Where to put certs?

Business solution to host your own OpenVPN server with web management interface and bundled clients.
dummkauf
OpenVpn Newbie
Posts: 2
Joined: Thu Apr 26, 2018 5:34 am

Where to put certs?

Post by dummkauf » Thu Apr 26, 2018 5:41 am

I'm new to OpenVPN and am playing around with it on Amazon AWS with Access Server on an EC2 instance.

I have the VPN working using password authentication, but I would like to try setting up certs to authenticate the clients. I generated the certs using easy-rsa v3.0.5 following this guide: https://community.openvpn.net/openvpn/w ... nVPN-Howto, but it doesn't tell me what to do with the certs once they've been generated and signed.

I also looked at the how-to located here: https://openvpn.net/index.php/open-sour ... o.html#pki. However, at the end of the PKI section it just says "The final step in the key generation process is to copy all files to the machines which need them, taking care to copy secret files over a secure channel.", but doesn't tell you where on the server to copy the files to. I'm assuming the certs need to be added to a specific directory or referenced in the configuration somewhere, but I can't seem to find where this is documented.

Where do the certs go once they've been created and signed?

novaflash
OpenVPN Inc.
Posts: 1073
Joined: Fri Apr 13, 2012 8:43 pm

Re: Where to put certs?

Post by novaflash » Thu Apr 26, 2018 4:36 pm

OpenVPN Access Server already uses certificates, but it's fully automated. They're embedded in the client.ovpn files that it automatically creates for you. If you want to force users to come to you to get the required files you could consider disabling web interface access and doing things manually, but there are some downsides to that. See this document:
https://docs.openvpn.net/getting-starte ... procedures
I'm still alive, just posting under the openvpn_inc alias now as part of a larger group.

dummkauf
OpenVpn Newbie
Posts: 2
Joined: Thu Apr 26, 2018 5:34 am

Re: Where to put certs?

Post by dummkauf » Fri Apr 27, 2018 5:27 am

Ahh, that makes sense. However, how do I confirm what type of key it's using and/or change it if I wanted to?

novaflash
OpenVPN Inc.
Posts: 1073
Joined: Fri Apr 13, 2012 8:43 pm

Re: Where to put certs?

Post by novaflash » Fri Apr 27, 2018 2:06 pm

Well, if you want to get the technical details of the key, you can cut it out of the client.ovpn file and run it through openssl to see what type of key it is and such.

If you want to change the key, the easiest way is to go to the admin UI of the Access Server, go to revoke certificates, and kill the certificate/key for this particular user. The Access Server will generate a new one when it becomes necessary.
I'm still alive, just posting under the openvpn_inc alias now as part of a larger group.
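
One way to do the inspection described in the reply above, as an added example that is not part of the original posts. The function names are hypothetical, and it assumes the profile carries inline `<cert>` and `<key>` blocks with an unencrypted key and that `openssl` is on the PATH:

```shell
#!/bin/sh
# Added example: inspect the client certificate/key embedded in an OpenVPN
# profile. Function names are illustrative; requires openssl on the PATH.

# Print the body of an inline <TAG>...</TAG> block (CRLF-safe).
extract_inline() {  # usage: extract_inline TAG PROFILE
    tr -d '\r' < "$2" | sed -n "/^<$1>\$/,/^<\/$1>\$/p" | sed '1d;$d'
}

# Public key algorithm of the client certificate, e.g. rsaEncryption.
key_algorithm() {
    extract_inline cert "$1" | openssl x509 -noout -text |
        sed -n 's/^ *Public Key Algorithm: //p'
}

# Key size in bits as reported by openssl.
key_bits() {
    extract_inline cert "$1" | openssl x509 -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Succeeds only if the embedded private key belongs to the embedded cert.
# The key is piped, never written to disk. Assumes an unencrypted key.
key_matches_cert() {
    cert_pub=$(extract_inline cert "$1" | openssl x509 -noout -pubkey 2>/dev/null)
    key_pub=$(extract_inline key "$1" | openssl pkey -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

cert_report() {
    extract_inline cert "$1" |
        openssl x509 -noout -subject -issuer -serial -dates
    echo "key algorithm: $(key_algorithm "$1")"
    echo "key size:      $(key_bits "$1") bit"
    if key_matches_cert "$1"; then
        echo "private key:   matches certificate"
    else
        echo "private key:   MISSING or does not match"
    fi
}

# Run as: sh inspect-ovpn.sh client.ovpn
if [ "$#" -gt 0 ]; then cert_report "$1"; fi
```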
