Replace OpenVPN Access Server VPN Server and CA Certificates
Full steps can be found at https://i12bretro.github.io/tutorials/0214.html
NOTE: Following this procedure will invalidate any client certificates currently in use with the OpenVPN Access Server. Those clients will need to re-download their certificates from the OpenVPN Access Server to connect using the updated certificates.
--------------------------------------------------------------------
Prerequisites
--------------------------------------------------------------------
- An XCA PKI database https://youtu.be/ezzj3x207lQ
--------------------------------------------------------------------
Create OpenVPN Server Certificate
--------------------------------------------------------------------
01. Launch XCA
02. Open the PKI database if it is not already open (File ≫ Open DataBase) and enter the password
03. Click on the Certificates tab, right click on your Intermediate CA certificate
04. Select New
05. On the Source tab, make sure Use this Certificate for signing is selected
06. Verify your Intermediate CA certificate is selected from the drop down
07. Click the Subject tab
08. Complete the Distinguished Name section
internalName: OpenVPN CA
countryName: US
stateOrProvinceName: Virginia
localityName: Northern
organizationName: i12bretro
organizationUnitName: i12bretro Certificate Authority
commonName: OpenVPN CA
09. Click the Generate a New Key button
10. Enter a name and set the key size to at least 2048
11. Click Create
12. Click on the Extensions tab
13. Select Certificate Authority from the type list
14. Update the validity dates to fit your needs
15. Click the Key Usage tab
16. Under Key Usage select Digital Signature, Key Agreement and Certificate Sign
17. Click OK to create the certificate
18. Click on the Certificates tab, right click on your Intermediate CA certificate again
19. Select New
20. On the Source tab, make sure Use this Certificate for signing is selected
21. Verify your Intermediate CA certificate is selected from the drop down
22. Click the Subject tab
23. Complete the Distinguished Name section
internalName: OpenVPN Server
countryName: US
stateOrProvinceName: Virginia
localityName: Northern
organizationName: i12bretro
organizationUnitName: i12bretro Certificate Authority
commonName: vpn.i12bretro.local
24. Click the Generate a New Key button
25. Enter a name and set the key size to at least 2048
26. Click Create
27. Click on the Extensions tab
28. Set the Type dropdown to End Entity
29. Check the box next to Subject Key Identifier
30. Update the validity dates to fit your needs
31. Click the Key Usage tab
32. Under Key Usage select Digital Signature and Key Encipherment
33. Under Extended Key Usage select TLS Web Server Authentication
34. Click the Netscape tab
35. Deselect all options and clear the Netscape Comment field
36. Click OK to create the certificate
--------------------------------------------------------------------
Updating OpenVPN Access Server With New Certificates
--------------------------------------------------------------------
01. Open a web browser and navigate to phpMyAdmin
02. Expand as ≫ as_certs ≫ certificates
03. Check the boxes next to OpenVPN CA and OpenVPN Server ≫ Select edit below the table
04. In XCA, click on the Certificates tab ≫ right click on the OpenVPN CA ≫ Export ≫ Clipboard
05. Back in phpMyAdmin, clear the cert field for the OpenVPN CA and paste the contents of the clipboard
06. In XCA, click on the Private Keys tab ≫ right click on the OpenVPN CA ≫ Export ≫ Clipboard
07. Make sure the format dropdown is set to PKCS #8 ≫ Click OK
08. Back in phpMyAdmin, clear the priv_key field for the OpenVPN CA and paste the contents of the clipboard
09. In XCA, click on the Certificates tab ≫ right click on the OpenVPN Server ≫ Export ≫ Clipboard
10. Back in phpMyAdmin, clear the cert field for the OpenVPN Server and paste the contents of the clipboard
11. In XCA, click on the Private Keys tab ≫ right click on the OpenVPN Server ≫ Export ≫ Clipboard
12. Make sure the format dropdown is set to PKCS #8 ≫ Click OK
13. Back in phpMyAdmin, clear the priv_key field for the OpenVPN Server and paste the contents of the clipboard
14. Log into the OpenVPN Access Server admin interface https://DNSorIP:943/admin
15. Click the Stop VPN services button
16. Click the Confirm Stop button
17. Click the Start VPN services button
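
Before pasting the exports into phpMyAdmin, the certificates and keys can be checked with openssl so that a mismatched key or a wrong export format is caught before the VPN services are restarted. This is an added example, not part of the original tutorial; it assumes the four items were exported from XCA to PEM files instead of the clipboard, and the function names are hypothetical.

```sh
#!/bin/sh
# Added example: pre-flight checks on PEM files exported from XCA.
# Function and file names are assumptions, not part of the tutorial.

# Unencrypted PKCS #8 PEM opens with this RFC 7468 label; the traditional
# format opens with "BEGIN RSA PRIVATE KEY" instead.
is_pkcs8_pem() {
    head -n 1 "$1" | tr -d '\r' | grep -qx -e '-----BEGIN PRIVATE KEY-----'
}

# A key belongs to a certificate when both yield the same public key.
key_matches_cert() {  # $1 = certificate, $2 = private key
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# OpenVPN CA: created with type Certificate Authority.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# OpenVPN Server: Key Encipherment plus TLS Web Server Authentication.
is_server_cert() {
    text=$(openssl x509 -in "$1" -noout -text) || return 1
    printf '%s\n' "$text" | grep -q 'Key Encipherment' &&
        printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication'
}

check() {  # $1 = label, remaining arguments = check to run
    label=$1; shift
    if "$@"; then echo "OK    $label"; else echo "FAIL  $label"; return 1; fi
}

# $1 = CA cert, $2 = CA key, $3 = server cert, $4 = server key
preflight() {
    rc=0
    check "CA key is PKCS #8"           is_pkcs8_pem "$2" || rc=1
    check "server key is PKCS #8"       is_pkcs8_pem "$4" || rc=1
    check "CA key matches CA cert"      key_matches_cert "$1" "$2" || rc=1
    check "server key matches its cert" key_matches_cert "$3" "$4" || rc=1
    check "CA cert has CA:TRUE"         is_ca_cert "$1" || rc=1
    check "server cert has serverAuth"  is_server_cert "$3" || rc=1
    return "$rc"
}

# Run only when four file paths are supplied on the command line.
if [ "$#" -eq 4 ]; then preflight "$@"; fi
```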