Reissue OPENVPN certificates

Luizlp10

Regular Contributor
Hi. Is there a (safe) way to reissue certificates for my VPN server on a RT-AC86U, on Merlin 386.5_2, with a more secure signature? After I upgraded from Ubuntu 20.04 to 22.04 I have an OpenSSL error saying that my certificate is too weak and I am not able to connect to my VPN server from the CLI or the GNOME app.

Thanks in advance.
 
There was a regression introduced w/ Merlin 386.1, where the certificates were issued using SHA1 for signing, when it should have been SHA256. It would cause these types of warning messages. But AFAIK, this was corrected by 386.4 and beyond.

However, what happened to some ppl is as they upgraded to 386.4 and beyond, they reused the old certificates rather than let the newer firmware generate new certificates based on SHA256. It wasn't a problem until newer software on other platforms updated as well and finally started rejecting SHA1.

The way to correct it, of course, is to let the router regenerate your certs.

You can verify the signing of your server certificates on the router w/ the following commands.

Code:
openssl x509 -noout -text -in /jffs/openvpn/vpn_crt_server1_ca
openssl x509 -noout -text -in /jffs/openvpn/vpn_crt_server1_crt
openssl x509 -noout -text -in /jffs/openvpn/vpn_crt_server1_client_crt
openssl x509 -noout -text -in /jffs/openvpn/vpn_crt_server2_ca
openssl x509 -noout -text -in /jffs/openvpn/vpn_crt_server2_crt
openssl x509 -noout -text -in /jffs/openvpn/vpn_crt_server2_client_crt

If all else fails, you can always manage and generate your own certs, keys, etc., using EasyRSA, then configure them as you please. In fact, some ppl do for other reasons (e.g., to get around the fact the router only generates *one* client certificate to be shared by all users).
 
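The commands above dump the whole certificate; the line that matters for this problem is "Signature Algorithm:", and the two relevant values are sha1WithRSAEncryption (rejected by OpenSSL 3.0 at its default security level, which is what Ubuntu 22.04 ships) and sha256WithRSAEncryption (what 386.4 and later generate). The script below is an added example, not code from the thread or from Asuswrt-Merlin: it runs the same `openssl x509 -noout -text` command on the six /jffs/openvpn paths named above, parses the text output, and flags any certificate whose signature digest is MD5 or SHA-1. The two embedded certificate dumps are constructed samples so the parser can be exercised off the router.

```python
"""Flag OpenVPN server/client certs on Asuswrt-Merlin that are still SHA-1 signed.

Added example. Runs `openssl x509 -noout -text -in <file>` on each cert path the
thread mentions and checks the "Signature Algorithm:" line.
"""
import re
import subprocess
from dataclasses import dataclass

# Certificate files for the two built-in OpenVPN servers (paths from the thread).
ROUTER_CERTS = [
    "/jffs/openvpn/vpn_crt_server1_ca",
    "/jffs/openvpn/vpn_crt_server1_crt",
    "/jffs/openvpn/vpn_crt_server1_client_crt",
    "/jffs/openvpn/vpn_crt_server2_ca",
    "/jffs/openvpn/vpn_crt_server2_crt",
    "/jffs/openvpn/vpn_crt_server2_client_crt",
]

# Digests that OpenSSL 3.0 refuses in certificate signatures at security level >= 1.
# The lookahead stops "sha1" from matching the "sha" prefix of sha256/sha384/sha512.
WEAK_DIGEST = re.compile(r"(md2|md4|md5|sha1)(?![0-9])", re.IGNORECASE)


@dataclass
class CertInfo:
    subject: str
    issuer: str
    not_after: str
    signature_algorithm: str

    def is_weak(self) -> bool:
        """True when the cert was signed with an MD5 or SHA-1 based algorithm."""
        return WEAK_DIGEST.search(self.signature_algorithm) is not None


def parse_openssl_text(text: str) -> CertInfo:
    """Pull the fields we care about out of `openssl x509 -text` output.

    Works with both the 1.1 ("CN=foo") and 3.0 ("CN = foo") name formats.
    The first "Signature Algorithm:" line is the one inside the TBS data.
    """
    def grab(pattern: str) -> str:
        m = re.search(pattern, text, re.MULTILINE)
        return m.group(1).strip() if m else ""

    return CertInfo(
        subject=grab(r"^\s*Subject:\s*(.+)$"),
        issuer=grab(r"^\s*Issuer:\s*(.+)$"),
        not_after=grab(r"^\s*Not After\s*:\s*(.+)$"),
        signature_algorithm=grab(r"^\s*Signature Algorithm:\s*(\S+)"),
    )


def assess(path: str, text: str) -> str:
    """One-line verdict for a certificate dump, prefixed WEAK or OK."""
    info = parse_openssl_text(text)
    verdict = "WEAK" if info.is_weak() else "OK"
    return (f"{verdict}: {path} signed with {info.signature_algorithm or 'unknown'} "
            f"(subject {info.subject!r}, expires {info.not_after})")


def read_cert_text(path: str) -> str:
    """Same command the thread gives, captured instead of printed."""
    result = subprocess.run(
        ["openssl", "x509", "-noout", "-text", "-in", path],
        capture_output=True, text=True, check=True,
    )
    return result.stdout


# Constructed sample dumps (not real router output): one SHA-1, one SHA-256.
SAMPLE_SHA1 = """Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN = RT-AC86U
        Validity
            Not Before: Mar  1 10:00:00 2021 GMT
            Not After : Feb 27 10:00:00 2031 GMT
        Subject: CN = server
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
    Signature Algorithm: sha1WithRSAEncryption
"""

SAMPLE_SHA256 = SAMPLE_SHA1.replace("sha1WithRSAEncryption", "sha256WithRSAEncryption")


if __name__ == "__main__":
    # On the router: report each cert; a missing file just means that server is unused.
    for cert_path in ROUTER_CERTS:
        try:
            print(assess(cert_path, read_cert_text(cert_path)))
        except (FileNotFoundError, subprocess.CalledProcessError) as exc:
            print(f"SKIP: {cert_path} ({exc})")
```

Run it on the router (python3 from Entware, or copy the files off and run it elsewhere): any WEAK line means that certificate predates the SHA-256 fix and should be regenerated rather than reused, which is the situation the next posts deal with.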
Thanks for the detailed reply, it was really informative. I was wondering how I can force the router to regenerate new certificates in order to use SHA256 without having to install EasyRSA. Should I remove the current certificates?
 
I assume if you reset the OpenVPN server to defaults (see option at the bottom of that page), reconfigure, and delete any relevant files in /jffs/openvpn, it will force the router to regenerate.

P.S. I just tried it myself; it seems it deletes the old certs and keys for you, and you even get a warning message.
 
Amazing. Thank you. I will inform the results after I implement the changes.
 
Everything went just like you said. Thanks for your guidance.
 
