These steps are typically performed by the OpenVPN Access Server Admin. See Underlying Responsibility Roles for more information.
This section explains how to create a new RSA 2048 or 4096 CA in the OpenVPN Access Server Admin Web UI and the CLI (sacli). These steps are performed by the Access Server Admin.
Admin Responsibility

As an Access Server Admin, you have the necessary permissions to:
  • Access the Admin Web UI (https://<HOSTNAME_OR_IP>:943/admin)
  • Generate and manage certificates stored in CryptoHub
End users do NOT have access to these admin-level functions.

For the CLI method using sacli commands, see: Create an RSA CA in the OpenVPN Access Server

Admin Web UI Method

1. Log in to the OpenVPN Access Server Admin Web UI.
   Example: https://<HOSTNAME_OR_IP>:943/admin
   Port 943 is the default port for the OpenVPN Access Server Admin Web UI.
2. On the left-hand menu, navigate to Certificate Management > VPN Server Certificate Authority.
3. Click on the New CA Certificate button.
4. In the New CA Certificate menu:
  • Enter a Common Name (CN) for the CA.
  • Under Signing algorithm, select either RSA 2048 or RSA 4096.
  • Select [ Add new CA and Restart ].
5. You will see the message “Access Server Restarting” appear.
6. After the Access Server has finished restarting, verify that the newly created CA certificate has Current CA next to it.

Admin CLI Method (sacli)

1. Connect to your Access Server via SSH and get root privileges.

    ssh your-access-server
    sudo -i

2. Run the following command to create a new CA Certificate:

    /usr/local/openvpn_as/scripts/sacli --key_algorithm=rsa --keysize=2048 --newca_cn=Futurex_CA AddCAGeneration

   Parameter        Value
   key_algorithm    rsa
   keysize          2048 or 4096
   newca_cn         Enter your desired CA name (e.g., Futurex_CA)

   Replace Futurex_CA with your preferred CA name. It is recommended to use a name that clearly identifies it as a CA certificate, making it easier for the OpenVPN Connect User to distinguish it from their client certificate.
   This command will also restart the Access Server services upon completion.
3. Run the following command to restart the Access Server service:

    systemctl restart openvpnas

4. Verify the new CA was created successfully by listing existing CAs:

    /usr/local/openvpn_as/scripts/sacli ShowCAs

You should see your newly created CA in the output.
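
As an additional check, the following added example (not part of the original procedure or of Access Server) uses the openssl command-line tool to confirm that a CA certificate is RSA 2048 or 4096 and is marked CA:TRUE. It assumes the CA certificate is available as a PEM file, which this page does not cover; the function names check_rsa_ca and make_sample_cert are hypothetical, and the sample certificate is a constructed throwaway.

```shell
#!/bin/sh
# Added example: verify that a PEM certificate is an RSA 2048/4096 CA.
# Assumption: the CA certificate has been exported to a PEM file.

# check_rsa_ca PEM_FILE
# Prints the RSA key size and returns 0 only for an RSA 2048/4096 CA.
check_rsa_ca() {
    text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || {
        echo "cannot parse certificate: $1" >&2; return 2; }
    printf '%s\n' "$text" | grep -q 'Public Key Algorithm: rsaEncryption' || {
        echo "not an RSA key" >&2; return 1; }
    # The size line reads "Public-Key: (2048 bit)" or "RSA Public-Key: (2048 bit)".
    bits=$(printf '%s\n' "$text" |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
    case "$bits" in
        2048|4096) ;;
        *) echo "unexpected RSA key size: ${bits:-unknown}" >&2; return 1 ;;
    esac
    printf '%s\n' "$text" | grep -q 'CA:TRUE' || {
        echo "basicConstraints is not CA:TRUE" >&2; return 1; }
    echo "$bits"
}

# make_sample_cert BITS TRUE|FALSE OUT_PEM
# Constructed test input: a throwaway self-signed certificate, so the
# check can be exercised without touching Access Server.
make_sample_cert() {
    dir=$(mktemp -d) || return 2
    cat > "$dir/req.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = Sample_CA
[ext]
basicConstraints = critical,CA:$2
EOF
    openssl req -x509 -newkey "rsa:$1" -nodes -days 1 -config "$dir/req.cnf" \
        -keyout "$dir/key.pem" -out "$3" 2>/dev/null
    rc=$?
    rm -rf "$dir"
    return $rc
}

# Usage: sh check_ca.sh /path/to/ca.pem   (script name and path are placeholders)
if [ $# -gt 0 ]; then check_rsa_ca "$1"; fi
```

A certificate that uses a different key algorithm, a different RSA size, or lacks CA:TRUE makes check_rsa_ca return non-zero with the reason on stderr.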