OpenVPN certificates and keys
How to generate certificates and keys for your OpenVPN server using Easy-RSA for Windows.
First download OpenVPN. The OpenVPN Windows installer also contains Easy-RSA.
Install OpenVPN in the default location (C:/Program Files/OpenVPN).
Make sure you check the “OpenVPN RSA Certificate Management Scripts” option when choosing your components.
Locate the file “vars.bat.sample” (C:/Program Files/OpenVPN/easy-rsa).
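Drag the file to your desktop and edit the parameters below using Notepad. Do not leave any of them blank.
You may also consider changing “set KEY_SIZE=” from 1024 to 2048. 1024-bit keys are no longer considered strong enough, and the dh2048.pem file listed later in this guide is only produced when the key size is 2048.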
Drag the file back to the easy-rsa folder (C:/Program Files/OpenVPN/easy-rsa).
The rest of this guide takes place in Command Prompt.
Run Command Prompt as administrator.
Go to the easy-rsa folder by typing the following:
cd "C:\Program Files\OpenVPN\easy-rsa"
In the easy-rsa folder, run the following commands:
Now make the Certificate Authority (CA):
You can skip through all the prompts except “Common Name” where you have to add a unique name (e.g. ca).
Now make the server certificate and key:
You can skip through all the prompts except “Common Name”, where you have to use a unique name (e.g. server). You also have to answer “y” when asked “Sign the certificate? [y/n]:” and “1 out of 1 certificate requests certified, commit? [y/n]”.
Now make the Diffie-Hellman parameters:
Now make some client certificates and keys. You may use generic names such as client1, client2, etc. or specific names such as Jack and Jill. I use the file name as the unique “Common Name”. As with the server certificate, you also need to sign and certify the client certificates when asked.
You are now done with all the basic certificates and keys.
In your keys folder (C:/Program Files/OpenVPN/easy-rsa/keys) you will have several files.
For your server you will use the following files:
ca.crt (CA Cert)
dh2048.pem (DH PEM)
server.crt (Public Server Cert)
server.key (Private Server Key)
For your clients (e.g. client no. 2) you will use the following files:
ca.crt (CA Cert)
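Before copying the server files anywhere, it is worth confirming that they actually fit together. The batch script below is an added example, not part of the original guide. It assumes the default install path, that openssl.exe is present in C:\Program Files\OpenVPN\bin, and that the key size was set to 2048.

```batch
@echo off
rem Added example, not part of the original guide: sanity checks on the generated files.
rem Assumptions: default install path, openssl.exe in the OpenVPN bin folder,
rem and the file names ca.crt / server.crt / server.key / dh2048.pem listed above.
setlocal
set "PATH=C:\Program Files\OpenVPN\bin;%PATH%"
cd /d "C:\Program Files\OpenVPN\easy-rsa\keys" || exit /b 1
set FAIL=0

rem 1. server.crt must chain to ca.crt. Match the "OK" text instead of trusting
rem    the exit code, which older OpenSSL builds do not set reliably.
openssl verify -CAfile ca.crt server.crt | findstr /C:": OK" >nul
if errorlevel 1 (echo FAIL: server.crt is not signed by ca.crt & set FAIL=1)

rem 2. server.key must belong to server.crt: both carry the same RSA modulus.
set "CERTMOD="
set "KEYMOD="
for /f "delims=" %%A in ('openssl x509 -noout -modulus -in server.crt') do set "CERTMOD=%%A"
for /f "delims=" %%A in ('openssl rsa -noout -modulus -in server.key') do set "KEYMOD=%%A"
if not defined CERTMOD (echo FAIL: could not read server.crt & set FAIL=1)
if not "%CERTMOD%"=="%KEYMOD%" (echo FAIL: server.key does not match server.crt & set FAIL=1)

rem 3. Key sizes: a certificate or DH file that is not 2048 bits means KEY_SIZE
rem    was not changed before the build.
openssl x509 -noout -text -in server.crt | findstr /C:"(2048 bit)" >nul
if errorlevel 1 (echo FAIL: server.crt key is not 2048 bits & set FAIL=1)
openssl dhparam -noout -text -in dh2048.pem | findstr /C:"(2048 bit)" >nul
if errorlevel 1 (echo FAIL: dh2048.pem is missing or not 2048 bits & set FAIL=1)

rem 4. Show who can read the private key; review the ACL by hand.
icacls server.key

if %FAIL%==0 (echo All checks passed.) else (echo One or more checks failed.)
exit /b %FAIL%
```

Save it as a .bat file and run it from the same administrator Command Prompt. The same checks apply to a client pair by substituting that client's .crt and .key file names.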