more secure ones by following this procedure:

  1. Create a new CA certificate.
  2. Migrate VPN clients to the new CA certificate.
  3. Delete your old CA and certificates.

If you have 1024-bit CAs on your server, Access Server 2.9.2 and newer displays the message, “Your Access server uses a legacy CA with a RSA key size of less than 2048-bit. This causes problems with systems that have stricter security defaults”. The message stops appearing once you no longer use any 1024-bit CAs on your VPN server.

We recommend replacing 1024-bit certificates, which are no longer considered secure. We have a mitigation in place specifically for the VPN certificate infrastructure should you still have a 1024-bit CA, but we recommend that you take action to upgrade this to a more secure type. Specifically, with Access Server 2.12 and newer, we recommend the secp384r1 algorithm.

When we brought Access Server to the market, 1024-bit RSA keys were considered secure — Access Server generated 1024-bit VPN certificates by default. This changed to 2048-bit with Access Server release 2.0.5 and secp384r1 with release 2.12.0. If you initially set up Access Server with a version older than 2.0.5, it likely still has the 1024-bit certificates, even if you've upgraded. Access Server retains the same bit size during upgrades to maintain compatibility with existing VPN client installations.

OpenVPN Access Server 2.9 and newer gives you a more advanced management system for VPN certificates. You can add a new, more secure CA to generate new VPN certificates while continuing to allow clients with the old 1024-bit certificates to connect. This allows a graceful migration from 1024-bit to a more secure key. You can then update the VPN connection profiles on the VPN clients to complete the migration to the new CA, but at your own pace — the old ones still function alongside the new ones.

Note: We recommend secp384r1 for the new CA. Other options are available, but we don't recommend them as they may not offer sufficient additional protection, or they may cause compatibility issues.

Note: Before you begin, we recommend that you have a backup of your server configuration in case you need to roll back for whatever reason.

Consequences of staying on 1024-bit CA

Today's security standards focus on deprecating 1024-bit certificates. Continuing to use 1024-bit certificates puts you at risk of no longer being able to establish a VPN connection, for example because an operating system's default security settings prohibit the use of 1024-bit certificates. While you may be able to lower these security settings to allow the use of 1024-bit certificates, doing so goes against security best practices. The OpenVPN core has mitigation possibilities to keep using 1024-bit certificates, but we may eventually phase them out on newer releases. We encourage you to move to more secure certificates, and Access Server 2.9 and newer allows you to make this transition gracefully.

Create a new CA certificate

Follow these steps to create a new CA certificate. Access Server allows connections from clients using previous certificates even after creating a new CA and new certificates. This is accomplished using cross-signing.

  1. Sign in to your Admin Web UI.
  2. Click Configuration > CA Management.
  3. Click the Create New CA tab.
  4. Choose a signing algorithm (recommended algorithm: secp384r1).
  5. Click Create New CA.

Creating a new CA forces a service-level restart of your Access Server, temporarily disconnecting connected VPN clients. After the restart completes, you can sign in again to see your old and new CA under CA Overview on the CA Management page. Access Server accepts VPN clients using certificates from either CA.

Migrate VPN Clients to new CA certificate

Most of your VPN clients will continue using old certificates until your users download new profiles. They can do this within OpenVPN Connect or from the Client Web UI.

Import a new profile in OpenVPN Connect

  1. Start the OpenVPN Connect app.
  2. Click the Add icon.
  3. Enter the URL for your Access Server.
  4. Enter the username and password.
  5. Click Import.

Download a profile from Client Web UI

  1. Sign in to the Client Web UI (IP address or custom hostname for your Access Server, without ‘/admin’ at the end).
  2. Download a .ovpn profile.
  3. Start the OpenVPN Connect app.
  4. Click the Add icon.
  5. Click File.
  6. Drag and drop the .ovpn profile into the window or click Browse to select it from its folder location.

Download a pre-configured OpenVPN Connect from Client Web UI

  1. Sign in to the Client Web UI.
  2. Download OpenVPN Connect for the correct platform.

Plan to delete your old CA and certificates

The warning message regarding the presence of a 1024-bit CA only disappears once you've removed the last 1024-bit CA from the server. 

Before this last step, ensure all your users have new connection profiles using the new CA. When you delete the old CA, connections fail for VPN clients using old connection profiles.

In the Admin Web UI, you can view profiles associated with the old CA:

  1. Sign in to the Admin Web UI.
  2. Click Configuration > CA Management.
  3. Find the old CA and click View Profiles.
  4. Review the profiles and the Last Used dates.
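To check which CA a downloaded profile actually embeds before the old CA is removed, the following added Python script (not part of this documentation or of Access Server) parses the first certificate in a profile's <ca> block using only the standard library and reports its key type and size. The two profiles it inspects are constructed sample data built around unsigned certificate shells, not real Access Server output; vpn.example.com is a placeholder.

```python
import base64, re

# DER-encoded OID contents: rsaEncryption, id-ecPublicKey, and two named curves
OID_RSA, OID_EC = bytes.fromhex("2a864886f70d010101"), bytes.fromhex("2a8648ce3d0201")
CURVES = {bytes.fromhex("2b81040022"): "secp384r1", bytes.fromhex("2a8648ce3d030107"): "prime256v1"}

def _tlv(buf, pos=0):                      # one DER element -> (tag, contents, position after it)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(contents):                   # contents of a SEQUENCE -> [(tag, contents), ...]
    out, pos = [], 0
    while pos < len(contents):
        tag, val, pos = _tlv(contents, pos)
        out.append((tag, val))
    return out

def profile_ca_key(ovpn_text):
    """Return 'RSA <bits>' or 'EC <curve>' for the CA certificate embedded in an .ovpn profile."""
    pem = re.search(r"<ca>.*?BEGIN CERTIFICATE-----(.*?)-----END.*?</ca>", ovpn_text, re.S).group(1)
    cert = _children(_tlv(base64.b64decode("".join(pem.split())))[1])  # tbsCertificate, sigAlg, signature
    fields = _children(cert[0][1])
    if fields[0][0] == 0xA0:               # skip the optional explicit [0] version field
        fields = fields[1:]
    alg, bits = _children(fields[5][1])    # serial, sigAlg, issuer, validity, subject, SPKI
    alg_oid, *params = _children(alg[1])
    if alg_oid[1] == OID_RSA:              # BIT STRING wraps SEQUENCE { modulus n, exponent e }
        modulus = _children(_tlv(bits[1][1:])[1])[0][1]
        return "RSA %d" % int.from_bytes(modulus, "big").bit_length()
    if alg_oid[1] == OID_EC:
        return "EC " + CURVES.get(params[0][1], "unknown curve")
    return "unknown algorithm"

# --- constructed sample data: unsigned certificate shells, not real Access Server output ---
def _der(tag, body):                       # minimal DER encoder, contents shorter than 256 bytes
    return bytes([tag]) + (bytes([len(body)]) if len(body) < 128 else bytes([0x81, len(body)])) + body

def _fake_profile(spki):
    empty = _der(0x30, b"")
    tbs = _der(0x30, _der(0x02, b"\x01") + empty * 4 + spki)
    pem = base64.b64encode(_der(0x30, tbs + empty + _der(0x03, b"\x00"))).decode()
    return "client\nremote vpn.example.com 1194\n<ca>\n-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n</ca>\n" % pem

OLD_PROFILE = _fake_profile(_der(0x30, _der(0x30, _der(0x06, OID_RSA) + b"\x05\x00") + _der(0x03, b"\x00" + _der(
    0x30, _der(0x02, b"\x00" + ((1 << 1023) | 1).to_bytes(128, "big")) + _der(0x02, b"\x01\x00\x01")))))
NEW_PROFILE = _fake_profile(_der(0x30, _der(0x30, _der(0x06, OID_EC) + _der(0x06, bytes.fromhex("2b81040022")))
                                 + _der(0x03, b"\x00\x04" + b"\x01" * 96)))
```

For a real profile, pass the file's contents to profile_ca_key; a result of RSA 1024 means the profile still trusts the legacy CA and its user has not yet migrated. Only the first certificate in the <ca> block is inspected.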

If you are satisfied that your users have migrated to new profiles and you can delete the old CA, follow the steps below. Deleting a CA forces a service-level restart of your Access Server, temporarily disconnecting connected VPN clients.

Delete the old CA:

  1. Sign in to the Admin Web UI.
  2. Click Configuration > CA Management.
  3. Click Delete for the old CA.
  4. Review the notification window and check the box, “Delete this CA and all associated User Profiles.”
  5. Click Delete.
  6. Click Update Running Server.