Create own ovpn file using certificate and key
For OpenVPN there are multiple certificates involved:
On the server side:
- server certificate (and key)
- ca certificate matching the private key that signed the server certificate
On the client side (optional):
- client certificate (and key) signed by the same or another ca
You have posted a client configuration. So the parameters need to be filled as follows:
- ca: ca certificate to verify the server certificate (signed the server certificate)
- cert: depending on server config, client certificate provided to the server for user authentication
- key: key matching the cert
I suggest you use easyrsa3. It should be explained in enough detail there.
Short summary for own OpenVPN server (and own, custom CA):
- generate ca certificate (and key)
- generate server certificate (and key)
- generate client certificates (and keys)
For enhanced security, the keys are created locally (on the server/client) together with a CSR (certificate request), and then the requests are signed on the node containing the ca (which should be separated), resulting in the certificates.
EDIT: Having another look at your question, this looks suspicious:
sudo openssl req -new -key ca.key > mycert.csr
sudo openssl x509 -req -days 1 -in ./mycert.csr \
-signkey /etc/openvpn/easy-rsa/pki/private/ca.key -out some.crt
What is the first ca.key? You should either separately generate a new (client) key or simply let openssl req do this for you (-newkey). The "key" used by openssl req belongs to the certificate you want to get a CSR for. At this point it has nothing to do with the CA.
Summary:
- create a private key
- create a CSR for the key
- get the csr signed by a CA (resulting in a signed certificate matching the private key of the first step)
Leonardo Bassi
Updated on September 18, 2022
Comments
Leonardo Bassi over 1 year
Recently, I set up a Raspberry Pi as a little server for doing some practice with networking, and on it I installed OpenVPN. For sample certificates I used the command pivpn -a, as suggested by OpenVPN. But now I want to create my own certificates because I need to insert an expiration date on them, for example. After much research on the internet, I didn't find anything which works, because most of the examples provided by users are for old versions of OpenVPN; the only thing that I learned was that I need openssl for creating my certificates.
So I ran the below commands for creating my certificates:
sudo openssl req -new -key ca.key > mycert.csr
sudo openssl x509 -req -days 1 -in ./mycert.csr \
-signkey /etc/openvpn/easy-rsa/pki/private/ca.key -out some.crt
ca.key is the key generated when I installed OpenVPN. At this point I tried to combine certificates and key as many tutorials suggest:
client
dev tun
proto udp
remote <my_server_ip> 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
tls-version-min 1.2
verify-x509-name <server_name> name
cipher AES-256-CBC
auth SHA256
auth-nocache
verb 3
<ca>
-----BEGIN CERTIFICATE-----
#my ca.crt
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
#the some.crt file, which I created before
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
#No idea what I have to write there
-----END ENCRYPTED PRIVATE KEY-----
</key>
<tls-crypt>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
#my ta.key
-----END OpenVPN Static key V1-----
</tls-crypt>
I am stuck at this point, because for the encrypted private key section someone says that I have to put client.key there, that is, the key which I used to sign my certificate, but it doesn't work.
Did I miss some steps, or is this the wrong way to achieve what I want?
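The flow the answer summarizes (private key, CSR, CA-signed certificate) and the inline .ovpn assembly the question attempts, as an added example that is not part of either post. It builds a throwaway CA in a temporary directory, so it never touches the pivpn/easy-rsa PKI under /etc/openvpn; the names (demo-ca, alice, bob), the $WORK directory, and the subset of directives written into the generated .ovpn are assumptions for the demo, and tls-crypt is left out. It also keeps the question's -signkey variant as a separate function only to show that the resulting certificate does not verify against the CA.

```shell
#!/bin/sh
# Added example, not from the question or answer: a throwaway CA, a client key
# and CSR, the CA signing that CSR, a check that the pieces fit, and an inline
# client .ovpn. Names (demo-ca, alice, bob) and $WORK are constructed for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Own CA (what easyrsa's build-ca does). The CA key only signs; it is never
# the key that goes into the client's <key> block.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=demo-ca" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Steps 1+2 of the answer's summary: a fresh client key and a CSR for it.
# -newkey creates the key together with the request, so no "-key ca.key".
make_client_csr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# Step 3: the CA signs the CSR. -CA/-CAkey issue a cert chained to the CA;
# -signkey (as in the question) would instead self-sign it.
sign_client_csr() {   # $1 = client name, $2 = validity in days
  openssl x509 -req -days "$2" -in "$WORK/$1.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/$1.crt" 2>/dev/null
}

# The question's variant, kept only to show why verify_client rejects it.
self_sign_like_question() {
  openssl x509 -req -days 1 -in "$WORK/$1.csr" \
    -signkey "$WORK/ca.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Two checks OpenVPN effectively performs: the cert must chain to the <ca>
# cert, and the <cert> public key must match the <key> private key.
verify_client() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1 || return 1
  crt_pub=$(openssl x509 -in "$WORK/$1.crt" -noout -pubkey)
  key_pub=$(openssl pkey -in "$WORK/$1.key" -pubout)
  [ "$crt_pub" = "$key_pub" ]
}

# True (exit 0) if the cert expires within $2 seconds; confirms -days took effect.
expires_within() {
  if openssl x509 -in "$WORK/$1.crt" -noout -checkend "$2" >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

# Assemble the inline .ovpn: <ca> is ca.crt, <cert> the signed client cert,
# <key> the client's own private key from make_client_csr (not ca.key).
# Directives are a subset of the question's config; tls-crypt is left out.
build_ovpn() {
  {
    printf 'client\ndev tun\nproto udp\nremote <my_server_ip> 1194\n'
    printf 'remote-cert-tls server\ncipher AES-256-CBC\nauth SHA256\nverb 3\n'
    printf '<ca>\n';   cat "$WORK/ca.crt";  printf '</ca>\n'
    printf '<cert>\n'; cat "$WORK/$1.crt";  printf '</cert>\n'
    printf '<key>\n';  cat "$WORK/$1.key";  printf '</key>\n'
  } > "$WORK/$1.ovpn"
}

# Usage: sh make_client.sh alice 30   -> writes $WORK/alice.ovpn, valid 30 days
if [ $# -ge 1 ]; then
  make_ca
  make_client_csr "$1"
  sign_client_csr "$1" "${2:-30}"
  verify_client "$1"
  build_ovpn "$1"
  echo "wrote $WORK/$1.ovpn"
fi
```

Run it as `sh make_client.sh alice 30` to get a verified alice.ovpn in the temporary directory. With a real easy-rsa PKI, only the paths change: -CA and -CAkey point at pki/ca.crt and pki/private/ca.key, and the client key stays whatever make_client_csr (or easyrsa gen-req) wrote, which is what belongs in <key>.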