Renew your server certificate for AWS Client VPN

You can renew and re-import a Client VPN server certificate that has expired. Depending on the version of OpenVPN easy-rsa that you're using, the procedure will vary. See Easy-RSA 3 Certificate Renewal and Revocation Documentation for more details.

To renew your server certificate

Do one of the following:
- Easy-RSA version 3.1.x
  1. Run the certificate renew command.
```
$ ./easyrsa renew server nopass
```
- Easy-RSA version 3.2.x
  1. Run the expire command.
```
$ ./easyrsa expire server
```
  2. Sign a new certificate.
```
$ ./easyrsa --san=DNS:server sign-req server server
```

Create a custom folder, copy the new files to it, then navigate into the folder.


$ mkdir ~/custom_folder2
$ cp pki/ca.crt ~/custom_folder2/
$ cp pki/issued/server.crt ~/custom_folder2/
$ cp pki/private/server.key ~/custom_folder2/
$ cd ~/custom_folder2/

Import the new files to ACM. Be sure to import them in the same Region as the Client VPN endpoint.


$ aws acm import-certificate \
    --certificate fileb://server.crt \
    --private-key fileb://server.key \
    --certificate-chain fileb://ca.crt \
    --certificate-arn arn:aws:acm:region:123456789012:certificate/12345678-1234-1234-1234-12345678901

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Enable mutual authentication

Single sign-on (SAML 2.0-based federated authentication)