安装Replace OpenVPN Access Server VPN Server and CA Certificates

NOTE: Following this procedure will invalidate any client certificates currently in use with the OpenVPN Access Server. These clients will need to re-download their certificates from the OpenVPN Access Server to get connected using the updated certificates

Prerequisites

• A XCA PKI database https://youtu.be/ezzj3x207lQ

Create OpenVPN Server Certificate

1. Launch XCA
2. Open the PKI database if it is not already (File > Open DataBase), enter password
3. Click on the Certificates tab, right click on your Intermediate CA certificate
4. Select New
5. On the Source tab, make sure Use this Certificate for signing is selected
6. Verify your Intermediate CA certificate is selected from the drop down
7. Click the Subject tab
8. Complete the Distinguished Name section

   internalName: OpenVPN CA
   countryName: US
   stateOrProvinceName: Virginia
   localityName: Northern
   organizationName: i12bretro
   organizationUnitName: i12bretro Certificate Authority
   commonName: OpenVPN CA

9. Click the Generate a New Key button
10. Enter a name and set the key size to at least 2048
11. Click Create
12. Click on the Extensions tab
13. Select Certificate Authority from the type list
14. Update the validity dates to fit your needs
15. Click the Key Usage tab
16. Under Key Usage select Digital Signature, Key Agreement and Certificate Sign
17. Click OK to create the certificate
18. Click on the Certificates tab, right click on your Intermediate CA certificate again
19. Select New
20. On the Source tab, make sure Use this Certificate for signing is selected
21. Verify your Intermediate CA certificate is selected from the drop down
22. Click the Subject tab
23. Complete the Distinguished Name section

    internalName: OpenVPN Server
    countryName: US
    stateOrProvinceName: Virginia
    localityName: Northern
    organizationName: i12bretro
    organizationUnitName: i12bretro Certificate Authority
    commonName: vpn.i12bretro.local

24. Click the Generate a New Key button
25. Enter a name and set the key size to at least 2048
26. Click Create
27. Click on the Extensions tab
28. Set the Type dropdown to End Endity
29. Check the box next to Subject Key Identifier
30. Update the validity dates to fit your needs
31. Click the Key Usage tab
32. Under Key Usage select Digital Signature and Key Encipherment
33. Under Extended Key Usage select TLS Web Server Authentication
34. Click the Netscape tab
35. Deselect all options and clear the Netscape Comment field
36. Click OK to create the certificate

Updating OpenVPN Access Server With New Certificates

1. Open a web browser and navigate to phpMyAdmin
2. Expand as > as_certs > certificates
3. Check the boxes next to OpenVPN CA and OpenVPN Server > Select edit below the table
4. In XCA, click on the Certificates tab > right click on the OpenVPN CA > Export > Clipboard
5. Back in phpMyAdmin, clear the cert field for the OpenVPN CA and paste the contents of the clipboard
6. In XCA, click on the Private Keys tab > right click on the OpenVPN CA > Export > Clipboard
7. Make sure the format dropdown is set to PKCS #8 > Click OK
8. Back in phpMyAdmin, clear the priv_key field for the OpenVPN CA and paste the contents of the clipboard
9. In XCA, click on the Certificates tab > right click on the OpenVPN Server > Export > Clipboard
10. Back in phpMyAdmin, clear the cert field for the OpenVPN Server and paste the contents of the clipboard
11. In XCA, click on the Private Keys tab > right click on the OpenVPN Server > Export > Clipboard
12. Make sure the format dropdown is set to PKCS #8 > Click OK
13. Back in phpMyAdmin, clear the priv_key field for the OpenVPN Server and paste the contents of the clipboard
14. Log into the OpenVPN Access Server admin interface https://DNSorIP:943/admin
15. Click the Stop VPN services button
16. Click the Confirm Stop button
17. Click the Start VPN services button