| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114 |
- <!DOCTYPE html>
- <html lang="en" xmlns="http://www.w3.org/1999/xhtml">
- <head>
- <title>Replace OpenVPN Access Server VPN Server and CA Certificates</title>
- <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
- <meta charset="UTF-8">
- <meta name="keywords" content="OpenVPN,OpenVPN Access Server,Access Server,PKI,Private Key Infrastructure,Certificates,CA,Certificate Authority,How To,Tutorial,i12bretro">
- <meta name="author" content="i12bretro">
- <meta name="description" content="Replace OpenVPN Access Server VPN Server and CA Certificates">
- <meta name="viewport" content="width=device-width, initial-scale=1.0">
- <meta name="revised" content="10/24/2022 10:38:49 AM" />
- <link rel="icon" type="image/x-icon" href="includes/favicon.ico">
- <script type="text/javascript" src="https://code.jquery.com/jquery-3.5.1.min.js"></script>
- <script type="text/javascript" src="includes/js/steps.js"></script>
- <link href="css/steps.css" rel="stylesheet" type="text/css" />
- </head>
- <body>
- <div id="gridContainer">
- <div class="topMargin"></div>
- <div id="listName" class="topMargin">
- <h1>Replace OpenVPN Access Server VPN Server and CA Certificates</h1>
- </div>
- <div></div>
- <div id="content">
- <p>NOTE: Following this procedure will invalidate any client certificates currently in use with the OpenVPN Access Server. These clients will need to re-download their certificates from the OpenVPN Access Server to get connected using the updated certificates</p>
- <h2>Prerequisites</h2>
- <ul>
- <li class="noCheckbox">A XCA PKI database <a href="https://youtu.be/ezzj3x207lQ" target="_blank">https://youtu.be/ezzj3x207lQ</a></li>
- </ul>
- <h2>Create OpenVPN Server Certificate</h2>
- <ol>
- <li>Launch XCA</li>
- <li>Open the PKI database if it is not already (File > Open DataBase), enter password</li>
- <li>Click on the Certificates tab, right click on your Intermediate CA certificate</li>
- <li>Select New</li>
- <li>On the Source tab, make sure Use this Certificate for signing is selected</li>
- <li>Verify your Intermediate CA certificate is selected from the drop down</li>
- <li>Click the Subject tab</li>
- <li>Complete the Distinguished Name section
- <p>internalName: OpenVPN CA<br />
- countryName: US<br />
- stateOrProvinceName: Virginia<br />
- localityName: Northern<br />
- organizationName: i12bretro<br />
- organizationUnitName: i12bretro Certificate Authority<br />
- commonName: OpenVPN CA</p>
- </li>
- <li>Click the Generate a New Key button</li>
- <li>Enter a name and set the key size to at least 2048</li>
- <li>Click Create</li>
- <li>Click on the Extensions tab</li>
- <li>Select Certificate Authority from the type list</li>
- <li>Update the validity dates to fit your needs</li>
- <li>Click the Key Usage tab</li>
- <li>Under Key Usage select Digital Signature, Key Agreement and Certificate Sign</li>
- <li>Click OK to create the certificate</li>
- <li>Click on the Certificates tab, right click on your Intermediate CA certificate again</li>
- <li>Select New</li>
- <li>On the Source tab, make sure Use this Certificate for signing is selected</li>
- <li>Verify your Intermediate CA certificate is selected from the drop down</li>
- <li>Click the Subject tab</li>
- <li>Complete the Distinguished Name section
- <p>internalName: OpenVPN Server<br />
- countryName: US<br />
- stateOrProvinceName: Virginia<br />
- localityName: Northern<br />
- organizationName: i12bretro<br />
- organizationUnitName: i12bretro Certificate Authority<br />
- commonName: vpn.i12bretro.local</p>
- </li>
- <li>Click the Generate a New Key button</li>
- <li>Enter a name and set the key size to at least 2048</li>
- <li>Click Create</li>
- <li>Click on the Extensions tab</li>
- <li>Set the Type dropdown to End Endity</li>
- <li>Check the box next to Subject Key Identifier</li>
- <li>Update the validity dates to fit your needs</li>
- <li>Click the Key Usage tab</li>
- <li>Under Key Usage select Digital Signature and Key Encipherment</li>
- <li>Under Extended Key Usage select TLS Web Server Authentication</li>
- <li>Click the Netscape tab</li>
- <li>Deselect all options and clear the Netscape Comment field</li>
- <li>Click OK to create the certificate</li>
- </ol>
- <h2>Updating OpenVPN Access Server With New Certificates</h2>
- <ol>
- <li>Open a web browser and navigate to phpMyAdmin</li>
- <li>Expand as > as_certs > certificates</li>
- <li>Check the boxes next to OpenVPN CA and OpenVPN Server > Select edit below the table</li>
- <li>In XCA, click on the Certificates tab > right click on the OpenVPN CA > Export > Clipboard</li>
- <li>Back in phpMyAdmin, clear the cert field for the OpenVPN CA and paste the contents of the clipboard</li>
- <li>In XCA, click on the Private Keys tab > right click on the OpenVPN CA > Export > Clipboard</li>
- <li>Make sure the format dropdown is set to PKCS #8 > Click OK</li>
- <li>Back in phpMyAdmin, clear the priv_key field for the OpenVPN CA and paste the contents of the clipboard</li>
- <li>In XCA, click on the Certificates tab > right click on the OpenVPN Server > Export > Clipboard</li>
- <li>Back in phpMyAdmin, clear the cert field for the OpenVPN Server and paste the contents of the clipboard</li>
- <li>In XCA, click on the Private Keys tab > right click on the OpenVPN Server > Export > Clipboard</li>
- <li>Make sure the format dropdown is set to PKCS #8 > Click OK</li>
- <li>Back in phpMyAdmin, clear the priv_key field for the OpenVPN Server and paste the contents of the clipboard</li>
- <li>Log into the OpenVPN Access Server admin interface https://DNSorIP:943/admin</li>
- <li>Click the Stop VPN services button</li>
- <li>Click the Confirm Stop button</li>
- <li>Click the Start VPN services button</li>
- </ol> </div>
- </div>
- </body>
- </html>
-
|
