Server 3.x

CA

The VPN server uses a self-signed X.509 CA for OpenVPN: it issues the OpenVPN client and server certificates.

In addition, the CA expiry is used to cap the validity of issued VPN client configurations and of the OAuth API authorizations used by the eduVPN and Let’s Connect! applications. The reason for this is that we never want to issue certificates or API authorizations that outlive the CA.

Having the VPN configurations bound to the CA expiry of course only makes sense when using OpenVPN. If your server is only using WireGuard, this would not be necessary. However, in the current server release (3.x) this is how it was done from the start, and it is hard to get rid of it now without creating special cases and exceptions. So even if you use only WireGuard, you’ll have to keep an eye on your CA.

Check CA Expiry

If you installed the VPN server with vpn-user-portal >= 3.9.16 the default lifetime of the CA is 25 years. If you installed it before then, it will be 10 years.

$ sudo openssl x509 -in /etc/vpn-user-portal/keys/ca/ca.crt -noout -enddate
notAfter=Oct 15 12:07:39 2034 GMT
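
A small monitoring check that wraps the openssl command above and turns its notAfter line into a days-remaining value with an OK/WARNING/EXPIRED status. This is an added example, not part of vpn-user-portal; the one-year warning threshold (WARN_DAYS) is an assumption chosen for the example.

```python
"""Report how long the vpn-user-portal CA certificate remains valid.

Added example (not vpn-user-portal code). It runs the same openssl
command shown in the documentation and parses its 'notAfter=' line.
"""
import subprocess
import sys
from datetime import datetime, timezone

CA_CRT = "/etc/vpn-user-portal/keys/ca/ca.crt"
WARN_DAYS = 365  # assumption: warn when less than one year of validity is left


def parse_not_after(line: str) -> datetime:
    """Parse an openssl '-enddate' line such as 'notAfter=Oct 15 12:07:39 2034 GMT'."""
    value = line.strip().split("=", 1)[1]
    # openssl pads single-digit days with two spaces ("Oct  5 ..."); normalise that.
    value = " ".join(value.split())
    # %Z accepts GMT/UTC but does not attach a tzinfo, so set UTC explicitly.
    return datetime.strptime(value, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)


def days_remaining(line: str, now: datetime) -> int:
    """Whole days between 'now' and the CA's notAfter (negative once expired)."""
    return (parse_not_after(line) - now).days


def check_ca(line: str, now: datetime, warn_days: int = WARN_DAYS) -> str:
    """Classify the CA as OK, WARNING (below threshold) or EXPIRED."""
    days = days_remaining(line, now)
    if days < 0:
        return "EXPIRED"
    if days < warn_days:
        return "WARNING"
    return "OK"


def read_not_after(path: str = CA_CRT) -> str:
    """Run the openssl command from the documentation and return its output line."""
    result = subprocess.run(["openssl", "x509", "-in", path, "-noout", "-enddate"],
                            check=True, capture_output=True, text=True)
    return result.stdout


if __name__ == "__main__":
    line = read_not_after()
    now = datetime.now(timezone.utc)
    status = check_ca(line, now)
    print(f"{status}: {line.strip()} ({days_remaining(line, now)} days left)")
    sys.exit(0 if status == "OK" else 1)
```

Run it as root (the key directory is not world-readable); a non-zero exit status lets cron or a monitoring agent pick up a CA that needs regenerating.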

Regenerate the CA

If your CA is about to expire, or you simply want to regenerate it and set an expiry further into the future, you can regenerate the CA.

NOTE: if you are using OpenVPN, your VPN clients MUST obtain a new OpenVPN configuration. When using the official VPN clients this means the user MUST manually disconnect/connect, or fully restart the client! When the user downloaded a VPN configuration through the portal, they MUST do this again!

The easiest way is to simply remove the CA key and certificate and regenerate them as shown below. If you do not want to use the default expiry lifetime of 10 years, or 25 years when using vpn-user-portal >= 3.9.16, you can set the caExpiry configuration option in /etc/vpn-user-portal/config.php. As an example, if you want it to expire in 33 years, you use this:

'caExpiry' => 'P33Y',

Now delete the existing CA, and have it regenerated:

$ sudo rm /etc/vpn-user-portal/keys/ca/ca.{crt,key}
$ sudo /usr/libexec/vpn-user-portal/generate-secrets

If you are using OpenVPN, you MUST also “apply changes” on your server and/or on your node(s). This makes sure that the OpenVPN server processes obtain a new server certificate and are properly restarted:

$ sudo vpn-maint-apply-changes