You can renew and re-import a Client VPN server certificate that has expired. The procedure varies depending on the version of OpenVPN easy-rsa that you're using. See Easy-RSA 3 Certificate Renewal and Revocation Documentation.

To renew your server certificate

- Do one of the following:
  - Easy-RSA version 3.1.x
    - Run the certificate renew command.
      $ ./easyrsa renew server nopass
  - Easy-RSA version 3.2.x
    - Run the expire command.
      $ ./easyrsa expire server
    - Sign a new certificate.
      $ ./easyrsa --san=DNS:server sign-req server server
- Create a custom folder, copy the new files to it, then navigate into the folder.
  $ mkdir ~/custom_folder2
  $ cp pki/ca.crt ~/custom_folder2/
  $ cp pki/issued/server.crt ~/custom_folder2/
  $ cp pki/private/server.key ~/custom_folder2/
  $ cd ~/custom_folder2/
- Import the new files to ACM. Be sure to import them in the same Region as the Client VPN endpoint.
  $ aws acm import-certificate \
      --certificate fileb://server.crt \
      --private-key fileb://server.key \
      --certificate-chain fileb://ca.crt \
      --certificate-arn arn:aws:acm:region:123456789012:certificate/12345678-1234-1234-1234-12345678901
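
Before running the import command, it is worth confirming that the three files copied into ~/custom_folder2 form a consistent, freshly renewed bundle. The script below is an added example, not part of the AWS procedure: the function name check_renewed_bundle, its exit codes and the 30-day default are assumptions, and it requires the openssl CLI.

```shell
#!/bin/sh
# Added example (not part of the AWS procedure): sanity-check the renewed
# bundle before "aws acm import-certificate". The function name and the
# 30-day default are assumptions; requires the openssl CLI.
#
# Exit codes: 0 ok, 1 file missing, 2 not signed by ca.crt or not currently
# valid, 3 key/certificate mismatch, 4 too little lifetime left.

check_renewed_bundle() {
  crb_dir=$1
  crb_min_days=${2:-30}

  for crb_f in ca.crt server.crt server.key; do
    [ -s "$crb_dir/$crb_f" ] || { echo "missing: $crb_f" >&2; return 1; }
  done

  # server.crt must chain to the CA that is passed as --certificate-chain.
  openssl verify -CAfile "$crb_dir/ca.crt" "$crb_dir/server.crt" >/dev/null 2>&1 ||
    { echo "server.crt does not verify against ca.crt" >&2; return 2; }

  # server.key must hold the private half of the key in server.crt.
  # "-passin pass:" makes an encrypted key fail here instead of prompting.
  crb_cert_pub=$(openssl x509 -in "$crb_dir/server.crt" -noout -pubkey 2>/dev/null)
  crb_key_pub=$(openssl pkey -in "$crb_dir/server.key" -passin pass: -pubout 2>/dev/null)
  [ -n "$crb_key_pub" ] && [ "$crb_cert_pub" = "$crb_key_pub" ] ||
    { echo "server.key does not match server.crt" >&2; return 3; }

  # A renewed certificate should have plenty of lifetime left; a short
  # remaining lifetime can mean the old file was copied by mistake.
  openssl x509 -in "$crb_dir/server.crt" -noout \
    -checkend $((crb_min_days * 86400)) >/dev/null ||
    { echo "server.crt expires within $crb_min_days days" >&2; return 4; }

  # Show what is about to be imported.
  openssl x509 -in "$crb_dir/server.crt" -noout -subject -enddate
}

# Run the check when a directory is given, e.g.: sh check.sh ~/custom_folder2
if [ "$#" -gt 0 ]; then
  check_renewed_bundle "$@"
fi
```

A non-zero exit code means the bundle should be fixed before it is imported over the existing certificate ARN.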