How to regenerate OpenVPN certificate

I’m a recent (happy) owner of the PepWave SOHO MK3. I’ve configured OpenVPN with no issues. However, digging into the security of it, I see that the PepWave seems to have a fixed certificate (public and private) associated with the device. Thus far I haven’t discovered a way to generate a new one. Can someone explain how to do this? I’ve tried turning Remote User Access off and on again, but that doesn’t generate a new certificate.

The issue with a fixed certificate is that there’s no way to “revoke” it, for example by generating a new one. Imagine the following scenarios:

  • If you give the OpenVPN .ovpn file (which contains the public side of the certificate) to someone temporarily for example, you can’t invalidate it. Sure, you can invalidate their login, but the actual security of VPN is the certificate (public and private) used to protect the channel.
  • A reseller (or current owner) grabs the certificate, and then sells the device. The seller now has the certificate of the device they sold.

Adding a “regenerate” button should be pretty easy, or you could just generate a new one every time Remote User Access is enabled.

Hi - welcome to the forum!
You can manage certificates for OpenVPN in the Certificate Manager, which is under Network > Misc Settings on the Balance firmware or Advanced > Misc Settings on the MAX firmware:

If you click the edit button you can then paste in your new keys:

3 Likes
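Added example, not part of the original posts and not Peplink tooling: one way to produce the new key and certificate to paste in, check that the two belong together, and confirm that a re-downloaded .ovpn profile embeds the new certificate. It assumes the Certificate Manager accepts PEM text, that a self-signed certificate is acceptable, and that the profile carries the certificate inline in a `<ca>` block; the file names, CN and lifetime are placeholders.

```shell
#!/bin/sh
# Added example: create a replacement key and certificate with OpenSSL,
# then check them before pasting into the Certificate Manager.
set -eu

# gen_cert DIR CN DAYS: write DIR/key.pem and DIR/cert.pem (self-signed, RSA-2048).
# File names, CN and lifetime are assumptions chosen for this example.
gen_cert() {
    mkdir -p "$1"
    ( umask 077   # the private key must not be readable by other users
      openssl req -x509 -newkey rsa:2048 -sha256 -nodes \
          -keyout "$1/key.pem" -out "$1/cert.pem" \
          -days "$3" -subj "/CN=$2" 2>/dev/null )
}

# pubkey_hash FILE cert|key: SHA-256 over the public key held in FILE.
pubkey_hash() {
    case $2 in
        cert) openssl x509 -in "$1" -noout -pubkey ;;
        key)  openssl pkey -in "$1" -pubout ;;
    esac | openssl sha256 | awk '{print $NF}'
}

# pair_matches CERT KEY: succeeds only if CERT was issued for KEY.
pair_matches() {
    [ "$(pubkey_hash "$1" cert)" = "$(pubkey_hash "$2" key)" ]
}

# fingerprint: SHA-256 fingerprint of the first PEM certificate on stdin.
fingerprint() {
    openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# ovpn_ca FILE: print the certificate embedded in an .ovpn profile.
# Assumes the profile carries it inline between <ca> and </ca>.
ovpn_ca() {
    sed -n '/<ca>/,/<\/ca>/p' "$1" | sed '/<\/*ca>/d'
}

# Demo on throwaway files: a constructed profile that embeds the new certificate.
work=$(mktemp -d)
gen_cert "$work/new" "soho-vpn.example" 365
{ echo "client"; echo "<ca>"; cat "$work/new/cert.pem"; echo "</ca>"; } > "$work/new.ovpn"
pair_matches "$work/new/cert.pem" "$work/new/key.pem" && echo "key and certificate match"
echo "profile CA: $(ovpn_ca "$work/new.ovpn" | fingerprint)"
```

Running `ovpn_ca old.ovpn | fingerprint` against a previously exported profile and comparing it with the new value shows whether profiles handed out earlier still carry the certificate the router now uses.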

Thank you Martin for the response. I don’t see a Certificate section under Network->Misc (or anywhere else for that matter). Note again that I have a PepWave SOHO MK3. I’m running firmware version 8.1.0 build 4941. I see no more recent updates.

The Network tab has a LAN section (Network Settings, Port Settings) and a WAN section. There doesn’t appear to be a Certificate section, or any such settings revealed through one of the “special” question mark entries.

edit: Ah. Wait. It’s under Advanced->Misc. Settings. There’s a Certificate Manager under that. I didn’t notice it before.

edit2: Thank you Martin for the solution! I’ve marked my response as the solution because it provides the correct location of the settings. However, I wouldn’t have found it without your help! 🙂

edit3: I see you’ve clarified your response, so I’ve marked your answer as the solution. 🙂 🙂

2 Likes