DigitalOcean

Report this

What is the reason for this report?
Question

openvpn server.crt has expired

Posted on January 25, 2026
VPN
tecnico genny

By tecnico genny

I have a server OPENVPN on Ubuntu 18 installed as your guide and my server.crt is now expired can you help me to renove it…? thanks



This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

Sign In or Sign Up to Answer
These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.
0
Bobby
Bobby
January 27, 2026

Hi there,

First, I would recommend confirming what actually expired, because OpenVPN setups often hit either the server cert or the CRL:

  • Check server cert expiry: openssl x509 -in /etc/openvpn/server.crt -noout -dates

  • Check CRL expiry (if you use crl-verify in the config): openssl crl -in /etc/openvpn/crl.pem -noout -nextupdate

If it is the server certificate, you generally need to issue a new server cert from the same CA. Depending on your Easy-RSA version, that is either a renew command (if supported) or re-issuing a fresh server.crt and server.key, then restarting OpenVPN.

If the CA itself is expired, you are usually looking at reissuing server and client certs.

Check out the DigitalOcean guide for the Ubuntu 18.04 setup: https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-18-04

0
alexdo
alexdo
January 28, 2026

Heya, @tecnicogenny

If you used Easy-RSA on the server, go to your Easy-RSA directory and run:

cd /etc/openvpn/easy-rsa
sudo ./easyrsa renew server

If renew is not available, you can re-create it (still safe if signed by the same CA):

sudo ./easyrsa build-server-full server nopass

Then copy the new certificate and restart OpenVPN:

sudo cp pki/issued/server.crt /etc/openvpn/server.crt
sudo cp pki/private/server.key /etc/openvpn/server.key
sudo systemctl restart openvpn@server

Clients do not need changes as long as the CA is the same.

If you don’t have the CA/Easy-RSA files on this server, tell me and I’ll explain how to regenerate it from the CA machine.

Regards

Become a contributor for community

Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.

Sign Up

DigitalOcean Documentation

Full documentation for every DigitalOcean product.

Learn more

Resources for startups and SMBs

The Wave has everything you need to know about building a business, from raising funding to marketing your product.

Learn more

Get our newsletter

Stay up to date by signing up for DigitalOcean’s Infrastructure as a Newsletter.

New accounts only. By submitting your email you agree to our Privacy Policy

The developer cloud

Scale up as you grow — whether you're running one virtual machine or ten thousand.

Get started for free

Sign up and get $200 in credit for your first 60 days with DigitalOcean.*

*This promotional offer applies to new accounts only.

© 2026 DigitalOcean, LLC.Sitemap.