OpenVPN mini-guides: Certificates

In this mini-howto, I’m going to show how to generate Certificates for use with OpenVPN.

It's part of a series of posts that will hopefully include:
Configuring a Mikrotik RouterOS router as a Server
Configuring a Mikrotik RouterOS router as a Client
Configuring a Linux machine as a Client
Configuring a DD-WRT router as a Client

And Tomtom will be working with me to produce instructions on connecting to the server from an iPod Touch, iPhone and Nokia N900.

So, let's begin…

All the certificates that we generate, for the server and the clients, need to be signed by the same Certificate Authority (CA), so the CA is created first.
Then, we can generate the server and client certificates and sign them with it.

Generating Certificates

Thankfully, there's an easy-to-use set of scripts that comes with the Linux OpenVPN packages, called easy-rsa. So you'll first need a Debian/Ubuntu machine to follow this howto.

First, install OpenVPN on a Linux machine.

sudo apt-get install openvpn

Then, let's copy the easy-rsa scripts to somewhere useful and easier to remember, and create a directory where we'll store the certificates and keys.

sudo mkdir /etc/openvpn/{easy-rsa,keys}
sudo cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa

Then, change to the /etc/openvpn/easy-rsa directory and edit the configuration files.

cd /etc/openvpn/easy-rsa
sudo vi vars

Edit the file, changing a few of the variables as below:

export EASY_RSA="/etc/openvpn/easy-rsa"
export KEY_DIR="/etc/openvpn/keys"

If you want, you can change the values for KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG and KEY_EMAIL to values that make sense for your setup. Now, since vars sets environment variables and the keys directory is owned by root, open a root shell and source the file in it.

sudo bash
source vars

Sourcing vars prints a warning that ./clean-all will do an rm -rf on KEY_DIR (/etc/openvpn/keys). Take careful notice of that warning. You should only run clean-all ONCE, and this is the time you're going to do it; running it again later would wipe your CA and every certificate you have issued.

./clean-all
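Because a second clean-all wipes the whole PKI, it is worth putting a guard in front of it. The following is an added example, not part of the original guide or of easy-rsa itself: it assumes the easy-rsa 2.0 layout used above (KEY_DIR exported by vars) and refuses to proceed if KEY_DIR already holds keys, certificates or the index.txt database.

```shell
#!/bin/sh
# Added example, not part of the original guide or of easy-rsa: a guard to run
# before ./clean-all so an existing PKI is never wiped by accident.
# Assumes the easy-rsa 2.0 layout from the guide ($KEY_DIR exported by 'vars').
set -e

# guard_clean_all DIR
# Returns 0 when DIR is missing or contains no PKI material (safe to initialise),
# 1 when it already holds keys, certificates or index.txt (clean-all would
# rm -rf them).  Uses shell globs only, so it runs under plain POSIX sh.
guard_clean_all() {
    dir="$1"
    [ -d "$dir" ] || return 0
    for f in "$dir"/*.key "$dir"/*.crt "$dir"/index.txt; do
        [ -e "$f" ] || continue
        echo "refusing to clean $dir: found $f (clean-all would rm -rf the directory)" >&2
        return 1
    done
    return 0
}

# Usage inside /etc/openvpn/easy-rsa, after 'source vars':
#   guard_clean_all "$KEY_DIR" && ./clean-all
```

The guard deliberately checks for any key or certificate rather than only ca.key: a keys directory that holds client material but has lost its CA is still something you want to notice rather than silently erase.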

That's all that's needed to set up the easy-rsa scripts.
Let's get on with generating the keys.
First, the CA (Certificate Authority):

./pkitool --initca

Next, we generate the Certificate for the OpenVPN Server.

./pkitool --server ovpn-server

Then, for each client, you generate a uniquely named client certificate.

./pkitool client1

Repeat for each client, using a different name every time.

If you want to come back later in a few days to generate a new certificate for a new client, here’s a quick list of commands to do that.

sudo bash
cd /etc/openvpn/easy-rsa
source vars
./pkitool client99

Copying certificates to the RouterOS OpenVPN Server.
Using whatever means you prefer, copy the ca.crt, ovpn-server.crt and ovpn-server.key to your RouterOS router.
I prefer using scp.

scp ca.crt ovpn-server.crt ovpn-server.key admin@<IP of Router>:.

Then, on the RouterOS Router, you should import these certificates.

/certificate import=ca.crt
/certificate import=ovpn-server.crt
/certificate import=ovpn-server.key

You may want to rename the entries to something you’ll understand, since they’ll be named cert1 and cert2 by default.

For your clients, you'll need ca.crt, clientX.crt and clientX.key.

NEVER distribute ca.key, not even to your OpenVPN Server.
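Before a client bundle leaves the CA machine, three things are worth checking: that the certificate really chains to ca.crt, that the private key belongs to that certificate, and that the bundle contains only ca.crt, clientX.crt and clientX.key (never ca.key, and not the server's key either). The script below is an added example, not part of the original guide or of easy-rsa; it builds a constructed throwaway CA, server and client certificate with plain openssl in a temporary directory (standing in for the easy-rsa output in /etc/openvpn/keys) and then runs those checks with openssl verify and a public-key comparison. The function names and the demo directory are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original guide or of easy-rsa.  Builds a
# constructed demo PKI with plain openssl, then runs the checks worth doing
# before a client bundle is handed out:
#   1. the certificate chains to ca.crt
#   2. the private key matches the certificate
#   3. the bundle holds only ca.crt, clientX.crt and clientX.key, never ca.key
set -e

# make_demo_pki DIR: ca.crt/ca.key, ovpn-server.crt/.key, client1.crt/.key
# (same names as the guide, but generated with openssl instead of pkitool).
make_demo_pki() {
    d="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Demo-CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" >/dev/null 2>&1
    for name in ovpn-server client1; do
        openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" \
            -keyout "$d/$name.key" -out "$d/$name.csr" >/dev/null 2>&1
        openssl x509 -req -in "$d/$name.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
            -CAcreateserial -days 365 -out "$d/$name.crt" >/dev/null 2>&1
    done
}

# check_chain CA.crt CERT.crt: does CERT chain to CA?
check_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# check_keypair CERT.crt KEY.key: does the key belong to the certificate?
# Compares the SHA-256 of the public key derived from each side.
check_keypair() {
    cert_pub="$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null | openssl sha256)"
    key_pub="$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)"
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# bundle_is_clean DIR CLIENT: only ca.crt, CLIENT.crt and CLIENT.key allowed.
bundle_is_clean() {
    dest="$1"; client="$2"
    for f in "$dest"/*; do
        case "$(basename "$f")" in
            ca.key) echo "ca.key in bundle $dest: the CA key must never be distributed" >&2; return 1 ;;
            ca.crt|"$client.crt"|"$client.key") ;;
            *) echo "unexpected file in bundle $dest: $(basename "$f")" >&2; return 1 ;;
        esac
    done
    return 0
}

# build_bundle SRC CLIENT DEST: copy the three client files and verify them.
build_bundle() {
    src="$1"; client="$2"; dest="$3"
    mkdir -p "$dest"
    cp "$src/ca.crt" "$src/$client.crt" "$src/$client.key" "$dest/"
    chmod 600 "$dest/$client.key"
    check_chain "$dest/ca.crt" "$dest/$client.crt" &&
        check_keypair "$dest/$client.crt" "$dest/$client.key" &&
        bundle_is_clean "$dest" "$client"
}

# expect ok|fail LABEL CMD...: run CMD and report whether it met expectations.
expect() {
    want="$1"; label="$2"; shift 2
    if "$@" 2>/dev/null; then got=ok; else got=fail; fi
    if [ "$got" = "$want" ]; then echo "ok   $label"; else echo "FAIL $label"; fi
}

# Run the demo end to end in a temporary directory.
DEMO="$(mktemp -d)"
make_demo_pki "$DEMO"
expect ok   "ovpn-server.crt chains to ca.crt"      check_chain "$DEMO/ca.crt" "$DEMO/ovpn-server.crt"
expect ok   "client1.crt chains to ca.crt"          check_chain "$DEMO/ca.crt" "$DEMO/client1.crt"
expect ok   "client1.key matches client1.crt"       check_keypair "$DEMO/client1.crt" "$DEMO/client1.key"
expect fail "ovpn-server.key rejected for client1"  check_keypair "$DEMO/client1.crt" "$DEMO/ovpn-server.key"
expect ok   "client1 bundle built and clean"        build_bundle "$DEMO" client1 "$DEMO/bundle-client1"
cp "$DEMO/ca.key" "$DEMO/bundle-client1/"
expect fail "bundle with ca.key rejected"           bundle_is_clean "$DEMO/bundle-client1" client1
rm -rf "$DEMO"
```

Against a real easy-rsa tree the same functions work unchanged: point check_chain at /etc/openvpn/keys/ca.crt and the client certificate, and run build_bundle from /etc/openvpn/keys into a staging directory that is then copied to the client.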