Create OVPN File Using Certificate and Key on Debian

Tags: debian, linux, openvpn, vpn

Recently, I set up a Raspberry Pi as a little server for doing some practice with networking, and on it I installed OpenVPN. For sample certificates I used the command pivpn -a, as suggested by OpenVPN. But now I want to create my own certificates, because I need to set an expiration date on them, for example.

After much research on the internet, I didn't find anything that works, because most of the examples provided by users are for old versions of OpenVPN; the only thing I learned was that I need openssl to create my certificates.

So I ran the commands below to create my certificates:

sudo openssl req -new -key ca.key > mycert.csr
sudo openssl x509 -req -days 1 -in ./mycert.csr \
    -signkey /etc/openvpn/easy-rsa/pki/private/ca.key -out some.crt

ca.key is the key generated when I installed OpenVPN. At this point I tried to combine the certificates and key as many tutorials suggest:

client
dev tun
proto udp
remote <my_server_ip> 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
tls-version-min 1.2
verify-x509-name <server_name> name
cipher AES-256-CBC
auth SHA256
auth-nocache
verb 3
<ca>
-----BEGIN CERTIFICATE-----
#my ca.crt
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
#the some.crt file, which i created before
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
#No idea what i have to write there
-----END ENCRYPTED PRIVATE KEY-----
</key>
<tls-crypt>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
#my ta.key
-----END OpenVPN Static key V1-----
</tls-crypt>

I am stuck at this point, because in the encrypted private key section someone says that I have to put client.key, i.e. the key which I used to sign my certificate, but it doesn't work.

Did I miss some steps, or is this the wrong way to achieve what I want?

Best Answer

For OpenVPN there are multiple certificates involved:

On the server side:

  • server certificate (and key)
  • ca certificate matching the private key that signed the server certificate

On the client side (optional):

  • client certificate (and key) signed by the same or another ca

You have posted a client configuration. So the parameters need to be filled as follows:

  • ca: ca certificate to verify the server certificate (signed the server certificate)
  • cert: depending on server config, client certificate provided to the server for user authentication
  • key: key matching the cert

I suggest you use easyrsa3. It should be explained in enough detail there.

Short summary for own OpenVPN server (and own, custom CA):

  • generate ca certificate (and key)
  • generate server certificate (and key)
  • generate client certificates (and keys)

For enhanced security, the keys are created locally (on the server/client) together with a CSR (certificate signing request), and then the requests are signed on the node containing the CA (which should be separate), resulting in the certificates.

EDIT: Having another look at your question, this looks suspicious:

sudo openssl req -new -key ca.key > mycert.csr
sudo openssl x509 -req -days 1 -in ./mycert.csr \
 -signkey /etc/openvpn/easy-rsa/pki/private/ca.key -out some.crt

What is the first ca.key? You should either separately generate a new (client) key or simply let openssl req do this for you (-newkey). The "key" used by openssl req belongs to the certificate you want to get a CSR for. At this point it has nothing to do with the CA.

Summary:

  • create a private key
  • create a CSR for the key
  • get the csr signed by a CA (resulting in a signed certificate matching the private key of the first step)
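The three steps above carried through on a throwaway CA, as an added example that is not part of the original answer: the client key is generated with the CSR, the CSR is signed with the CA's certificate and key (not -signkey), and two checks confirm that the certificate chains to the CA and that the private key for the `<key>` section is the one matching `<cert>`. File names, CNs and the working directory are constructed for the demo; openssl is assumed to be on PATH.

```shell
#!/bin/sh
# Added example (not from the original answer): CA -> client key + CSR -> signed cert,
# plus the checks a client .ovpn profile needs before the files go into it.
set -eu

# Throwaway CA. In practice the CA key lives on a separate node, as the answer says.
make_ca() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 -subj "/CN=Demo CA" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# Steps 1 and 2: -newkey creates the client's own private key together with the CSR.
# -nodes leaves the key unencrypted so OpenVPN can load it without a passphrase prompt.
make_client_csr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1/client.key" -out "$1/client.csr" 2>/dev/null
}

# Step 3: the CA signs the CSR. -CA/-CAkey issue a certificate under the CA;
# -signkey would instead self-sign and the CA could never verify the result.
sign_csr() {
  openssl x509 -req -in "$1/client.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 30 -out "$1/client.crt" 2>/dev/null
}

# Check 1: the client certificate validates against the CA certificate.
verify_chain() {
  openssl verify -CAfile "$1/ca.crt" "$1/client.crt" >/dev/null 2>&1
}

# Check 2: the public half of a private key equals the public key inside a certificate.
# The key that passes this check for client.crt is what belongs in <key>.
key_matches_cert() {
  [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
    "$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)" ]
}

# Emit the inline <ca>/<cert>/<key> sections for the client profile (other
# directives such as remote, dev and proto are left to the existing config).
inline_sections() {
  printf '<ca>\n';   cat "$1/ca.crt";     printf '</ca>\n'
  printf '<cert>\n'; cat "$1/client.crt"; printf '</cert>\n'
  printf '<key>\n';  cat "$1/client.key"; printf '</key>\n'
}

# Runs the whole procedure in directory $1 for a client named $2.
build_all() { make_ca "$1" && make_client_csr "$1" "$2" && sign_csr "$1"; }
```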