Do I have to generate new ca & server certs?

Post by bk6662 » Wed Aug 24, 2016 2:08 pm

Good morning,

After getting my VPN working and testing on a Kali client, I moved on to my next task: getting OpenVPN working on my Yealink VoIP phone. I spent days on this, but couldn't get it working. I'd see multiple server log entries indicating a TLS mismatch.

Yesterday I finally found a post indicating the problem is that my phone only supports SHA1, whereas my VPN certificates are signed with SHA256. I don't remember seeing this option when I generated the CA, Client & Server certificates. I guess the best solution is to get a new phone that supports SHA256 & higher. But in the meantime I have a few questions.

- Can I generate new certificates using SHA1?
- How do I specify which signing algorithm I use (SHA1 or SHA256)?
- If I did this, would I need to rebuild certificates for my existing VPN clients? Or is it possible to generate a CA only for the phone, but continue to use existing certificates for existing clients?

I'm still really green in this area; would really appreciate if anybody can point me to documentation that clearly defines the different certificates, scope, and how they are implemented in OpenVPN.

Thank you!
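The post attributes the handshake failure to the digest that signed the certificates. As an added example (not part of the original post), this script reports the signature digest of each certificate so that premise can be checked before anything is reissued; it assumes `openssl` is installed, and the function names and the throwaway demo certificate are constructed for illustration.

```bash
# Added example: report which digest signed each certificate in a PKI.
# Assumptions: openssl is on PATH; all names below are hypothetical.

# Print the signature algorithm of one PEM certificate,
# e.g. sha256WithRSAEncryption. Prints nothing if the file is unreadable.
sig_alg() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        awk -F': *' '/Signature Algorithm/ { print $2; exit }'
}

# Map a signature algorithm name to the digest family a peer must support.
digest_of() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        *sha1*)                              echo sha1 ;;
        *sha224*|*sha256*|*sha384*|*sha512*) echo sha2 ;;
        *md5*)                               echo md5 ;;
        *)                                   echo unknown ;;
    esac
}

# Audit every certificate passed as an argument.
# Returns 1 if any certificate is not signed with a SHA-2 digest.
audit_certs() {
    local rc=0 f alg fam
    for f in "$@"; do
        alg=$(sig_alg "$f")
        fam=$(digest_of "$alg")
        printf '%-32s %-26s %s\n' "$f" "${alg:-unreadable}" "$fam"
        [ "$fam" = sha2 ] || rc=1
    done
    return $rc
}

# Constructed sample input: a throwaway self-signed certificate, SHA-256 signed.
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=constructed-demo" -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

demo_dir=$(mktemp -d)
make_demo_cert "$demo_dir/demo" && audit_certs "$demo_dir/demo.crt"
```

Run `audit_certs` against the CA, server and client certificate files to see which of them a SHA1-only peer could not validate.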
