CA Certificate Rotation of UserVPN

Overview

Aviatrix UserVPN uses a Certificate Authority (CA) to issue and manage the client and server certificates required for secure VPN authentication. When the Controller is first initialized, it creates a self-signed RSA CA with a 10-year validity period.

You should rotate this CA before it expires or whenever re-keying is required.

CA Rotation

CA rotation replaces the existing CA certificate and private key with new ones. Rotation includes re-keying, issuing a new CA certificate, and re-issuing UserVPN client and server certificates under the new CA.

This guide describes two UserVPN certificate lifecycle operations workflows: Simple Rotation and Staged Rotation.

When to Rotate the CA

Rotate the CA when:

  • The CA is approaching expiration

  • The active CA key is compromised or required to be rotated

Rotating the CA invalidates previously issued UserVPN files.

Rotation Options

  • Simple Rotation: one-pass rotation with brief interruption (Recommended)

  • Staged Rotation: staged rollout with minimal downtime

Simple Rotation

Use this method when a short downtime window is acceptable. During the simple rotation, the admin only needs to distribute (re-issue) client VPN files (.ovpn) once to all VPN users.

Prerequisites

  • Access to Settings > Configuration > Certificate Store on CoPilot UI

  • VPN users must be attached to their UserVPN gateway or Load Balancer

  • Ensure all VPN gateways are up and running before each step

Follow the steps below to perform a simple rotation:

Step 1: Prepare a New CA in Certificate Store

  1. Go to Settings > Configuration > Certificate Store.

  2. Click + Certificate.

  3. Choose Generate Certificate or Upload Certificate. We recommend generating a new certificate.

    • For Generate Certificate (Recommended):

      1. Enter a name for the new CA.

      2. Select a validity period.

    • For Upload Certificate:

      1. Enter a name for the new CA.

      2. Upload the CA Certificate file in PEM format.

      3. Upload the CA Private Key file in PEM format.

  4. Click Add.

Step 2: Add the New CA to User VPN

  1. Go to Cloud Fabric > UserVPN > Settings.

  2. Click Rotate Certificate.

  3. Select the new CA and click Prepare.

Step 3: Verify User Attachments

Ensure all users are attached to their gateways or Load Balancers.

  1. Go to Cloud Fabric > UserVPN > Users.

  2. For each user, ensure the VPN Gateway column is not set to Detached.

If any users are detached, they must be attached to a gateway or Load Balancer before proceeding with the rotation.

Step 4: Activate the New CA

This step will take some time. Do not close the browser window, navigate to other pages, or refresh the page while this process is running.

  1. From Cloud Fabric > UserVPN > Settings, locate the newly Prepared CA entry in the listed Certificate table.

  2. Click Activate.

After the new CA is activated:

  • All previously issued UserVPN files become invalid. The client certificates signed by the old CA will be revoked.

  • All attached VPN users with their emails configured will automatically receive newly issued VPN files via email.

  • For attached VPN users without an email configured, the admin must distribute the new VPN files manually:

    1. Go to Cloud Fabric > UserVPN > Users.

    2. Download the client VPN file for each user that is not associated with an email address:

      1. Select the user.

      2. Click the three-dot menu on the right side.

      3. Click Download Client Certificate.

      4. Distribute the downloaded client VPN files to the respective users through your own admin channel.

Step 5: Notify Users to Install New VPN Files

Inform all VPN users to download and install the newly issued VPN files from the UserVPN portal.

All users will no longer be able to connect to UserVPN server until they install the newly issued client VPN file.

Step 6: Remove the Old CA

  1. From Cloud Fabric > UserVPN > Settings, locate the Deactivated CA.

  2. Click Remove Old Certificate to delete the old CA from the Certificate table and complete the rotation process.

Failure to remove the old CA may allow authentication using old VPN files.

Perform a Staged Rotation

Use this method for a controlled, low-downtime rotation. This workflow requires additional steps from both administrators and users because the client VPN files (.ovpn) must be distributed two times.

Step 1: Prepare a New CA in Certificate Store

  1. Go to Settings > Configuration > Certificate Store.

  2. Click + Certificate.

  3. Choose Generate Certificate or Upload Certificate. We recommend generating a new certificate.

    • For Generate Certificate (Recommended):

      1. Enter a name for the new CA.

      2. Select a validity period.

    • For Upload Certificate:

      1. Enter a name for the new CA.

      2. Upload the CA Certificate file in PEM format.

      3. Upload the CA Private Key file in PEM format.

  4. Click Add.

Step 2: Add the New CA to UserVPN

  1. Go to Cloud Fabric > UserVPN > Settings.

  2. Click Rotate Certificate.

  3. Select the new CA and click Prepare.

Step 3: Verify User Attachments

Ensure all users are attached to their gateways or Load Balancers.

  1. Go to Cloud Fabric > UserVPN > Users.

  2. For each user, ensure the VPN Gateway column is not set to Detached.

If any users are detached, they must be attached to a gateway or Load Balancer before proceeding with the rotation.

Step 4: Distribute New Client VPN Files to All Users

Before distributing new VPN files, ensure all users are attached to the correct VPN gateway or Load Balancer. Users who are detached will not receive the updated client VPN file.

For Users Without Email Addresses

  1. From Cloud Fabric > UserVPN > Users, select the user.

  2. Click the three-dot menu.

  3. Click Download Client Certificate to save the file locally.

  4. Distribute these VPN files to users using your preferred admin communication channel.

For Users With Email Addresses

  1. From Cloud Fabric > UserVPN > Users, click Re-issue Client Certificate.

The system will send the existing VPN file to each user’s email inbox. This action does not revoke any certificates but adds both new and current CA certificates to the VPN file.

Step 5: Notify Users to Install New VPN Files

Inform all VPN users to download and install the newly issued VPN files from the UserVPN portal.

During this phase of the Staged Rotation, users can continue using their existing VPN connections. The new VPN files will become necessary after the CA is activated in the next step.

Step 6: Activate the New CA

  1. Go to Cloud Fabric > UserVPN > Settings.

  2. Locate the Prepared CA entry in the Certificate table and click Activate.

After the activation:

  • All attached VPN users with email addresses will receive a second email containing the new client VPN file.

  • For attached VPN users without email addresses, repeat the manual distribution process from Step 4 to provide the second new client VPN file via your admin channel.

  • Both client VPN files (issued in Step 4 and after activation) remain valid. Any older client VPN files are now invalid.

Step 7: Remove the Old CA

After confirming all users have installed the latest client VPN files, perform the following steps to remove the old CA entry.

  1. Go to Cloud Fabric > UserVPN > Settings.

  2. Locate the Deactivated CA entry and click Remove Old Certificate.

This step is critical for maintaining security. If you do not remove the old CA, users with previously issued client VPN files (signed by the old CA) may still be able to authenticate and connect.