Reissuing an expired certificate on an OpenVPN server

When connecting to the OpenVPN server, the client log suddenly shows an error:

Mon Nov 19 05:42:24 2018 VERIFY ERROR: depth=1, error=certificate has expired: C=RU, ST=ru, L=Moscow, O=Domain, CN=Domain CA, [email protected]
Mon Nov 19 05:42:24 2018 OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
Mon Nov 19 05:42:24 2018 TLS_ERROR: BIO read tls_read_plaintext error
Mon Nov 19 05:42:24 2018 TLS Error: TLS object -> incoming plaintext read error
Mon Nov 19 05:42:24 2018 TLS Error: TLS handshake failed

After investigation, it turned out that the certification authority certificate (ca.crt) used by the OpenVPN server had expired.

To fix this error, we reissue the self-signed certificate of the certification authority, re-signing it with the existing CA key (ca.key) so that certificates already issued under this CA remain valid:

[[email protected] keys]# openssl x509 -in ca.crt -days 3650 -out ca-new.crt -signkey ca.key
Getting Private key

Where:

ca.crt - the expired certificate
ca-new.crt - the new certificate
ca.key - the CA's private key
3650 - validity period, in days

The old certificate file ca.crt can be deleted and the new one (ca-new.crt) renamed to ca.crt. Keep ca.key: it is the key that signed the new certificate and is needed to issue further certificates.

Check that an existing client certificate still verifies against the new CA certificate:

[[email protected] keys]# openssl verify -CAfile ca.crt client-username.crt
client-username.crt: OK

Next, we reissue the server certificate using the easy-rsa 2.0 scripts:

[[email protected] keys]# cd ../
[[email protected] 2.0]# . ./vars
[[email protected] 2.0]# ./build-key-server server

and restart OpenVPN:

[[email protected] keys]# service openvpn restart

Now, for users to be able to connect to the OpenVPN server again, they need to replace the old certification authority certificate (ca.crt) in their client configuration on their PC with the new one.
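The whole renewal above, reproduced on a throwaway CA so it can be tried before touching a production server. This is an added example, not part of the original post; it assumes the openssl CLI is on PATH, and all file names, subjects and the temp directory are constructed for the demo. The expiry check with -checkend is the step a practitioner would add so the CA is renewed before clients start failing.

```shell
#!/bin/sh
# Added example (not from the original post): renew a CA certificate with the
# same key, as on the page, and check the result with openssl.
# Assumes the openssl CLI is on PATH; every name and path here is constructed.
set -eu

# Return 0 if CERT expires within SECONDS (needs renewing), 1 otherwise.
cert_expires_within() {
    cert=$1; secs=$2
    if openssl x509 -noout -checkend "$secs" -in "$cert" >/dev/null; then
        return 1          # still valid beyond the window
    fi
    return 0              # will expire within the window
}

# The renewal step from the page: re-sign the existing CA certificate with
# the same CA key, so certificates already issued under it keep verifying.
renew_ca_cert() {
    old=$1; key=$2; new=$3; days=$4
    openssl x509 -in "$old" -days "$days" -signkey "$key" -out "$new" 2>/dev/null
}

# Return 0 if CERT chains to CAFILE (same check as "openssl verify" on the page).
verify_against_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# End-to-end demo: 1-day CA, client cert issued under it, renewal, re-check.
demo_renew() {
    work=$(mktemp -d); cd "$work"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
        -keyout ca.key -out ca.crt 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=client-demo" \
        -keyout client.key -out client.csr 2>/dev/null
    openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 365 -out client.crt 2>/dev/null

    # 2592000 s = 30 days: the old CA is flagged, the renewed one is not,
    # and the client cert issued under the old CA still verifies.
    cert_expires_within ca.crt 2592000 || { echo "CA not expiring soon"; return 1; }
    renew_ca_cert ca.crt ca.key ca-new.crt 3650
    cert_expires_within ca-new.crt 2592000 && { echo "renewal failed"; return 1; }
    verify_against_ca ca-new.crt client.crt || { echo "client cert broken"; return 1; }
    echo "CA renewed in $work; existing client certificate still verifies"
}

if [ "${DEMO_SKIP:-0}" = 0 ]; then demo_renew; fi
```

On a real server, run cert_expires_within against the live ca.crt from cron; a non-zero exit from -checkend is the signal to schedule the renewal and client ca.crt rollout.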
