server certificate expired how to fix step by step

Scripts to manage certificates or generate config files

Moderators: TinCanTech

danygug
OpenVpn Newbie
Posts: 1
Joined: Thu Feb 22, 2024 4:03 pm

server certificate expired how to fix step by step

Post by danygug » Thu Feb 22, 2024 4:12 pm

You need to replace only the server.crt and server.key files.
No change is needed on the client side.

1. Delete the old server.crt, key and all files related to it.
In my case (Debian Linux):
rm /etc/easy-rsa/pki/private/server.key
rm /etc/easy-rsa/pki/issued/server.crt
rm /etc/easy-rsa/pki/reqs/server.req (maybe you will not have this file, so ignore and continue)

2. Generate a new certificate named server.crt.
Go to your easyrsa folder (in my case cd /etc/easy-rsa)
and run
./easyrsa build-server-full server nopass

3. Find your newly generated certificate in
* easy-rsa/pki/issued folder and validate that you have a new server.crt by file creation date.
* easy-rsa/pki/private folder and validate that you have a new server.key by file creation date.

4. Ensure that the server.crt expiry date is plus 2 years from now. Run
openssl x509 -in /etc/easy-rsa/pki/issued/server.crt -text -noout | grep "Not After"

or

server.crt is a regular text file, so open it and find the "Not After" line in the Validity section to validate
the expiration date. It should be good for 2 years from now.

5. Copy the new server.crt and server.key to the openvpn server folders

copy easy-rsa/pki/issued/server.crt to /etc/openvpn/server/issued
copy easy-rsa/pki/private/server.key to /etc/openvpn/server/private

6. Now you must restart the openvpn service.
Run
systemctl restart openvpn or sudo systemctl restart openvpn
In my case it did not work, so I restarted my Linux server and it worked after the server restart.
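
Added example, not part of the original post: a shell function that runs the expiry check from step 4 and also confirms that the new server.key matches server.crt and that the certificate verifies against the CA, before the files are copied in step 5. The function name, the return codes and the ca.crt path in the usage comment are assumptions; the key is assumed to be unencrypted (nopass).

```shell
#!/bin/sh
# Added example: pre-deployment checks for a newly issued OpenVPN server cert.
#
# Usage (paths follow the post; the ca.crt location is an assumption):
#   check_server_cert /etc/easy-rsa/pki/issued/server.crt \
#       /etc/easy-rsa/pki/private/server.key /etc/easy-rsa/pki/ca.crt 30
#
# Return codes (hypothetical, chosen for this example):
#   0 = all checks passed      1 = an input file is not readable
#   2 = expires within MIN_DAYS 3 = private key does not match certificate
#   4 = certificate does not verify against the CA
check_server_cert() {
    cert=$1; key=$2; ca=$3; min_days=$4

    [ -r "$cert" ] && [ -r "$key" ] && [ -r "$ca" ] || return 1

    # -checkend exits non-zero if the certificate expires within N seconds.
    openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) \
        >/dev/null 2>&1 || return 2

    # The public key embedded in the certificate must be identical to the
    # public key derived from the private key that will be deployed with it.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] || return 3

    # Clients validate the server against the CA they already trust, so the
    # new certificate must chain to that same CA for "no change on clients".
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || return 4

    return 0
}
```

Run it after step 3; a non-zero return code means the files should not be copied or the service restarted yet.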

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: server certificate expired how to fix step by step

Post by TinCanTech » Fri Feb 23, 2024 6:28 pm

Which version of Easy-RSA are you using?

Modern Easy-RSA can renew a certificate.

Also, your how-to is technically incorrect and bad practice.
