CA certificate expired on openvpn


error 10 at 0 depth means your server cert has expired, not your CA cert. Issue a new server cert -- for the same private key if you like, and definitely for the same DN -- and use that. The whole reason to have/use a CA is so that you can issue child (server and client) certs whenever needed, without the hassle of manually distributing them, only distributing the one CA cert.


Author: abdel

Updated on September 18, 2022

Comments

  • abdel (over 1 year ago)

    I have a problem with the CA certificate on OpenVPN: it has expired and clients cannot connect. I tried to create a new certificate with the ca.key, but it did not work.

    Here is the command I used to create the new certificate: openssl x509 -in ca.crt -days 3650 -out ca_new.crt -signkey ca.key

    After that I changed the openvpn file configuration to indicate that the new certificate is ca_new.crt.

    Here is my config file:

    port 1194
    proto udp
    dev tun
    client-to-client
    ca easy-rsa/keys/ca_new.crt
    cert easy-rsa/keys/server.crt
    key easy-rsa/keys/server.key
    #crl-verify easy-rsa/keys/crl.pem
    dh easy-rsa/keys/dh1024.pem
    server 10.0.0.0 255.255.0.0
    ifconfig-pool-persist ipp.txt
    client-config-dir ccd
    keepalive 10 120
    #tls-auth easy-rsa/keys/ta.key 0
    #cipher DES-EDE3-CBC
    comp-lzo
    max-clients 16129
    user nobody
    group nobody
    persist-key
    persist-tun
    status status.log
    verb 3
    tun-mtu 1500
    mssfix 1392


    When I check the new certificate using the command openssl verify -CAfile ca_new.crt server.crt, I get this message:

    server.crt: /C=FR/ST=Nord/L=Annoeullin/O=CALEO-CTC/CN=server/[email protected] error 10 at 0 depth lookup:certificate has expired OK

    This is the status.log file:

    OpenVPN CLIENT LIST
    Updated,Wed Sep  2 14:38:32 2015
    Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
    UNDEF,193.248.149.52:48211,343,3344,Wed Sep  2 14:38:21 2015
    UNDEF,193.50.22.130:33870,341,4712,Wed Sep  2 14:38:16 2015
    UNDEF,193.252.209.244:38024,343,7448,Wed Sep  2 14:38:04 2015
    UNDEF,82.127.230.103:55210,343,7904,Wed Sep  2 14:38:01 2015
    UNDEF,193.50.22.130:54559,341,12920,Wed Sep  2 14:37:35 2015
    UNDEF,194.206.44.228:28159,343,4712,Wed Sep  2 14:38:16 2015
    UNDEF,92.155.150.105:35158,343,1976,Wed Sep  2 14:38:29 2015
    UNDEF,213.30.150.186:50232,343,3800,Wed Sep  2 14:38:21 2015
    ......................
    ......................
    ......................
    UNDEF,80.13.217.56:51206,342,5624,Wed Sep  2 14:38:12 2015
    UNDEF,194.206.44.228:29930,343,3344,Wed Sep  2 14:38:22 2015
    UNDEF,92.155.150.105:45657,343,2888,Wed Sep  2 14:38:23 2015
    UNDEF,92.147.131.148:50109,343,9272,Wed Sep  2 14:37:53 2015
    UNDEF,109.6.229.178:59124,343,12920,Wed Sep  2 14:37:39 2015
    UNDEF,194.206.44.228:32420,343,13376,Wed Sep  2 14:37:34 2015
    UNDEF,109.6.229.178:35403,343,2432,Wed Sep  2 14:38:26 2015
    UNDEF,82.127.230.103:58576,343,12920,Wed Sep  2 14:37:39 2015
    UNDEF,185.39.170.34:20415,343,7904,Wed Sep  2 14:38:02 2015
    UNDEF,185.39.170.34:20407,343,11096,Wed Sep  2 14:37:46 2015
    ROUTING TABLE
    Virtual Address,Common Name,Real Address,Last Ref
    GLOBAL STATS
    Max bcast/mcast queue length,0
    END
    

    On client computers there are 4 files:

    - client.crt
    - client.key
    - ca.crt
    - config.ovpn
    

    How can I further troubleshoot the issue to figure out the problem? What is the problem?

  • abdel (over 8 years ago)

    Thanks for your answer, I built a new server key and certificate. My goal is to not change anything on client computers. Is that possible without distributing the new CA cert?
  • dave_thompson_085 (over 8 years ago)

    @abdel If the old CA cert hasn't expired (and assuming the new server cert is issued using either the old CA cert or a new CA cert that has the same key, Subject=Issuer for CA, and serial, which your x509 -signkey would) then your new server cert will work for a client that has/keeps the old CA cert.
  • abdel (over 8 years ago)

    Thanks for your answer, but what will happen if the old CA cert has expired? Clients can't connect until I replace the old CA with the new one?
  • dave_thompson_085 (over 8 years ago)

    If a CA cert has expired, it is no longer valid and a client using it won't trust the cert(s) issued and verified under it, so yes you will need to distribute and install a new CA cert. That's the main reason a CA cert usually has a long validity period, and the CA must keep its private key secure for that longer time.