Question about content of my .ovpn file downloaded from access server
Posted: Tue Sep 19, 2023 2:12 pm
Hi,
For my own understanding I would like to know what each key/certificate is inside the ".ovpn" file I have downloaded from the access server I have installed on Debian 10. Some of the keys are commented out and some are in-line. Apologies for the noob question, just trying to wrap my head around it all. I have deliberately shortened all the keys.
Cheers,
------------------------------------------------------------------------------------------------------------------------------------------------------
1) First item in the file, commented out. I think I understand: this is the web server certificate and I can find this @ "/usr/local/openvpn_as/etc/web-ssl/ca.crt"
# OVPN_ACCESS_SERVER_WEB_CA_BUNDLE_START
# -----BEGIN CERTIFICATE-----
# MIIBwDCCAUWgAwIBAgIEZQQnETAKBggqhkjOPQQDAjA4MTYwNAYDVQQDDC1PcGVu
# -----END CERTIFICATE-----
------------------------------------------------------------------------------------------------------------------------------------------------
2) I can find mention of this key in "/usr/local/openvpn_as/etc/db/.certs.db". Is this the public certificate of the CA?
<ca>
-----BEGIN CERTIFICATE-----
MIIBeTCB/6ADAgECAgRlBCcLMAoGCCqGSM49BAMCMBUxEzARBgNVBAMMCk9wZW5W
-----END CERTIFICATE-----
</ca>
------------------------------------------------------------------------------------------------------------------------------------------------
3) I can find mention of this key in "/usr/local/openvpn_as/etc/db/.certs.db". Is this the public certificate of the VPN server?
<cert>
-----BEGIN CERTIFICATE-----
MIIBoDCCASWgAwIBAgIILwJxQOI4wgcwCgYIKoZIzj0EAwIwFTETMBEGA1UEAwwK
-----END CERTIFICATE-----
</cert>
------------------------------------------------------------------------------------------------------------------------------------------------
4) I'm not quite sure what this is and I can't find it on the access server. Is this a randomly assigned private key generated by the access server for the client to use as a private key?
<key>
-----BEGIN PRIVATE KEY-----
MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDBx/PBssPOq1G1aHEnQ
-----END PRIVATE KEY-----
</key>
------------------------------------------------------------------------------------------------------------------------------------------------
5) TLS crypt key is used for the encryption and decryption of the TLS handshake on both the server and client? I can find this key on my access server in "/usr/local/openvpn_as/etc/db/.certs.db"
<tls-crypt>
#
# 2048 bit OpenVPN static key (Server Agent)
#
-----BEGIN OpenVPN Static key V1-----
15da800fe2ddb6ec18f9e3fc2ad346d4
</tls-crypt>
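
An added example, not part of the original post: a short Python inventory of a profile laid out like the one above, listing each inline or commented-out block, the PEM header it carries, and whether that header marks secret material. The sample profile is constructed with placeholder bodies, and the function names are this example's own.

```python
import re

# Constructed sample shaped like the posted profile; bodies are placeholders, no END line on the static key.
SAMPLE_PROFILE = """\
# OVPN_ACCESS_SERVER_WEB_CA_BUNDLE_START
# -----BEGIN CERTIFICATE-----
# -----END CERTIFICATE-----
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
PLACEHOLDER
-----END PRIVATE KEY-----
</key>
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
PLACEHOLDER
</tls-crypt>
"""

INLINE_BLOCK = re.compile(r"^<([a-z0-9-]+)>[ \t]*\n(.*?)^</\1>", re.M | re.S)
PEM_BEGIN = re.compile(r"^-----BEGIN ([^-\n]+)-----", re.M)
COMMENTED_BEGIN = re.compile(r"^#[ \t]*-----BEGIN ([^-\n]+)-----", re.M)

def is_secret(label):
    # Private keys and OpenVPN static keys are secrets; certificates are public.
    return bool(label) and ("PRIVATE KEY" in label or label.startswith("OpenVPN Static key"))

def inventory(profile):
    """Return (location, pem_label, is_secret) for each inline or commented-out block."""
    entries = []
    for m in INLINE_BLOCK.finditer(profile):
        header = PEM_BEGIN.search(m.group(2))
        label = header.group(1) if header else None
        entries.append((f"<{m.group(1)}>", label, is_secret(label)))
    for h in COMMENTED_BEGIN.finditer(INLINE_BLOCK.sub("", profile)):
        entries.append(("comment", h.group(1), is_secret(h.group(1))))
    return entries

def secret_blocks(profile):
    return [loc for loc, _, secret in inventory(profile) if secret]
```

Any block reported by `secret_blocks` means the profile file itself has to be stored and transferred as a credential.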