server certificate expired how to fix step by step

Scripts to manage certificates or generate config files

Moderators: TinCanTech, TinCanTech, TinCanTech, TinCanTech, TinCanTech, TinCanTech

Post Reply
OpenVpn Newbie
Posts: 1
Joined: Thu Feb 22, 2024 4:03 pm

server certificate expired how to fix step by step

Post by danygug » Thu Feb 22, 2024 4:12 pm

need to replace only server.crt and server.key files
no change needed at clients side

1. delete old server.crt key and all files related to it
in my case (debian linux):
rm /etc/easy-rsa/pki/private/server.key
rm /etc/easy-rsa/pki/issued/server.crt
rm /etc/easy-rsa/pki/private/server.key
rm /etc/easy-rsa/pki/reqs/server.req (maybe you will not have this file so ignore and continue)

2. generate new certificate named server.crt
go to your easyrsa folder (in my case cd /etc/easy-rsa)
and run
./easyrsa build-server-full server nopass

3. find your new generated certifiacte in
* easy-rsa/pki/issued folder and validate that you have new server.crt by file creation date.
* easy-rsa/pki/private folder and validate that you have new server.key by file creation date.

4. Ensure that server.crt expire date is plus 2 years from now. run
openssl x509 -in /etc/easy-rsa/pki/issued/server.crt -text -noout | grep "Not After"


server.crt is regular txt file so open it and find Validity section "Not After" line to validate
expiration date. it shoud be good for 2 years from now.

5. Copy new server.crt and server.key to openvpn server folders

copy easy-rsa/pki/issued/server.crt to /etc/openvpn/server/issued
copy easy-rsa/pki/privateserver.key to /etc/openvpn/server/private

6. Now you must restart openvpn service
systemctl restart openvpn or sudo systemctl restart openvpn
in my case it did not work so i restarted my linux server and it worked after server restart

OpenVPN Protagonist
Posts: 11136
Joined: Fri Jun 03, 2016 1:17 pm

Re: server certificate expired how to fix step by step

Post by TinCanTech » Fri Feb 23, 2024 6:28 pm

Which version of Easy-RSA are you using ?

Modern Easy-RSA can renew a certificate.

Also, your how-to is technically incorrect and bad practice.

Post Reply