We have been using a pre-shared key — the /etc/openvpn/certs/static.key file — up to this point. But that is impractical for the long term. So let’s turn ourselves into a … Certification Authority!

To make things easier we will use the easy-rsa package.

Installation

(server)_$: apt install easy-rsa

Directory structure

(server)_$: cd /etc/openvpn
(server)_$: make-cadir ca

CA configuration

/etc/openvpn/ca/vars:
---------------------
[...]
export KEY_CONFIG="$EASY_RSA/openssl-1.0.0.cnf"
export KEY_COUNTRY="ES"
export KEY_PROVINCE="Zaragoza"
export KEY_CITY="Zaragoza"
export KEY_ORG="dcere"
export KEY_EMAIL="dcere@example.com"
export KEY_OU="IT"

CA generation

(server)_$: cd /etc/openvpn/ca
(server)_$: source vars
(server)_$: ./clean-all
(server)_$: ./build-ca

Certificate and key generation for the server

We will create the certificate and the key for the server. The argument in the command line will be the Common Name (CN) in the certificate. This is not so important in the server but very important in the clients to configure things in the future.

(server)_$: ./build-key-server server.dcere.com

Diffie-Hellman parameters generation

(server)_$: ./build-dh

Extra security

We will create another key, different to the previous static.key, to strengthen our security.

(server)_$: openvpn --genkey --secret keys/ta.key

Certificate and key generation for clients

Depending on how many certificates you need, it may be more convenient to generate them here on behalf of your clients. Bear in mind that this is not the usual procedure. The usual procedure has the client first generating a certificate signing request, then that certificate signing request is sent to the certification authority which signs it and finally returns a certificate back to the client. We will, however, create the certificate in our CA and then copy the files to the client.

(server)_$: cd /etc/openvpn/ca
(server)_$: source vars
(server)_$: ./build-key desktop.dcere.com

The files for the client will be created in /etc/openvpn/ca/keys.

Certificates for smartphone clients are created the same way:

(server)_$: cd /etc/openvpn/ca
(server)_$: source vars
(server)_$: ./build-key smartphone.dcere.com