Page 1 of 1

server certificate expired how to fix step by step

Posted: Thu Feb 22, 2024 4:12 pm
by danygug
need to replace only server.crt and server.key files
no change needed at clients side

1. delete old server.crt key and all files related to it
in my case (debian linux):
rm /etc/easy-rsa/pki/private/server.key
rm /etc/easy-rsa/pki/issued/server.crt
rm /etc/easy-rsa/pki/private/server.key
rm /etc/easy-rsa/pki/reqs/server.req (maybe you will not have this file so ignore and continue)

2. generate new certificate named server.crt
go to your easyrsa folder (in my case cd /etc/easy-rsa)
and run
./easyrsa build-server-full server nopass

3. find your new generated certifiacte in
* easy-rsa/pki/issued folder and validate that you have new server.crt by file creation date.
* easy-rsa/pki/private folder and validate that you have new server.key by file creation date.

4. Ensure that server.crt expire date is plus 2 years from now. run
openssl x509 -in /etc/easy-rsa/pki/issued/server.crt -text -noout | grep "Not After"

or

server.crt is regular txt file so open it and find Validity section "Not After" line to validate
expiration date. it shoud be good for 2 years from now.

5. Copy new server.crt and server.key to openvpn server folders

copy easy-rsa/pki/issued/server.crt to /etc/openvpn/server/issued
copy easy-rsa/pki/privateserver.key to /etc/openvpn/server/private

6. Now you must restart openvpn service
run
systemctl restart openvpn or sudo systemctl restart openvpn
in my case it did not work so i restarted my linux server and it worked after server restart

Re: server certificate expired how to fix step by step

Posted: Fri Feb 23, 2024 6:28 pm
by TinCanTech
Which version of Easy-RSA are you using ?

Modern Easy-RSA can renew a certificate.

Also, your how-to is technically incorrect and bad practice.

Re: server certificate expired how to fix step by step

Posted: Fri Aug 23, 2024 10:21 pm
by camdenjc
I cannot figure out how to make a new topic, but anyway I am really struggling with setting up OpenVPN connection to Araknis first I get this error message "No server certificate verification method has been enabled." I put something in the config file I read to get around that then I was have a TLS negotiation/handoff issue. If anyone could help me through this it would be greatly appreciated.