Recipe for using own certificates
Posted: Fri May 19, 2023 11:01 am
Hi,
I just installed OpenVPN 2.5.5 on Ubuntu 22.04.2 LTS and I'm currently using the certificates created on the server itself (using easy-rsa), and this works. However I have the requirement to use a server certificate and client certificate from a CA. These certificates are delivered as PFX files, so what I have is:
server.pfx
client.pfx
On the client (Windows) I'm using OpenVPN (GUI) v11.42.0.0.
Looking at both the server and client configuration it seems I need:
ca.crt
server.crt
server.key
dh.pem
ta.key
client.crt
client.key
I know how to create KEY, CRT and PEM from PFX using OpenSSL and PuttyGen (Windows), but questions are pending:
1. My usage so far for creating the files above is for OpenSSH. Are these files compatible with OpenVPN? If not, does anyone have a recipe for creating the OpenVPN required files from PFX?
2. I assume that "ta.key" can remain "as-is" as it is just TLS and not as such related to the certificates?
3. I'm unsure about where to physically place client.crt and key on the Ubuntu server. Can anyone give me some steps on where to place these? The ones I have now (created on the server) are located under "/usr/share/easy-rsa/pki/.." but I cannot seem to find any configuration for this. How does OpenVPN Server know where to look for client files?
Thanks.
Werner
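For the PFX-to-PEM step asked about in question 1, here is an added example (not part of the original post and not OpenVPN project code) that splits a PKCS#12 bundle into the PEM key, certificate and CA files that OpenVPN's `ca`, `cert` and `key` directives read, then checks that the key and certificate belong together. The function names, the password-file argument and the output file names are assumptions.

```shell
#!/bin/sh
# Added example: split a PKCS#12 (.pfx) bundle into PEM files for OpenVPN.
# Function names, password file and output names are assumptions.

# key_matches_cert <key.pem> <cert.pem>
# Succeeds only if the private key and the certificate carry the same public key.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout | openssl sha256) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey | openssl sha256) || return 1
    [ "$k" = "$c" ]
}

# pfx_to_pem <bundle.pfx> <password-file> <outdir> <name>
# Writes <outdir>/<name>.key, <outdir>/<name>.crt and <outdir>/ca.crt.
# The password is read from a file so it never appears in the process list.
pfx_to_pem() {
    pfx=$1; passfile=$2; out=$3; name=$4
    mkdir -p "$out" || return 1

    # Private key only, unencrypted so the daemon can start unattended;
    # umask 077 keeps the key file readable by its owner alone.
    old_umask=$(umask); umask 077
    openssl pkcs12 -in "$pfx" -passin "file:$passfile" -nocerts -nodes \
        | openssl pkey -out "$out/$name.key" || { umask "$old_umask"; return 1; }
    umask "$old_umask"

    # Leaf certificate only; openssl x509 drops the "Bag Attributes" text.
    openssl pkcs12 -in "$pfx" -passin "file:$passfile" -clcerts -nokeys \
        | openssl x509 -out "$out/$name.crt" || return 1

    # CA chain only; keep just the PEM blocks.
    openssl pkcs12 -in "$pfx" -passin "file:$passfile" -cacerts -nokeys \
        | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' \
        > "$out/ca.crt" || return 1
    [ -s "$out/ca.crt" ] || echo "warning: no CA certificates in $pfx" >&2

    # Refuse to report success if the extracted key and certificate do not pair up.
    key_matches_cert "$out/$name.key" "$out/$name.crt"
}

# Example call (paths are placeholders):
#   pfx_to_pem server.pfx ./pfx-password.txt ./openvpn-pem server
```

A PFX exported with older algorithms may additionally need `-legacy` on the `openssl pkcs12` calls when using OpenSSL 3.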