OpenVPN certificates and keys

How to generate certificates and keys for your OpenVPN server using Easy-RSA for Windows.

First download OpenVPN. The OpenVPN Windows installer also contains Easy-RSA.

Install OpenVPN in the default location (C:/Program Files/OpenVPN).
Make sure you check the “OpenVPN RSA Certificate Management Scripts” option when choosing your components.

Locate the file “vars.bat.sample” (C:/Program Files/OpenVPN/easy-rsa).

Drag the file to your desktop and edit the below parameters using Notepad. Don’t leave any of the below parameters blank.

set KEY_COUNTRY=NO
set KEY_PROVINCE=NO
set KEY_CITY=Oslo
set KEY_ORG=Private
set KEY_EMAIL=mail@domain.no

You may also consider changing “set KEY-SIZE=” from 1024 to 2048.

Drag the file back to the easy-rsa folder (C:/Program Files/OpenVPN/easy-rsa).
The rest of this guide takes place in Command Prompt.
Run Command Prompt as administrator.

Go to the easy-rsa folder by typing the following:

cd /Program Files/OpenVPN/easy-rsa

In the easy-rsa folder, run the following commands:

init-config
vars
clean-all

Now make the Certificate Authority (CA):

build-ca

You can skip through all the prompts except “Common Name” where you have to add a unique name (e.g. ca).

Now make the server certificate and key:

build-key-server server

You can skip through all the prompts except “Common Name” where you have to use a unique name (e.g. server). You also have to say “y” when asked to “Sign the certificate? [y/n]:” and “1 out of 1 certificate requests certified, commit? [y/n]”.

Now make the Diffie-Hellman parameters:

build-dh

Now make some client certificates and keys. You may use generic names such as client1, client2 etc. or specific names such as Jack and Jill. I use the file name as the unique “Common Name”. As for the server certificate, you also need to sign and certify the client certificates when asked.

build-key ClientName1
build-key ClientName2
build-key ClientName3
etc…

You are now done with all the basic certificates and keys.
In your keys folder (C:/Program Files/OpenVPN/easy-rsa/keys) you will have several files.
For your server you will use the following files:

ca.crt (CA Cert)
dh2048.pem (DH PEM)
server.crt (Public Server Cert)
server.key (Private Server Key)

For your clients (e.g. client no. 2) you will use the following files:

ca.crt (CA Cert)
ClientName2.crt
ClientName2.key