Openvpn – Can we use CA signed certificate like let’s encrypt in softether vpn server


I am trying to attach let's encrypt certificate to my softether vpn server, But didn't found a way for it. Can we use CA signed certificate like let's encrypt in vpn server ? If yes, then please provide the process.

Best Answer

The main challenge in using Let's Encrypt certificates with a VPN server is that their validity period is really short, only 3 months. This means there are some prerequisites:

  • You must be able to automate loading of the certificate and the private key once the Certbot has renewed them. Luckily, Softether has a Command Line Management Utility. You should be familiar at least with 6.2 General Usage of vpncmd in order to understand the steps 1 and 3 in this answer.
  • The VPN server needs to be publicly accessible on HTTP port 80 for the HTTP-01 challenge. Also, the Softether VPN server hasn't builtin HTTP-01 challenge, so it requires an external Certbot.


  1. You should add Let's Encrypt as trusted CA for the VPN clients.

  2. Install and configure Certbot: instructions based on your web server and system.

  3. Create a script / task / cronjob that periodically updates the certificate and the key.

    • Certbot renews all certificates that will expire in a month. Therefore, there's up to month before a the old certificate expires, but you in order to minimize the chances for this to fail, I'd recommend running this script at least once a week.

    • The command, from 6.3.20 "ServerCertSet": Set SSL Certificate and Private Key of VPN Server, is:

      ServerCertSet [/LOADCERT:cert] [/LOADKEY:key]

      /LOADCERT Specify the X.509 format certificate file to use.

      /LOADKEY Specify the Base 64 encoded private key file for the certificate to use.

      For example with Debian Linux, the command might be:

      vpncmd /server localhost /password:password /adminhub:DEFAULT
          /cmd ServerCertSet \
          /LOADCERT:/etc/letsencrypt/live/ \