Netgate Discussion Forum
    Server Certificate will expire

      M0L50N

      Hi,

      My CA will expire in 9 years
      My server certificate will expire December 12th
      My client certificate will expire in 9 years

      I'm with pfSense 2.5.2, FreeBSD 12.2

      How can I simply renew my server certificate without any change to my clients? I don't want to send new config files to everyone.

      Thanks for your suggestions!

        viragomann @M0L50N

        @m0l50n
        Changes on the client are only necessary if you have to renew the client's cert or the CA.

        For the server cert, simply generate a new one using the proper CA and assign it to the OpenVPN server instance.

          M0L50N @viragomann

          @viragomann

          Thanks for your answer.

          If I understand well, the server is only useful to create users, right? No validation during login? These validations are made with the CA, right?

          What would be your advice: delete the actual server and recreate a new one with exactly the same name? Or leave the actual server there and create a new one that I will assign to the proper CA?

          I really thank you in advance!

          By the way, I wouldn't want to abuse your knowledge, but if you just have a cue for me about the best way to add 2FA to my OpenVPN server, it would be really appreciated! :P

            viragomann @M0L50N

            @m0l50n said in Server Certificate will expire:

            If I understand well, the server is only useful to create users, right? No validation during login? These validations are made with the CA, right?

            Both users and server certificates are created from the CA.
            When the clients connect, they may check if the server certificate fits to the CA (they have the CA's public cert).
            The server on its part checks if the client certs fit to the CA.

            What would be your advice: delete the actual server and recreate a new one with exactly the same name? Or leave the actual server there and create a new one that I will assign to the proper CA?

            In System > Certificate Manager > Certificates, look for the expiring server certificate. On the right side under Actions you should find a renew symbol. Just try ticking it and go forward. That might be the easiest way.
            I never needed to use it myself till now.

            Otherwise you should create a new one and assign it to the server first, so that the old one is released. You cannot delete a cert which is in use.

            but if you just have a cue for me about the best way to add 2FA to my OpenVPN server,

            No, I cannot help here.

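The trust relationship described in the answer above, as an added example that is not part of the thread: a throwaway CA built with the openssl CLI shows why a client that holds only the CA certificate accepts a renewed server certificate unchanged, and rejects a same-named certificate from another CA. The names `lab-ca`, `other-ca`, `vpn.lab.example` and all lifetimes are constructed for the demonstration.

```sh
# Added example: throwaway lab PKI; every name and lifetime here is constructed.
set -eu
LAB=$(mktemp -d); trap 'rm -rf "$LAB"' EXIT
cat > "$LAB/lab.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[srv_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
EOF

make_ca() {   # make_ca <name>: self-signed CA valid for 10 years
  openssl req -x509 -newkey rsa:2048 -nodes -config "$LAB/lab.cnf" -extensions ca_ext \
    -subj "/CN=$1" -days 3650 -keyout "$LAB/$1.key" -out "$LAB/$1.crt" 2>/dev/null
}

issue() {     # issue <ca> <cert> <days>: server cert CN=vpn.lab.example signed by <ca>
  openssl req -new -newkey rsa:2048 -nodes -config "$LAB/lab.cnf" \
    -subj "/CN=vpn.lab.example" -keyout "$LAB/$2.key" -out "$LAB/$2.csr" 2>/dev/null
  openssl x509 -req -in "$LAB/$2.csr" -CA "$LAB/$1.crt" -CAkey "$LAB/$1.key" \
    -CAcreateserial -days "$3" -extfile "$LAB/lab.cnf" -extensions srv_ext \
    -out "$LAB/$2.crt" 2>/dev/null
}

client_accepts() {  # client_accepts <cert> <days-from-now>: decision of a client that trusts only lab-ca.crt
  at=$(( $(date +%s) + $2 * 86400 ))
  if openssl verify -attime "$at" -purpose sslserver -CAfile "$LAB/lab-ca.crt" \
       "$LAB/$1.crt" >/dev/null 2>&1; then echo yes; else echo no; fi
}

make_ca lab-ca
make_ca other-ca
issue lab-ca   server-old   7     # the expiring server certificate
issue lab-ca   server-new   398   # the renewal: new certificate, same CA
issue other-ca server-rogue 398   # same CN, signed by a CA the client does not hold
echo "old cert, today:        $(client_accepts server-old 0)"
echo "old cert, in 30 days:   $(client_accepts server-old 30)"
echo "renewed, in 30 days:    $(client_accepts server-new 30)"
echo "other CA, same CN:      $(client_accepts server-rogue 0)"
```

If a client config also pins the server name with `verify-x509-name`, the renewed certificate has to keep the same subject for that check to pass.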
              M0L50N

              I confirm your solution is so simple and working very well.

              I just renewed the server certificate; the client reconnected to the server instance and continues to work like before.

              Thanks again!

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.