Recently, I set up a Raspberry Pi as a little server for doing some practice with networking, and on it I installed OpenVPN. For sample certificates I used the command pivpn -a, as suggested by OpenVPN. But now I want to create my own certificates because I need to put an expiration date on them, for example.
After much research on the internet, I didn't find anything that works, because most of the examples provided by users are for old versions of OpenVPN; the only thing I learned was that I need openssl to create my certificates.
So I ran the commands below to create my certificates:
sudo openssl req -new -key ca.key > mycert.csr
sudo openssl x509 -req -days 1 -in ./mycert.csr \
-signkey /etc/openvpn/easy-rsa/pki/private/ca.key -out some.crt
ca.key is the key generated when I installed OpenVPN. At this point I tried to combine the certificates and key as many tutorials suggest:
client
dev tun
proto udp
remote <my_server_ip> 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
tls-version-min 1.2
verify-x509-name <server_name> name
cipher AES-256-CBC
auth SHA256
auth-nocache
verb 3
<ca>
-----BEGIN CERTIFICATE-----
#my ca.crt
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
#the some.crt file, which I created before
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
#No idea what I have to write here
-----END ENCRYPTED PRIVATE KEY-----
</key>
<tls-crypt>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
#my ta.key
-----END OpenVPN Static key V1-----
</tls-crypt>
I am stuck at this point, because for the encrypted private key section someone says that I have to put client.key there, i.e. the key which I used to sign my certificate, but it doesn't work.
Did I miss some steps, or is this the wrong way to achieve what I want?
Best Answer
For OpenVPN there are multiple certificates involved:
On the server side:
On the client side (optional):
You have posted a client configuration. So the parameters need to be filled as follows:
I suggest you use easyrsa3. It should be explained in enough detail there.
Short summary for own OpenVPN server (and own, custom CA):
For enhanced security, the keys are created locally (on the server/client) together with CSRs (certificate requests), and then the requests are signed on the node containing the CA (should be separated), resulting in the certificates.
EDIT: Having another look at your question, this looks suspicious:
What is the first ca.key? You should either separately generate a new (client) key or simply let openssl req do this for you (-newkey). The "key" used by openssl req belongs to the certificate you want to get a CSR for. At this point it has nothing to do with the CA.
Summary:
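The key/CSR/signing split the answer describes, written out with plain openssl rather than easyrsa3, as an added example that is not part of the question or the answer (the working directory, "Example CA" and the client name are assumed placeholders):

```shell
# Added example, not from the question or the answer: the CSR workflow the answer
# describes with plain openssl (names such as "Example CA" are placeholders).
set -eu
# write_conf DIR: minimal openssl config with the CA and client extensions, so
# the result does not depend on the system openssl.cnf defaults.
write_conf() {
    mkdir -p "$1"
    cat > "$1/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[client_ext]
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF
}
# make_ca DIR: CA key plus self-signed CA certificate (done on the CA node).
make_ca() {
    write_conf "$1"
    openssl req -x509 -config "$1/pki.cnf" -newkey rsa:2048 -nodes \
        -keyout "$1/ca.key" -subj "/CN=Example CA" -days 3650 \
        -out "$1/ca.crt" 2>/dev/null
}
# make_client_csr DIR NAME: fresh key and CSR, generated on the client. This is
# the step the question got wrong: -newkey makes the client's own key, not ca.key.
make_client_csr() {
    openssl req -new -config "$1/pki.cnf" -newkey rsa:2048 -nodes \
        -keyout "$1/$2.key" -subj "/CN=$2" -out "$1/$2.csr" 2>/dev/null
}
# sign_client_csr DIR NAME DAYS: on the CA node. -CA/-CAkey make the CA the issuer
# and -days sets the expiry; -signkey, as in the question, would only self-sign.
sign_client_csr() {
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days "$3" -extfile "$1/pki.cnf" -extensions client_ext \
        -out "$1/$2.crt" 2>/dev/null
}
# verify_client DIR NAME: the server's check; exit 0 when the cert chains to ca.crt.
verify_client() {
    openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1
}
# key_matches_cert DIR NAME: the <key> block must hold the private key whose
# public half is in the <cert> block; compare the two public keys.
key_matches_cert() {
    [ "$(openssl x509 -in "$1/$2.crt" -noout -pubkey)" = \
      "$(openssl pkey -in "$1/$2.key" -pubout 2>/dev/null)" ]
}
```

After `sign_client_csr`, ca.crt goes into the `<ca>` block, client1.crt into `<cert>` and client1.key into `<key>` of the .ovpn file; ca.key stays on the CA node and never appears in a client profile.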