How can I regenerate the sslvpn-full-default-authority?

Applicable products

SNS appliances

Description

This article describes the procedure for regenerating the sslvpn-full-default-authority.

If you use the default certificates for the SSL VPN feature in "Site mode" or with the OpenVPN client, you MUST download the SSL VPN client configuration again after regenerating the authority.

Procedure


  1. Delete the ~/ConfigFiles/Certificates/sslvpn-full-default-authority folder:
    rm -rf ~/ConfigFiles/Certificates/sslvpn-full-default-authority
  2. Remove the CA index if present:
    sed -i.old '/[0-9]=sslvpn-full-default-authority/d' ~/ConfigFiles/Certificates/pki.conf
  3. [Optional] If your configuration was migrated from an older version, pki.conf may contain a setting that selects SHA-1 as the CA's signature algorithm. This can cause errors with newer OpenVPN client versions, such as "ca md too weak" on the client, and SHA-1 will be deprecated on SNS v5 as well. Fix it with the following commands:
    setconf ~/ConfigFiles/Certificates/pki.conf ca digest sha256
    setconf ~/ConfigFiles/Certificates/pki.conf user_req digest sha256
    setconf ~/ConfigFiles/Certificates/pki.conf server_req digest sha256
  4. Execute the following commands:
    sslinit
    enopenvpn
    nrestart openvpn; nrestart openvpn_udp; nrestart monitord
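The following shell script is an added example, not part of the Stormshield article and not an SNS tool: it is a pre-flight check for steps 2 and 3, run against a copy of pki.conf before touching the appliance. It reports whether the CA index line that step 2 deletes is present, and which of the three sections step 3 edits ([ca], [user_req], [server_req]) still select sha1 as digest. It assumes pki.conf is INI-style ("[section]" headers, "key=value" lines), which is what the `setconf <file> <section> <key> <value>` calls above imply; the sample file it builds is constructed, and `ini_set` is a stand-in for `setconf` on that copy, not the appliance command.

```shell
#!/bin/sh
# Added example (not from the article): inspect a pki.conf copy for the
# conditions that steps 2 and 3 of the procedure address.
# Assumption: INI-style layout, as implied by the setconf calls in the article.

# Write a constructed sample pki.conf that looks like a migrated configuration.
make_sample_pki_conf() {
  cat > "$1" <<'EOF'
[Global]
0=CN=some-other-ca
1=sslvpn-full-default-authority
[ca]
digest=sha1
[user_req]
digest=sha256
[server_req]
digest=sha1
EOF
}

# Print the value of key $3 in section $2 of file $1 (empty if absent).
ini_get() {
  awk -v sec="[$2]" -v key="$3" '
    $0 == sec { insec = 1; next }
    /^\[/     { insec = 0 }
    insec && substr($0, 1, length(key) + 1) == key "=" {
      print substr($0, length(key) + 2); exit
    }
  ' "$1"
}

# Set key $3 in section $2 of file $1 to value $4 (only rewrites an existing key).
# Stand-in for "setconf <file> <section> <key> <value>" on a test copy.
ini_set() {
  awk -v sec="[$2]" -v key="$3" -v val="$4" '
    $0 == sec { insec = 1; print; next }
    /^\[/     { insec = 0 }
    insec && substr($0, 1, length(key) + 1) == key "=" { print key "=" val; next }
    { print }
  ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# List the sections touched by step 3 whose digest is still sha1, one per line.
weak_digest_sections() {
  for s in ca user_req server_req; do
    [ "$(ini_get "$1" "$s" digest)" = "sha1" ] && printf '%s\n' "$s"
  done
  return 0
}

# Succeed if the CA index line removed by step 2 is present (same pattern as
# the article's sed command).
has_default_authority_index() {
  grep -q '[0-9]=sslvpn-full-default-authority' "$1"
}

# Usage: sh check_pki.sh /path/to/pki.conf (runs the sample if no path given)
if [ "${0##*/}" = "check_pki.sh" ]; then
  f="${1:-/tmp/pki.conf.sample}"
  [ -n "$1" ] || make_sample_pki_conf "$f"
  has_default_authority_index "$f" && echo "CA index line present (step 2 applies)"
  weak_digest_sections "$f" | sed 's/^/digest still sha1 in section: /'
fi
```

Run it against a copy of the appliance's pki.conf first; if it lists any section, step 3 is needed before `sslinit`. After step 4, confirm the regenerated CA with `openssl x509 -noout -text` on the new CA certificate in the sslvpn-full-default-authority folder (the file name inside that folder is not given in the article) and check that the Signature Algorithm line reads sha256WithRSAEncryption rather than sha1.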