Description: With OpenVPN Access Server 2.9 and newer, you can use the sacli ShowCAs command to check the validity/expiration of the CA certificate (VPN certificates) on your Access Server. This command is not available in versions prior to 2.9.
The ShowCAs command is helpful if you're having VPN connection issues possibly caused by an expired certificate. With this command, you can check if your certificate is expired.
Resolution: If you can't use the ShowCAs command because you have an older Access Server version, you have two alternative ways to check if your CA certificate is expired.
Method 1:
You can check your CA certificate's validity, or expiration date, by reviewing a client profile stored in certs.db. With this method, you use the sqlite3 tool to query the certificate database for a client profile; the output includes the CA certificate information:
- Install the sqlite3 tool, if needed, by running the following command as root:
apt update && apt -y install sqlite3
- Next, query the database with the following command, replacing USERNAME with one of your valid usernames:
sqlite3 /usr/local/openvpn_as/etc/db/certs.db "select cert from certificates where username='USERNAME';"|openssl x509 -text -noout
- Review the output to determine whether the CA certificate is still valid.
Below is example output:
$ sqlite3 /usr/local/openvpn_as/etc/db/certs.db "select cert from certificates where username='USERNAME';"|openssl x509 -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 4 (0x4)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN = OpenVPN CA
Validity
Not Before: Mar 30 15:06:26 2022 GMT
Not After : Mar 28 15:06:26 2032 GMT
Subject: CN = USERNAME
The output includes the user the client profile belongs to (the Subject line) and the CA certificate information (the Issuer line). Review the validity dates to determine whether the CA certificate has expired:
Validity
Not Before: Mar 30 15:06:26 2022 GMT
Not After : Mar 28 15:06:26 2032 GMT
If your CA certificate has expired, the output looks something like this:
Validity
Not Before: Oct 26 15:06:26 2012 GMT
Not After : Oct 31 15:06:26 2022 GMT
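Added example (not from the OpenVPN article or the Access Server product): a standard-library Python 3 script that parses the `openssl x509 -text -noout` output from Method 1, reports whether the certificate is expired, and prints the Subject and Issuer lines so you can see which certificate the dates belong to. The embedded samples are constructed from the dates shown above, and the script name check_expiry.py is an assumption.

```python
import re
import sys
from datetime import datetime, timezone
# Date layout used by `openssl x509 -text` in the Validity block, e.g. "Mar 28 15:06:26 2032 GMT".
OPENSSL_DATE = "%b %d %H:%M:%S %Y %Z"
# Constructed samples, trimmed to the fields that matter, using the dates from the article.
SAMPLE_VALID = """Certificate:
    Data:
        Issuer: CN = OpenVPN CA
        Validity
            Not Before: Mar 30 15:06:26 2022 GMT
            Not After : Mar 28 15:06:26 2032 GMT
        Subject: CN = USERNAME
"""
SAMPLE_EXPIRED = SAMPLE_VALID.replace("Mar 30 15:06:26 2022", "Oct 26 15:06:26 2012") \
                             .replace("Mar 28 15:06:26 2032", "Oct 31 15:06:26 2022")

def parse_x509_text(text):
    """Pull Subject, Issuer and the validity window out of `openssl x509 -text -noout` output."""
    def field(name):
        # "Not After :" carries a space before its colon, so allow optional whitespace there.
        m = re.search(r"^\s*" + name + r"\s*:\s*(.+?)\s*$", text, re.MULTILINE)
        return m.group(1) if m else None
    nb, na = field("Not Before"), field("Not After")
    if nb is None or na is None:
        raise ValueError("no Validity block found; expected `openssl x509 -text` output")
    # openssl prints GMT; pin the parsed datetime to UTC so comparisons are unambiguous.
    to_utc = lambda s: datetime.strptime(s, OPENSSL_DATE).replace(tzinfo=timezone.utc)
    return {"subject": field("Subject"), "issuer": field("Issuer"),
            "not_before": to_utc(nb), "not_after": to_utc(na)}

def check_validity(text, now=None):
    """Classify the certificate as 'not yet valid', 'valid' or 'expired' relative to `now` (UTC)."""
    now = now or datetime.now(timezone.utc)
    info = parse_x509_text(text)
    if now < info["not_before"]:
        info["status"] = "not yet valid"
    elif now > info["not_after"]:
        info["status"] = "expired"
    else:
        info["status"] = "valid"
    info["days_remaining"] = (info["not_after"] - now).days
    return info

if __name__ == "__main__":
    # Usage: sqlite3 .../certs.db "select cert ..." | openssl x509 -text -noout | python3 check_expiry.py
    r = check_validity(sys.stdin.read())
    print(f"{r['subject']} issued by {r['issuer']}: {r['status']} (Not After {r['not_after']:%Y-%m-%d}, {r['days_remaining']} days remaining)")
    sys.exit(0 if r["status"] == "valid" else 1)
```

The exit status is non-zero for an expired or not-yet-valid certificate, so the script can be dropped into a cron job or monitoring check.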
Method 2:
You can also open a client profile and find the CA certificate information in it.
- Open a client profile file using a text editor.
- Look for the lines below; the lines between <ca> and </ca> are your CA certificate.
<ca>
-----BEGIN CERTIFICATE-----
.
.
.
-----END CERTIFICATE-----
</ca>
- Copy the content of the CA certificate between BEGIN CERTIFICATE and END CERTIFICATE.
- Use a certificate decoder to check its validity/expiration, such as https://www.sslshopper.com/certificate-decoder.html.
- The decoder displays the CA certificate's validity/expiration dates.
If you need help interpreting the results, collect the above info and submit a ticket.