Recipe for using own certificates

Scripts to manage certificates or generate config files

ITemplate
OpenVpn Newbie
Posts: 2
Joined: Fri May 19, 2023 10:20 am

Recipe for using own certificates

Post by ITemplate » Fri May 19, 2023 11:01 am

Hi,

I just installed OpenVPN 2.5.5 on Ubuntu 22.04.2 LTS and I'm currently using the certificates created on the server itself (using easy-rsa), and this works. However, I have the requirement to use a server certificate and client certificate from a CA. These certificates are delivered as PFX files, so what I have is:

server.pfx
client.pfx

On the client (Windows) I'm using OpenVPN (GUI) v11.42.0.0.
Looking at both the server and client configuration it seems I need:

ca.crt
server.crt
server.key
dh.pem
ta.key
client.crt
client.key

I know how to create KEY, CRT and PEM from PFX using OpenSSL and PuttyGen (Windows), but questions are pending:

1.
My usage so far for creating the files above is for OpenSSH. Are these files compatible with OpenVPN? If not, does anyone have a recipe for creating the OpenVPN required files from PFX?

2.
I assume that "ta.key" can remain "as-is" as it is just TLS and not as such related to the certificates?

3.
I'm unsure on where to physically place client.crt and key on the Ubuntu server. Can anyone give me some steps on where to place these? The ones I have now (created on the server) are located under "/usr/share/easy-rsa/pki/.." but I cannot seem to find any configuration for this. How does OpenVPN Server know where to look for client files?

Thanks.
Werner

Fadim
OpenVPN User
Posts: 40
Joined: Mon May 15, 2023 12:14 pm

Re: Recipe for using own certificates

Post by Fadim » Mon May 22, 2023 9:17 am

Hey @Werner,
You're on the right track!
Yes, OpenVPN uses the same certificate format as OpenSSH. So you should be able to extract the necessary CRT and KEY files from your PFX files using OpenSSL.
You're correct, "ta.key" is for TLS authentication and isn't tied to your certificates. You can keep using the one generated by easy-rsa.
For the location of client certificates on the server, OpenVPN doesn't typically require them to be stored there. The client.crt and client.key files should be on the client machine. What you need to have on the server is the CA certificate (ca.crt) that was used to sign the client and server certificates. This allows the server to verify the client's certificate. The path to this CA certificate is specified in the server's OpenVPN configuration file.
Remember to make sure your server configuration file reflects the locations of your new certificate and key files. Best of luck!

ITemplate
OpenVpn Newbie
Posts: 2
Joined: Fri May 19, 2023 10:20 am

Re: Recipe for using own certificates

Post by ITemplate » Tue May 23, 2023 11:56 am

Thanks a lot Fadim, just the kind of answer I was looking for. I misunderstood the client part obviously, but it makes sense now! Thanks.