server certificate expired how to fix step by step

Posted: Thu Feb 22, 2024 4:12 pm
by danygug
You need to replace only the server.crt and server.key files.
No change is needed on the client side.

1. Delete the old server.crt, key and all files related to it.
In my case (Debian Linux):
rm /etc/easy-rsa/pki/private/server.key
rm /etc/easy-rsa/pki/issued/server.crt
rm /etc/easy-rsa/pki/reqs/server.req (maybe you will not have this file, so ignore and continue)

2. Generate a new certificate named server.crt.
Go to your easyrsa folder (in my case cd /etc/easy-rsa)
and run
./easyrsa build-server-full server nopass

3. Find your newly generated certificate in
* easy-rsa/pki/issued folder and validate that you have a new server.crt by file creation date.
* easy-rsa/pki/private folder and validate that you have a new server.key by file creation date.

4. Ensure that the server.crt expiry date is plus 2 years from now. Run
openssl x509 -in /etc/easy-rsa/pki/issued/server.crt -text -noout | grep "Not After"

server.crt is a regular text file, so open it and find the Validity section "Not After" line to validate
the expiration date. It should be good for 2 years from now.

5. Copy the new server.crt and server.key to the openvpn server folders

copy easy-rsa/pki/issued/server.crt to /etc/openvpn/server/issued
copy easy-rsa/pki/private/server.key to /etc/openvpn/server/private

6. Now you must restart the openvpn service
systemctl restart openvpn or sudo systemctl restart openvpn
In my case it did not work, so I restarted my Linux server and it worked after the server restart.
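
A check that could be run between steps 4 and 5 of the post above, added here as an example and not part of the original post: it confirms that the new server.crt is signed by the existing CA (the condition under which clients need no change), that it matches server.key, and that it has enough validity left. The function names, the 700-day threshold and the pki/ca.crt location (the Easy-RSA 3 default layout) are assumptions.

```shell
#!/bin/sh
# Added example: sanity checks for a re-issued OpenVPN server certificate.
# Requires the openssl CLI; assumes an unencrypted key (built with "nopass").

# True if the certificate's public key equals the private key's public half.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# True if the certificate is still valid N days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# True if the certificate verifies against the CA file that clients trust.
cert_signed_by_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Run all three checks; report every failure, return non-zero if any failed.
check_server_cert() {
    ca=$1; cert=$2; key=$3; min_days=$4; rc=0
    cert_signed_by_ca "$ca" "$cert" ||
        { echo "FAIL: $cert is not signed by $ca" >&2; rc=1; }
    cert_matches_key "$cert" "$key" ||
        { echo "FAIL: $key does not belong to $cert" >&2; rc=1; }
    cert_valid_for_days "$cert" "$min_days" ||
        { echo "FAIL: $cert expires in under $min_days days" >&2; rc=1; }
    [ "$rc" -eq 0 ] && openssl x509 -in "$cert" -noout -subject -enddate
    return "$rc"
}

# Runs only when four arguments are given, for example (ca.crt path assumed):
#   sh check.sh /etc/easy-rsa/pki/ca.crt /etc/easy-rsa/pki/issued/server.crt \
#               /etc/easy-rsa/pki/private/server.key 700
if [ "$#" -eq 4 ]; then check_server_cert "$@"; fi
```

A non-zero exit means the files should not be copied into /etc/openvpn/server yet.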

Re: server certificate expired how to fix step by step

Posted: Fri Feb 23, 2024 6:28 pm
by TinCanTech
Which version of Easy-RSA are you using?

Modern Easy-RSA can renew a certificate.

Also, your how-to is technically incorrect and bad practice.