SSL – OpenVPN – can I use an existing SSL certificate

I want to set up an OpenVPN server for my personal usage. I own a domain and I have a valid SSL certificate for this domain (issued by StartSSL).

At the beginning of the setup instructions for OpenVPN there's a section describing generation of my own certificate authority used later to issue self-signed certificates.

I wonder if I can use my existing SSL certificate for that purpose? Do I have any advantages doing that?

For example, I used this certificate for mail server SSL, and mail clients do not complain about self-signed certificates. Do OpenVPN clients use well-known root certificates to check the server's certificate, or do they not employ this infrastructure, so that a self-signed certificate will work fine?

Best Answer

How are you planning on doing client authentication? Are you planning on doing cert-based client authentication, or something else?

I wonder if I can use my existing SSL certificate for that purpose? Do I have any advantages doing that?

Yes, you probably could get away with re-using a certificate, so long as your cert subject value matches the name of your OpenVPN server.

This is almost certainly a bad idea though. There is little or no advantage to doing it. You will probably make things more difficult and confusing for yourself if you try and you aren't very well versed in how PKI works.

In any case, for your first VPN server I strongly suggest following the guide as it is written before you try doing anything fancy with external CAs or 3rd party certificates. OpenVPN is extremely flexible, but it is best to stick with the standard method to start.

Do OpenVPN clients use well-known root certificates to check the server's certificate, or do they not employ this infrastructure, so that a self-signed certificate will work fine?

Generally, when setting up OpenVPN clients, you give the client the CA cert in addition to the suggested configuration.
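The answer's last point, as an added example that is not part of the original answer: the client decides whom to trust from the CA certificate it was handed, which `openssl verify -CAfile` reproduces below. All names (Demo VPN CA, Unrelated CA, vpn.example.test, the file prefixes) are constructed placeholders.

```shell
#!/bin/sh
# Added demo, not from the original post. Every name here is a constructed placeholder.
set -eu
cd "$(mktemp -d)"

# Minimal config so the demo does not depend on the system openssl.cnf.
cat > demo.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF

make_ca() {      # $1 = file prefix, $2 = CA common name
    openssl req -x509 -config demo.cnf -subj "/CN=$2" -newkey rsa:2048 \
        -nodes -days 30 -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

issue_cert() {   # $1 = CA prefix, $2 = output prefix, $3 = subject CN
    openssl req -new -config demo.cnf -subj "/CN=$3" -newkey rsa:2048 \
        -nodes -keyout "$2.key" -out "$2.csr" 2>/dev/null
    openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" \
        -CAcreateserial -days 30 -out "$2.crt" 2>/dev/null
}

# Succeeds only if cert $2 chains to the CA file $1 that the client was given.
trusted_by() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

make_ca vpn "Demo VPN CA"                  # the CA created by the setup guide
make_ca other "Unrelated CA"               # some other issuer
issue_cert vpn server vpn.example.test     # the VPN server's certificate
issue_cert vpn laptop client-laptop        # a client cert from the same CA
issue_cert other rogue vpn.example.test    # right name, wrong issuer

for c in server laptop rogue; do
    if trusted_by vpn.crt "$c.crt"; then
        echo "$c.crt: accepted"
    else
        echo "$c.crt: rejected"
    fi
done
```

`laptop.crt` is accepted as well: every certificate the CA issued chains to it, which is why OpenVPN client configs usually add `remote-cert-tls server` and `verify-x509-name`, and why a CA that signs only your VPN's certificates is the tighter trust anchor.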
