OpenVPN certificates and keys
How to generate certificates and keys for your OpenVPN server using Easy-RSA for Windows.
First download OpenVPN. The OpenVPN Windows installer also contains Easy-RSA.
Install OpenVPN in the default location (C:/Program Files/OpenVPN).
Make sure you check the “OpenVPN RSA Certificate Management Scripts” option when choosing your components.
Locate the file “vars.bat.sample” (C:/Program Files/OpenVPN/easy-rsa).
Drag the file to your desktop and edit the parameters below in Notepad. Don’t leave any of them blank.
set KEY_COUNTRY=NO
set KEY_PROVINCE=NO
set KEY_CITY=Oslo
set KEY_ORG=Private
set KEY_EMAIL=mail@domain.no
You may also consider changing “set KEY_SIZE=” from 1024 to 2048.
Drag the file back to the easy-rsa folder (C:/Program Files/OpenVPN/easy-rsa).
The rest of this guide takes place in Command Prompt.
Run Command Prompt as administrator.
Go to the easy-rsa folder by typing the following:
cd /Program Files/OpenVPN/easy-rsa
In the easy-rsa folder, run the following commands:
init-config
vars
clean-all
Now make the Certificate Authority (CA):
build-ca
You can skip through all the prompts except “Common Name” where you have to add a unique name (e.g. ca).
Now make the server certificate and key:
build-key-server server
You can skip through all the prompts except “Common Name” where you have to use a unique name (e.g. server). You also have to say “y” when asked to “Sign the certificate? [y/n]:” and “1 out of 1 certificate requests certified, commit? [y/n]”.
Now make the Diffie-Hellman parameters:
build-dh
Now make some client certificates and keys. You may use generic names such as client1, client2 etc. or specific names such as Jack and Jill. I use the file name as the unique “Common Name”. As with the server certificate, you also need to sign and commit the client certificates when asked.
build-key ClientName1
build-key ClientName2
build-key ClientName3
etc…
You are now done with all the basic certificates and keys.
In your keys folder (C:/Program Files/OpenVPN/easy-rsa/keys) you will have several files.
For your server you will use the following files:
ca.crt (CA Cert)
dh2048.pem (DH parameters; the number follows KEY_SIZE, so a run with the default 1024 writes dh1024.pem instead)
server.crt (Public Server Cert)
server.key (Private Server Key)
For your clients (e.g. client no. 2) you will use the following files:
ca.crt (CA Cert)
ClientName2.crt
ClientName2.key
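Before copying any of these files to a server or a client it is worth checking what Easy-RSA actually produced. The batch file below is an added example written for this guide; it is not part of OpenVPN or Easy-RSA. It assumes the default install folder used throughout the guide, the openssl.exe that the OpenVPN installer places in C:\Program Files\OpenVPN\bin, and the placeholder client names ClientName1 to ClientName3 from the commands above.

```batch
@echo off
REM check-keys.bat - sanity checks on the files Easy-RSA just wrote.
REM Added example for this guide, not part of OpenVPN or Easy-RSA.
REM Assumed paths: the default install location used throughout the guide,
REM and the openssl.exe that the OpenVPN installer places in its bin folder.
setlocal
set "OPENSSL=C:\Program Files\OpenVPN\bin\openssl.exe"
set "KEYS=C:\Program Files\OpenVPN\easy-rsa\keys"

echo --- 1. Each issued certificate must verify against ca.crt
for %%F in (server.crt ClientName1.crt ClientName2.crt ClientName3.crt) do (
    if exist "%KEYS%\%%F" "%OPENSSL%" verify -CAfile "%KEYS%\ca.crt" "%KEYS%\%%F"
)

echo --- 2. Subject, validity and key size of the CA and server certificates
echo     A blank field in vars.bat or KEY_SIZE left at 1024 shows up here.
for %%F in (ca.crt server.crt) do (
    echo [%%F]
    "%OPENSSL%" x509 -in "%KEYS%\%%F" -noout -subject -dates
    "%OPENSSL%" x509 -in "%KEYS%\%%F" -noout -text | findstr /C:"Public-Key" /C:"Public Key"
)

echo --- 3. server.crt must carry the server extensions that build-key-server adds
echo     Clients configured with remote-cert-tls server reject a certificate without them.
"%OPENSSL%" x509 -in "%KEYS%\server.crt" -noout -text | findstr /C:"SSL Server" /C:"TLS Web Server Authentication"

echo --- 4. server.key must belong to server.crt: the two digests below must be identical
"%OPENSSL%" x509 -in "%KEYS%\server.crt" -noout -modulus | "%OPENSSL%" md5
"%OPENSSL%" rsa -in "%KEYS%\server.key" -noout -modulus | "%OPENSSL%" md5

echo --- 5. The DH file the server will reference must exist
if exist "%KEYS%\dh2048.pem" (echo dh2048.pem present) else (echo dh2048.pem missing: check KEY_SIZE in vars.bat, a 1024-bit run writes dh1024.pem)
endlocal
```

Save it as check-keys.bat and run it from the same administrator Command Prompt. Every line from step 1 should end in OK, step 2 should show the values you put in vars.bat and the key size you chose, step 3 should print both extension lines for the server certificate, and the two digests in step 4 must match. In the OpenVPN configuration the four server files correspond to the ca, cert, key and dh directives, and the three client files to ca, cert and key.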