Replacing 1024-bit VPN certificate structure

This document explains how to replace the 1024-bit VPN certificates of an OpenVPN Access Server installation with more secure ones. As of OpenVPN Access Server 2.9.2 you will see the message “Your Access server uses a legacy CA with a RSA key size of less than 2048-bit. This causes problems with systems that have stricter security defaults” as long as a 1024-bit CA is present on the server. The message disappears once no 1024-bit CA is in use on the VPN server anymore.

Current default security settings no longer consider 1024-bit RSA certificates secure and may refuse them outright: OpenSSL's security level, for example, rejects RSA keys shorter than 2048 bits at level 2, which is the default on a number of current operating systems. Access Server has a mitigation in place specifically for its VPN certificate infrastructure in case you still have a 1024-bit CA, but we recommend that you upgrade to a more secure key type.

When OpenVPN Access Server was brought to market, 1024-bit RSA keys were considered secure and the default at the time was to generate VPN certificates with a 1024-bit key size. This changed to 2048-bit with Access Server release 2.0.5. If your Access Server was originally set up with an earlier version, it will almost certainly still have 1024-bit certificates, even if the installation has since been upgraded to the latest version: during upgrades Access Server keeps the existing key size in order to stay compatible with VPN client installations that are already deployed.

OpenVPN Access Server 2.9 introduces a more advanced management system for VPN certificates. It is now possible to add a new, more secure CA that is used to generate new VPN certificates, while clients that still present certificates from the old 1024-bit CA remain able to connect. This allows a graceful migration from 1024-bit to a more secure key. The VPN connection profiles still need to be updated on the VPN clients to complete the migration to the new CA, but this can be done at your own pace, because the old profiles keep working alongside the new ones.

Note: We recommend RSA 2048 or secp384r1 for the new CA. Other options are available but are not currently recommended as they may either not offer sufficient additional protection or they may cause compatibility issues.

Note: We recommend that you take a backup of your server configuration before you begin, in case you need to roll back for whatever reason.

Consequences of staying on 1024-bit CA

Today's security standards are deprecating 1024-bit certificates. Eventually certain devices may simply no longer be able to establish a VPN connection with a 1024-bit certificate. Already, certain operating systems ship default security settings that prohibit the use of 1024-bit certificates. While it is in many cases possible to lower these settings so that 1024-bit certificates keep working, doing so is certainly not recommended. The OpenVPN core itself has mitigations that allow 1024-bit certificates to keep being used, but newer releases may eventually phase those out entirely. We therefore encourage you to move to more secure certificates, and OpenVPN Access Server as of version 2.9 gives you the ability to make this transition gracefully.

Create a new CA certificate

Follow these steps to create a new CA certificate. Access Server allows connections from clients using previous certificates even after creating a new CA and new certificates. This is accomplished using cross-signing.

  1. Sign in to your Admin Web UI.
  2. Click Configuration > CA Management.
  3. Click the Create New CA tab.
  4. Choose a signing algorithm (recommended algorithm: RSA 2048 or secp384r1).
  5. Click Create New CA.

Creating a new CA forces a service-level restart of your Access Server. This will temporarily disconnect currently connected VPN clients. After the restart completes, you can sign in again to see your old and new CA under CA Overview on the CA Management page. Access Server accepts VPN clients using certificates from either CA.

Migrate VPN Clients to new CA certificate

VPN clients will in most cases keep using the old certificates until they download a new profile, which is generated against the new CA. They can do this from within OpenVPN Connect or by using the Client UI.

Import a new profile in OpenVPN Connect

  1. Start the OpenVPN Connect app.
  2. Click the Add icon.
  3. Enter the URL for your Access Server.
  4. Enter the username and password.
  5. Click Import.

Download a profile from Client UI

  1. Sign in to the Client UI (IP address or custom hostname for your Access Server, without ‘/admin’ at the end).
  2. Download a .ovpn profile.
  3. Start the OpenVPN Connect app.
  4. Click the Add icon.
  5. Click File.
  6. Drag and drop the .ovpn profile into the window or click Browse to select it from its folder location.

Download a pre-configured OpenVPN Connect from Client UI

  1. Sign in to the Client UI.
  2. Download OpenVPN Connect for the correct platform.
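Whichever of the three routes above a user takes, the result is a .ovpn profile (or a pre-configured OpenVPN Connect that bundles one) whose inline <ca> block carries the CA certificate the profile was issued against. The following added script, which is not part of the Access Server product or of this guide's original steps, inspects that <ca> block with the openssl command line and reports the key algorithm and size of each certificate it finds, so you can confirm that a freshly downloaded profile really uses the new CA and spot old profiles that still carry a 1024-bit one. The sample profiles it builds are constructed on the fly with throwaway self-signed CAs purely for demonstration; the hostname vpn.example.com and the file names are assumptions.

```shell
#!/bin/sh
# Added example (not OpenVPN Access Server code): report the key algorithm and size
# of every CA certificate embedded in an OpenVPN .ovpn profile's <ca> block.
# Requires only POSIX sh, awk, sed and the openssl command line tool.
set -eu

# Print one line per certificate inside <ca>...</ca>: "<algorithm> <bits>",
# e.g. "rsaEncryption 1024" or "id-ecPublicKey 384".
ovpn_ca_keys() {
  profile=$1
  tmp=$(mktemp -d)
  # Keep only the inline <ca> block and write each PEM certificate to its own file,
  # so profiles that embed more than one CA certificate are handled too.
  sed -n '/^<ca>/,/^<\/ca>/p' "$profile" \
    | awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/ca" n ".pem" }
        out != "" { print > out }
        /-----END CERTIFICATE-----/ { close(out); out = "" }'
  for pem in "$tmp"/ca*.pem; do
    [ -e "$pem" ] || break          # profile has no <ca> block at all
    txt=$(openssl x509 -in "$pem" -noout -text)
    alg=$(printf '%s\n' "$txt" | sed -n 's/.*Public Key Algorithm: //p' | head -n 1)
    # Both "RSA Public-Key: (1024 bit)" (OpenSSL 1.1) and "Public-Key: (1024 bit)" (OpenSSL 3) match.
    bits=$(printf '%s\n' "$txt" | grep -o '([0-9]* bit)' | head -n 1 | tr -dc '0-9')
    echo "$alg $bits"
  done
  rm -rf "$tmp"
}

# Succeed (exit 0) only if no CA in the profile is RSA with fewer than 2048 bits.
ovpn_ca_ok() {
  ovpn_ca_keys "$1" | awk '$1 == "rsaEncryption" && $2 < 2048 { bad = 1 } END { exit bad }'
}

# Demo helper: build a constructed sample profile around a throwaway self-signed CA.
# $1 is passed unquoted to "openssl req -newkey" so it may carry extra -pkeyopt words.
make_sample_profile() {
  keyspec=$1; out=$2
  tmp=$(mktemp -d)
  # shellcheck disable=SC2086
  openssl req -x509 -newkey $keyspec -nodes -keyout "$tmp/ca.key" -out "$tmp/ca.crt" \
    -subj "/CN=Sample OpenVPN CA (constructed)" -days 1 2>/dev/null
  {
    echo "client"
    echo "remote vpn.example.com 1194 udp"   # assumed hostname, demo only
    echo "<ca>"
    cat "$tmp/ca.crt"
    echo "</ca>"
  } > "$out"
  rm -rf "$tmp"
}

# Walk a directory of profiles and flag the ones still carrying a weak CA.
demo() {
  dir=$(mktemp -d)
  make_sample_profile "rsa:1024" "$dir/legacy-1024.ovpn"
  make_sample_profile "rsa:2048" "$dir/rsa-2048.ovpn"
  make_sample_profile "ec -pkeyopt ec_paramgen_curve:secp384r1" "$dir/secp384r1.ovpn"
  for p in "$dir"/*.ovpn; do
    if ovpn_ca_ok "$p"; then status="OK"; else status="WEAK CA, re-issue this profile"; fi
    printf '%s: %s[%s]\n' "$(basename "$p")" "$(ovpn_ca_keys "$p" | tr '\n' ' ')" "$status"
  done
  rm -rf "$dir"
}

demo
```

Run it against a profile downloaded after the new CA was created and you should see "rsaEncryption 2048" or "id-ecPublicKey 384" depending on which algorithm you chose; a profile that still reports "rsaEncryption 1024" was issued under the old CA and stops working as soon as that CA is deleted. Because the check only reads the embedded certificate, it can be run on exported profiles without contacting the server.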

Plan to delete your old CA and certificates

The warning message about the presence of a 1024-bit CA only disappears once the last 1024-bit CA has been removed from the server. Only take this final step once you are sure that all of your users are connecting with the new profiles issued under the new CA: deleting the old CA prevents the old connection profiles from connecting at all. In the Admin UI you can see which profiles are associated with the old CA, and for each user profile you can see when it was last used, which tells you whether anyone is still relying on it. If you are satisfied that your users have migrated to new profiles and the old CA can be deleted, follow the steps below. Deleting a CA forces a service-level restart of your Access Server, which temporarily disconnects currently connected VPN clients.

Prior to deleting, you can review all of the associated user profiles for your old CA:

  1. Sign in to the Admin Web UI.
  2. Click Configuration > CA Management.
  3. Click View Profiles for the old CA.
  4. Review the user profiles associated with the old CA.

Delete the old CA:

  1. Sign in to the Admin Web UI.
  2. Click Configuration > CA Management.
  3. Click Delete for the old CA.
  4. Review the notification window and check the box, “Delete this CA and all associated User Profiles”.
  5. Click Delete.
  6. Click Update Running Server.