From 1bd21d8e468ed047dbfd40b1183c60071f0edbac Mon Sep 17 00:00:00 2001 From: Matteo Di Lorenzi Date: Tue, 10 Feb 2026 09:11:44 +0100 Subject: [PATCH 1/4] feat(certificates): add management instructions for certificate expiration in OpenVPN documentation --- openvpn_roadwarrior.rst | 99 +++++++++++++++++++++++++++++++++++++ openvpn_tunnels.rst | 106 +++++++++++++++++++++++++++++++++++++++- 2 files changed, 204 insertions(+), 1 deletion(-) diff --git a/openvpn_roadwarrior.rst b/openvpn_roadwarrior.rst index c941ab13..e491afc8 100644 --- a/openvpn_roadwarrior.rst +++ b/openvpn_roadwarrior.rst 
@@ -172,6 +172,105 @@ All major platforms are supported. Here are some references to download the nece * iOS Systems: `OpenVPN Connect on App Store `_ +Managing certificate expiration +-------------------------------- + +An OpenVPN Road Warrior instance uses TLS certificates for authentication. To avoid connectivity issues, it is crucial to monitor the expiration dates of the certificates used across the entire infrastructure. + +When a new OpenVPN Road Warrior server is created, the system generates a new ``PKI (Public Key Infrastructure)``, which is composed of: + +* a **CA** (**Certificate Authority**) certificate +* a **server** certificate + +Client certificates are generated for each user in the database selected during the server setup. + +Each of these elements (client, server, and CA) has its own certificate with a specific expiration date, and all of them must be valid to avoid connectivity issues. + +You can check the expiration date of each certificate in the **OpenVPN Road Warrior** section. Here you can find the expiration dates of the CA and server certificates (which belong to the OpenVPN instance) and the expiration date of each client certificate (which belongs to the user accounts created for that instance) in the dedicated table below. +An alert icon is shown if the certificate will expire in less than 30 days. + +By default, all certificates are generated with a validity of 3650 days (10 years). + +A connection between the OpenVPN Road Warrior server and its clients will be interrupted when at least one certificate expires, so it is important to monitor expiration dates and renew certificates before they expire. 
+In particular, these are the possible scenarios: + +* the CA certificate has expired +* the server certificate has expired +* the client certificate has expired + +To check whether your OpenVPN Road Warrior connection is disconnected due to certificate expiration, you can inspect your client logs and search for OpenVPN-related messages. + +Example (Ubuntu client): + +.. code-block:: bash + + cat /var/log/syslog | grep 'VERIFY ERROR:' + +If the search returns messages like the following: + +.. code-block:: bash + + Feb 9 13:02:07 NethSec openvpn(ns_ctunnel_1)[8031]: VERIFY ERROR: depth=1, error=certificate has expired: CN=NethSec, serial={serial_number} + Feb 9 13:02:07 NethSec openvpn(ns_ctunnel_1)[8031]: VERIFY ERROR: depth=0, error=certificate has expired: CN=server, serial={serial_number} + +it means that the connection is not working due to certificate expiration. The issue may be related to the CA certificate (``depth=1``), the server certificate (``depth=0``), or both. + +You can check the validity of the client, server, and CA certificates using the following commands on the server firewall terminal: + +.. code-block:: bash + + # client + openssl x509 -in /etc/openvpn/{vpn-instance}/pki/issued/{username}.crt -text -noout | grep 'Not After' + # server + openssl x509 -in /etc/openvpn/{vpn-instance}/pki/issued/server.crt -text -noout | grep 'Not After' + # CA + openssl x509 -in /etc/openvpn/{vpn-instance}/pki/ca.crt -noout -dates -subject -issuer -serial + +The ``{vpn-instance}`` placeholder must be replaced with the name of your OpenVPN instance (e.g. ``ns_roadwarrior1``). + +Below are the steps to renew certificates in each scenario and restore the connection. + + +Client certificate expired +^^^^^^^^^^^^^^^^^^^^^^^^^^ +In this scenario, the client certificate must be regenerated using the :guilabel:`Regenerate certificate` option on the server side (as mentioned above). 
Then, the new client configuration/certificate must be downloaded and imported on the client side. + + +Server certificate expired +^^^^^^^^^^^^^^^^^^^^^^^^^^ +In this scenario, the server certificate must be renewed on the server side. + +1. Access the server firewall terminal and execute the following commands: + +.. code-block:: bash + + EASYRSA_BATCH=1 EASYRSA_PKI=/etc/openvpn/{vpn-instance}/pki easyrsa revoke server + EASYRSA_BATCH=1 EASYRSA_PKI=/etc/openvpn/{vpn-instance}/pki EASYRSA_CERT_EXPIRE=3650 easyrsa build-server-full server nopass + /etc/init.d/openvpn restart + +These operations will revoke the existing server certificate, create a new one without affecting the CA certificate, and then restart the *openvpn* service to apply the changes. +In this scenario, if the client certificates are still valid, you can continue using the existing client configuration. + + +CA certificate expired +^^^^^^^^^^^^^^^^^^^^^^ +In this scenario, certificate regeneration is not possible because the CA certificate is the one that signs both the server and client certificates. Therefore, a completely new PKI must be generated. +To generate a new PKI, proceed as follows: + +1. Access the server firewall terminal. +2. Execute the following commands: + +.. code-block:: bash + + ns-openvpn-renew-ca {vpn-instance} + service openvpn restart + +These commands will generate a new CA certificate, as well as new server and client certificates signed by the new CA. +In this scenario, it is **mandatory** to download and import the new client configuration on the client side to restore the connection, so make sure to do it as soon as possible to minimize downtime. + +.. warning:: When the CA certificate has expired, the only way to restore the connection is to generate a new PKI and import the new client configuration on the client side. 
If the client and server certificates are still valid (for example, you regenerated the client certificate using the :guilabel:`Regenerate certificate` option and renewed the server certificate using the commands above) but the CA certificate has expired, the connection will not be restored until a new CA certificate is generated and the new client configuration is imported on the client side. Therefore, if your client can no longer connect to the server due to certificate expiration, make sure to check which certificate has expired and follow the correct procedure to restore the connection. + + MTU Issue and Packet Fragmentation ---------------------------------- diff --git a/openvpn_tunnels.rst b/openvpn_tunnels.rst index 5dcaefaf..f209aad6 100644 --- a/openvpn_tunnels.rst +++ b/openvpn_tunnels.rst 
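Review bot: the restart in the "Server certificate expired" steps, ``/etc/init.d/openvpn restart``, restarts every OpenVPN instance on the firewall, so renewing one Road Warrior server's certificate also drops all other Road Warrior sessions and tunnels; the existing MTU section of openvpn_tunnels.rst already restarts a single instance with ``/etc/init.d/openvpn restart ns_...``, so use the instance-qualified form ``/etc/init.d/openvpn restart {vpn-instance}`` here, and use that same command in the "CA certificate expired" steps instead of ``service openvpn restart`` so the two procedures do not differ without reason. Two smaller points in the same hunk: the "Example (Ubuntu client)" log lines carry the hostname ``NethSec`` and the instance ``ns_ctunnel_1``, which is a tunnel client running on a firewall rather than a Road Warrior client on Ubuntu, so either relabel the example or show lines captured from an actual Road Warrior client; and the ``EASYRSA_CERT_EXPIRE=3650`` step will issue a server certificate whose validity can extend past the CA's expiry, so a one-line reminder next to the command that the renewed server certificate is still useless once the CA expires (the warning at the end says this only for the case where the reader has already been bitten) would save a second round of troubleshooting. Also, "1. Access the server firewall terminal and execute the following commands:" is a one-item numbered list; the CA section uses two items, so either split this one the same way or make it a plain sentence.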
@@ -81,4 +81,108 @@ Add the following option to the Roadwarrior server configuration:: uci commit openvpn.ns_ /etc/init.d/openvpn restart ns_ -The `tun_mtu` value may need to be adjusted based on your specific network environment. A lower MTU ensures that packets fit within the limits of the OpenVPN tunnel without fragmentation. Depending on factors like network latency or overhead, you might find that slightly different values work better for your setup. \ No newline at end of file +The `tun_mtu` value may need to be adjusted based on your specific network environment. A lower MTU ensures that packets fit within the limits of the OpenVPN tunnel without fragmentation. Depending on factors like network latency or overhead, you might find that slightly different values work better for your setup. + + +Managing certificate expiration +-------------------------------- + +OpenVPN tunnels use TLS certificates for authentication. To avoid connectivity issues, it is crucial to monitor the expiration dates of the certificates used by your OpenVPN tunnels. + +When a new OpenVPN tunnel is created, the system generates a new ``PKI (Public Key Infrastructure)``, which is composed of: + +* a **CA** (**Certificate Authority**) certificate +* a **server** certificate +* a **client** certificate + +Each of these elements has its own certificate with a specific expiration date, and all of them must be valid to avoid connectivity issues. + +All information about certificate expiration dates can be found in the **OpenVPN Tunnels** table, where a magnifying-glass icon is shown for each tunnel. Clicking it opens a modal with all the details about the tunnel configuration, including the certificates and their expiration dates. + +On the **server** tunnel, the modal shows certificate information for the **CA**, **server**, and **client** certificates. +On the **client** side, it shows only the **CA** and **client** certificates. 
+ +In the tunnel table, an alert icon is shown when at least one of these certificates will expire in less than 30 days. By opening the tunnel details modal, you can see which certificate is expiring and its expiration date. + +By default, all certificates are generated with a validity of 3650 days (10 years). + +A connection between the two firewalls will be interrupted when at least one certificate expires, so it is important to monitor expiration dates and renew certificates before they expire. +In particular, these are the possible scenarios: + +* the CA certificate has expired +* the server certificate has expired +* the client certificate has expired + +To check whether your OpenVPN tunnel is disconnected due to certificate expiration, you can inspect the firewall logs and search for OpenVPN-related messages: + +.. code-block:: bash + + cat /var/log/messages | grep 'VERIFY ERROR:' + +If the search returns messages like the following: + +.. code-block:: bash + + Feb 9 13:02:07 NethSec openvpn(ns_ctunnel_1)[8031]: VERIFY ERROR: depth=1, error=certificate has expired: CN=NethSec, serial={serial_number} + Feb 9 13:02:07 NethSec openvpn(ns_ctunnel_1)[8031]: VERIFY ERROR: depth=0, error=certificate has expired: CN=server, serial={serial_number} + +it means that the connection is not working due to certificate expiration. The issue may be related to the CA certificate (``depth=1``), the server certificate (``depth=0``), or both. + +You can check the validity of the CA and server certificates using the following commands on the server firewall terminal: + +.. 
code-block:: bash + + # client + openssl x509 -in /etc/openvpn/{vpn-instance}/pki/issued/client.crt -text -noout | grep 'Not After' + # server + openssl x509 -in /etc/openvpn/{vpn-instance}/pki/issued/server.crt -text -noout | grep 'Not After' + # CA + openssl x509 -in /etc/openvpn/{vpn-instance}/pki/ca.crt -noout -dates -subject -issuer -serial + +The *{vpn-instance}* placeholder must be replaced with the name of your OpenVPN instance (e.g. ``ns_roadwarrior1``). + +Below are the steps to renew certificates in each scenario and restore the connection. + + +Client certificate expired +^^^^^^^^^^^^^^^^^^^^^^^^^^ +In this scenario, the client certificate must be renewed on the server side and then downloaded and imported again on the client side. + +1. Access the server firewall and navigate to the **OpenVPN tunnels** section. +2. Click the :guilabel:`︙` menu on the right of the tunnel and select :guilabel:`Regenerate certificates`. +3. Download the new client certificate and import it on the client side. + +These operations will create new server and client certificates without affecting the CA certificate (which is assumed to be still valid in this case). +In this scenario, using the new client certificate on the client firewall is **mandatory** to restore the connection, so make sure to download and import it on the client side as soon as possible to minimize downtime. + + +Server certificate expired +^^^^^^^^^^^^^^^^^^^^^^^^^^ +In this scenario, the server certificate must be renewed on the server side. + +1. Access the server firewall and navigate to the **OpenVPN tunnels** section. +2. Click the :guilabel:`︙` menu on the right of the tunnel and select :guilabel:`Regenerate certificates`. + +These operations will create new server and client certificates without affecting the CA certificate (which is assumed to be still valid in this case). 
+In this scenario, if the client certificate is still valid, the connection will be restored automatically after the OpenVPN service is restarted (this restart is performed automatically). You can continue using the existing client certificate and download/import the newly generated one later. The new client certificate will expire on the same day as the new server certificate. + + +CA certificate expired +^^^^^^^^^^^^^^^^^^^^^^ +In this scenario, certificate regeneration is not possible because the CA certificate is the one that signs both the server and client certificates. Therefore, a completely new PKI must be generated. +To generate a new PKI, proceed as follows: + +1. Access the server firewall terminal. +2. Execute the following commands: + +.. code-block:: bash + + ns-openvpn-renew-ca {vpn-instance} + service openvpn restart + +These commands will generate a new CA certificate, as well as new server and client certificates signed by the new CA. +Also in this scenario, it is **mandatory** to download and import the new client certificate on the client side to restore the connection, so make sure to do it as soon as possible to minimize downtime. +The new certificates (**CA**, **server**, and **client**) will expire on the same day. + + +.. warning:: When the CA certificate has expired, the only way to restore the connection is to generate a new PKI and import the new client certificate on the client side. If the client and server certificates are valid (for example, you regenerated them using the :guilabel:`Regenerate certificates` option) but the CA certificate has expired, the connection will not be restored until a new CA certificate is generated and the new client certificate is imported on the client side. Therefore, if you see that your connection is not working due to certificate expiration, make sure to check which certificate has expired and follow the correct procedure to restore the connection. \ No newline at end of file 
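Review bot: in the "Server certificate expired" scenario the text says :guilabel:`Regenerate certificates` creates new server and client certificates and that the existing client certificate can keep being used; if that is accurate, the server keeps trusting the previous client key alongside the new one until it expires, which is worth stating explicitly so an operator who rotated because of a suspected key leak knows the old key is still accepted, and if the old client certificate is in fact revoked by the regeneration, the "continue using the existing client certificate" sentence is wrong. Smaller points: the sentence introducing the ``openssl`` block says it checks "the CA and server certificates" but the block also checks ``issued/client.crt``; the placeholder example ``ns_roadwarrior1`` is a Road Warrior instance name on the tunnels page while the sample log line uses ``ns_ctunnel_1``, so pick a tunnel instance name; ``cat /var/log/messages | grep 'VERIFY ERROR:'`` can simply be ``grep 'VERIFY ERROR:' /var/log/messages``; and the file ends with ``\ No newline at end of file`` both before and after the patch, which this change could fix since it already rewrites the last line.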
From 3fbff6c917669888861129974385e50d242c72dd Mon Sep 17 00:00:00 2001 From: Matteo Di Lorenzi Date: Tue, 10 Feb 2026 12:55:54 +0100 Subject: [PATCH 2/4] feat(certificates): refactor OpenVPN certificate expiration management to avoid duplication --- openvpn_roadwarrior.rst | 13 ++++--- openvpn_tunnels.rst | 79 +++++++---------------------------------- 2 files changed, 20 insertions(+), 72 deletions(-) diff --git a/openvpn_roadwarrior.rst b/openvpn_roadwarrior.rst index e491afc8..e3950bd1 100644 --- a/openvpn_roadwarrior.rst +++ b/openvpn_roadwarrior.rst @@ -172,6 +172,8 @@ All major platforms are supported. Here are some references to download the nece * iOS Systems: `OpenVPN Connect on App Store `_ +.. _managing-openvpn-certificate-expiration: + Managing certificate expiration -------------------------------- @@ -182,7 +184,7 @@ When a new OpenVPN Road Warrior server is created, the system generates a new `` * a **CA** (**Certificate Authority**) certificate * a **server** certificate -Client certificates are generated for each user in the database selected during the server setup. +Client certificates are generated for each user in the database selected during the server setup or when a user is added later. Each of these elements (client, server, and CA) has its own certificate with a specific expiration date, and all of them must be valid to avoid connectivity issues. 
@@ -204,18 +206,18 @@ Example (Ubuntu client): .. code-block:: bash - cat /var/log/syslog | grep 'VERIFY ERROR:' + grep 'VERIFY ERROR:' /var/log/messages -If the search returns messages like the following: +The search returns messages like the following: .. code-block:: bash Feb 9 13:02:07 NethSec openvpn(ns_ctunnel_1)[8031]: VERIFY ERROR: depth=1, error=certificate has expired: CN=NethSec, serial={serial_number} Feb 9 13:02:07 NethSec openvpn(ns_ctunnel_1)[8031]: VERIFY ERROR: depth=0, error=certificate has expired: CN=server, serial={serial_number} -it means that the connection is not working due to certificate expiration. The issue may be related to the CA certificate (``depth=1``), the server certificate (``depth=0``), or both. +Those lines mean that the connection is not working due to certificate expiration. The issue may be related to the CA certificate (``depth=1``), the server certificate (``depth=0``), or both. -You can check the validity of the client, server, and CA certificates using the following commands on the server firewall terminal: +You can check the validity of the clients, server, and CA certificates using the following commands on the server firewall terminal: .. code-block:: bash @@ -251,6 +253,7 @@ In this scenario, the server certificate must be renewed on the server side. These operations will revoke the existing server certificate, create a new one without affecting the CA certificate, and then restart the *openvpn* service to apply the changes. In this scenario, if the client certificates are still valid, you can continue using the existing client configuration. +.. _managing-openvpn-certificate-expiration-CA: CA certificate expired ^^^^^^^^^^^^^^^^^^^^^^ diff --git a/openvpn_tunnels.rst b/openvpn_tunnels.rst index f209aad6..d6e3b4fc 100644 --- a/openvpn_tunnels.rst +++ b/openvpn_tunnels.rst 
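Review bot: the log command is changed to ``grep 'VERIFY ERROR:' /var/log/messages`` but the context line above the block still reads "Example (Ubuntu client)"; Ubuntu does not ship ``/var/log/messages`` (it logs to ``/var/log/syslog`` and the journal), and ``/var/log/messages`` is the path on the NethSecurity firewall, so either keep ``/var/log/syslog`` for the Ubuntu example or retitle the example as a check run on the firewall (the sample lines with ``ns_ctunnel_1`` come from a firewall anyway). Replacing "If the search returns messages like the following" with "The search returns messages like the following" also loses the conditional: when the certificates are fine the grep returns nothing, so the original phrasing was the accurate one. Minor: "the clients, server, and CA certificates" should be "the client, server, and CA certificates", and the new label ``managing-openvpn-certificate-expiration-CA`` mixes case with the all-lowercase label added in the previous hunk; ``-ca`` would match.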
@@ -87,63 +87,27 @@ The `tun_mtu` value may need to be adjusted based on your specific network envir Managing certificate expiration -------------------------------- -OpenVPN tunnels use TLS certificates for authentication. To avoid connectivity issues, it is crucial to monitor the expiration dates of the certificates used by your OpenVPN tunnels. +As mentioned in the :ref:`managing-openvpn-certificate-expiration` section, OpenVPN tunnels are also based on certificates, and it is crucial to monitor their expiration dates to avoid connectivity issues. -When a new OpenVPN tunnel is created, the system generates a new ``PKI (Public Key Infrastructure)``, which is composed of: - -* a **CA** (**Certificate Authority**) certificate -* a **server** certificate -* a **client** certificate - -Each of these elements has its own certificate with a specific expiration date, and all of them must be valid to avoid connectivity issues. +When a new OpenVPN tunnel is created, the system generates a new ``PKI (Public Key Infrastructure)``, which is composed of the **CA**, **server**, and a **single client certificate** (unlike Road Warrior connections, which have one certificate per user). All information about certificate expiration dates can be found in the **OpenVPN Tunnels** table, where a magnifying-glass icon is shown for each tunnel. Clicking it opens a modal with all the details about the tunnel configuration, including the certificates and their expiration dates. -On the **server** tunnel, the modal shows certificate information for the **CA**, **server**, and **client** certificates. -On the **client** side, it shows only the **CA** and **client** certificates. +On the **server side**, the modal shows certificate information for the CA, server, and client certificates. +On the **client side**, it shows only the CA and client certificates. In the tunnel table, an alert icon is shown when at least one of these certificates will expire in less than 30 days. 
By opening the tunnel details modal, you can see which certificate is expiring and its expiration date. By default, all certificates are generated with a validity of 3650 days (10 years). -A connection between the two firewalls will be interrupted when at least one certificate expires, so it is important to monitor expiration dates and renew certificates before they expire. -In particular, these are the possible scenarios: - -* the CA certificate has expired -* the server certificate has expired -* the client certificate has expired - -To check whether your OpenVPN tunnel is disconnected due to certificate expiration, you can inspect the firewall logs and search for OpenVPN-related messages: - -.. code-block:: bash - - cat /var/log/messages | grep 'VERIFY ERROR:' - -If the search returns messages like the following: - -.. code-block:: bash - - Feb 9 13:02:07 NethSec openvpn(ns_ctunnel_1)[8031]: VERIFY ERROR: depth=1, error=certificate has expired: CN=NethSec, serial={serial_number} - Feb 9 13:02:07 NethSec openvpn(ns_ctunnel_1)[8031]: VERIFY ERROR: depth=0, error=certificate has expired: CN=server, serial={serial_number} - -it means that the connection is not working due to certificate expiration. The issue may be related to the CA certificate (``depth=1``), the server certificate (``depth=0``), or both. - -You can check the validity of the CA and server certificates using the following commands on the server firewall terminal: - -.. code-block:: bash +A connection between the two firewalls will be interrupted when at least one certificate expires, according to the three possible scenarios described in the OpenVPN Road Warrior section. 
- # client - openssl x509 -in /etc/openvpn/{vpn-instance}/pki/issued/client.crt -text -noout | grep 'Not After' - # server - openssl x509 -in /etc/openvpn/{vpn-instance}/pki/issued/server.crt -text -noout | grep 'Not After' - # CA - openssl x509 -in /etc/openvpn/{vpn-instance}/pki/ca.crt -noout -dates -subject -issuer -serial +To check whether your OpenVPN tunnel is disconnected due to certificate expiration, you can inspect the **firewall logs** and search for OpenVPN-related messages, located in the ``/var/log/messages`` file. -The *{vpn-instance}* placeholder must be replaced with the name of your OpenVPN instance (e.g. ``ns_roadwarrior1``). +To check the validity of the certificates, you can use the same ``openssl`` commands as for Road Warrior connections, with the difference that there is only one client certificate, called **client.crt**. Below are the steps to renew certificates in each scenario and restore the connection. - Client certificate expired ^^^^^^^^^^^^^^^^^^^^^^^^^^ In this scenario, the client certificate must be renewed on the server side and then downloaded and imported again on the client side. 
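Review bot: "according to the three possible scenarios described in the OpenVPN Road Warrior section" is a plain-text pointer while the opening paragraph of the same section uses :ref:`managing-openvpn-certificate-expiration` for the same target; make it a ``:ref:`` too (and likewise "the same ``openssl`` commands as for Road Warrior connections") so the cross-references survive a heading rename. One content point: this hunk removes the ``VERIFY ERROR`` sample and the ``openssl`` block from the tunnels page and tells the reader that the only difference is the single ``client.crt``; on the client side of a tunnel there is no ``issued/server.crt`` (the modal description above says the client side shows only the CA and client certificates), so add "on the server firewall" to the ``openssl`` sentence, as the removed block did, or the reader will run the server check on the wrong firewall.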
@@ -158,31 +122,12 @@ In this scenario, using the new client certificate on the client firewall is **m Server certificate expired ^^^^^^^^^^^^^^^^^^^^^^^^^^ -In this scenario, the server certificate must be renewed on the server side. - -1. Access the server firewall and navigate to the **OpenVPN tunnels** section. -2. Click the :guilabel:`︙` menu on the right of the tunnel and select :guilabel:`Regenerate certificates`. - -These operations will create new server and client certificates without affecting the CA certificate (which is assumed to be still valid in this case). -In this scenario, if the client certificate is still valid, the connection will be restored automatically after the OpenVPN service is restarted (this restart is performed automatically). You can continue using the existing client certificate and download/import the newly generated one later. The new client certificate will expire on the same day as the new server certificate. - +In this scenario, the server certificate must be renewed on the server side. +Use the same :guilabel:`Regenerate certificates` action described in the previous scenario. action described in the previous scenario. However, if the client certificate is still valid, the connection will be restored automatically after the OpenVPN service is restarted (the restart is performed automatically). You can continue using the existing client certificate and download/import the newly generated one later. The new client certificate will expire on the same day as the new server certificate. CA certificate expired ^^^^^^^^^^^^^^^^^^^^^^ -In this scenario, certificate regeneration is not possible because the CA certificate is the one that signs both the server and client certificates. Therefore, a completely new PKI must be generated. -To generate a new PKI, proceed as follows: - -1. Access the server firewall terminal. -2. Execute the following commands: - -.. 
code-block:: bash - - ns-openvpn-renew-ca {vpn-instance} - service openvpn restart - -These commands will generate a new CA certificate, as well as new server and client certificates signed by the new CA. -Also in this scenario, it is **mandatory** to download and import the new client certificate on the client side to restore the connection, so make sure to do it as soon as possible to minimize downtime. -The new certificates (**CA**, **server**, and **client**) will expire on the same day. - +In this scenario, you've to proceed with the generation of a completely new PKI. Follow the steps described on the :ref:`managing-openvpn-certificate-expiration-CA` section. +In this scenario, you will have to download and import the new client certificate on the client side to restore the connection. -.. warning:: When the CA certificate has expired, the only way to restore the connection is to generate a new PKI and import the new client certificate on the client side. If the client and server certificates are valid (for example, you regenerated them using the :guilabel:`Regenerate certificates` option) but the CA certificate has expired, the connection will not be restored until a new CA certificate is generated and the new client certificate is imported on the client side. Therefore, if you see that your connection is not working due to certificate expiration, make sure to check which certificate has expired and follow the correct procedure to restore the connection. \ No newline at end of file +All considerations remain the same as for Road Warrior connections. If the expired certificate is the CA certificate, you have to generate a completely new PKI, while if the expired certificate is the server or client certificate, you can regenerate it using the dedicated action. \ No newline at end of file From 9b1ee9ea233c748658a9dcdec0a09265221cf9ca Mon Sep 17 00:00:00 2001 
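Review bot: the new "Server certificate expired" paragraph contains a copy-paste duplication, "Use the same :guilabel:`Regenerate certificates` action described in the previous scenario. action described in the previous scenario."; drop the repeated fragment. In the "CA certificate expired" paragraph, "you've to proceed" should be "you have to proceed" and "described on the :ref:`...` section" should be "described in". The ``:ref:`` target ``managing-openvpn-certificate-expiration-CA`` leads to the Road Warrior steps, which end with "download and import the new client configuration"; for a tunnel the artefact is the client certificate downloaded from the tunnel table, which the following sentence does say, so consider wording it as "then download the new client certificate from the tunnel table and import it on the client firewall" so the two pages do not appear to disagree on what is downloaded. The file still ends with ``\ No newline at end of file``.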
From: Matteo Di Lorenzi Date: Tue, 10 Feb 2026 14:20:27 +0100 Subject: [PATCH 3/4] fix(certificates): update wording for certificate validity to clarify connection requirements --- openvpn_roadwarrior.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openvpn_roadwarrior.rst b/openvpn_roadwarrior.rst index e3950bd1..4249f038 100644 --- a/openvpn_roadwarrior.rst +++ b/openvpn_roadwarrior.rst @@ -186,7 +186,7 @@ When a new OpenVPN Road Warrior server is created, the system generates a new `` Client certificates are generated for each user in the database selected during the server setup or when a user is added later. -Each of these elements (client, server, and CA) has its own certificate with a specific expiration date, and all of them must be valid to avoid connectivity issues. +Each of these elements (client, server, and CA) has its own certificate with a specific expiration date, and all of them must be valid to allow connection. You can check the expiration date of each certificate in the **OpenVPN Road Warrior** section. Here you can find the expiration dates of the CA and server certificates (which belong to the OpenVPN instance) and the expiration date of each client certificate (which belongs to the user accounts created for that instance) in the dedicated table below. An alert icon is shown if the certificate will expire in less than 30 days. From aacfa978286fb4687e9efd6efa92d0e912fe9568 Mon Sep 17 00:00:00 2001 From: Matteo Di Lorenzi Date: Tue, 10 Feb 2026 15:26:05 +0100 Subject: [PATCH 4/4] fix(certificates): update wording for CA expired section in OpenVPN Tunnels --- openvpn_tunnels.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/openvpn_tunnels.rst b/openvpn_tunnels.rst index d6e3b4fc..b457f300 100644 --- a/openvpn_tunnels.rst +++ b/openvpn_tunnels.rst 
@@ -128,6 +128,6 @@ Use the same :guilabel:`Regenerate certificates` action described in the previou CA certificate expired ^^^^^^^^^^^^^^^^^^^^^^ In this scenario, you've to proceed with the generation of a completely new PKI. Follow the steps described on the :ref:`managing-openvpn-certificate-expiration-CA` section. -In this scenario, you will have to download and import the new client certificate on the client side to restore the connection. +Then, you will have to download and import the new client certificate on the client side to restore the connection. -All considerations remain the same as for Road Warrior connections. If the expired certificate is the CA certificate, you have to generate a completely new PKI, while if the expired certificate is the server or client certificate, you can regenerate it using the dedicated action. \ No newline at end of file +All considerations remain the same as for Road Warrior connections. If the expired certificate is the CA certificate, you have to generate a completely new PKI, while if the expired certificate is the server or client one, you can regenerate it using the dedicated action. \ No newline at end of file
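Review bot: the first sentence of the "CA certificate expired" paragraph, which this hunk leaves as context, still reads "you've to proceed with the generation of a completely new PKI. Follow the steps described on the :ref:`...` section"; since the hunk touches the adjacent lines, fix it in the same change, for example "you have to generate a completely new PKI; follow the steps described in the :ref:`managing-openvpn-certificate-expiration-CA` section". The trailing-newline warning (``\ No newline at end of file``) is present on both sides of this hunk as well, and editing the last line of the file is the natural moment to add the newline.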