What's new
By:

Reissue OPENVPN certificates

Luizlp10

Luizlp10

Regular Contributor
Hi. Is there a (safe)way to reissue certificates for my VPN server on a RT-AC86U, on Merlin 386.5_2, with a more secure signature? After I upgraded from Ubuntu 20.04 to 22.04 I have an Openssl error saying that my certificate is too weak and I am not able to connect to my VPN server from CLI or gnome app.

Thanks in advance.
 
There was a regression introduced w/ Merlin 386.1, where the certificates were issued using SHA1 for signing, when it should have been SHA256. It would cause these types of warning messages. But AFAIK, this was corrected by 386.4 and beyond.

However, what happened to some ppl is as they upgraded to 386.4 and beyond, they reused the old certificates rather than let the newer firmware generate new certificates based on SHA256. It wasn't a problem until newer software on other platforms updated as well and finally started rejecting SHA1.

The way to correct it, of course, is to let the router regenerate your certs.

You can verify the signing of your server certificates on the router w/ the following commands.

Code: 
openssl x509 -noout -text -in /jffs/openvpn/vpn_crt_server1_ca
openssl x509 -noout -text -in /jffs/openvpn/vpn_crt_server1_crt
openssl x509 -noout -text -in /jffs/openvpn/vpn_crt_server1_client_crt
openssl x509 -noout -text -in /jffs/openvpn/vpn_crt_server2_ca
openssl x509 -noout -text -in /jffs/openvpn/vpn_crt_server2_crt
openssl x509 -noout -text -in /jffs/openvpn/vpn_crt_server2_client_crt

If all else fails, you can always manage and generate your own certs, keys, etc., using EasyRSA, then configure them as you please. In fact, some ppl do for other reasons (e.g., to get around the fact the router only generates *one* client certificate to be shared by all users).
 
Last edited:
Thanks for the detailed reply, it was really informative. I was wondering how can I force the router to regenerate new certificates in order to use SHA256 without having to install EasyRSA. SHould I remove the cuurent certificates?
 
I assume if you reset the OpenVPN server to defaults (see option at the bottom of that page), reconfigure, and delete any relevant files in /jffs/openvpn, it will force the router to regenerate.

P.S. I just tried it myself, seems it deletes the old certs and keys for you, you even get a warning message.
 
Last edited:
Amazing. Thank you. I will inform the results after I implement the changes.
 
Everything went just like you said. Thanks for your guidance.
 
You must log in or register to reply here.

Similar threads

R
OpenVPN vs Wireguard
Replies
5
Views
3K
Rob1985
R
Harry Azcrac
ASUS Merlin on RT-AC86U OpenVPN Server not blocking IP when a client connects
Replies
2
Views
1K
Harry Azcrac
Harry Azcrac
Z
Sudden VPN client issues with RX-AX82U
Replies
5
Views
767
eibgrad
eibgrad
B
How to migrate RT-AC86U to RT-AX86U-PRO?
2
Replies
33
Views
3K
BosseSwede
B
Netbug
Solved VPN not connecting on new RT-BE92U
Replies
4
Views
2K
Netbug
Netbug
Similar threads
Thread starter Title Forum Replies Date
N Asus OpenVPN tunnel - Server LAN cannot access client Asus Router Gui. ASUS Wi-Fi 3

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 2,422 (members: 25, guests: 2,397)
Back
Top