Creating Certificates and Keys for your OpenVPN Server

Introduction

A number of the OpenVPN server setup guides require you to generate your own certificates and keys on your client device. Here, we will describe the steps required to generate these credential files. As you will be creating these credentials on your client device, you will need to ensure that you have all the required programs on your machine. The steps performed in this guide will depend on whether you are using a Mac or Windows machine as your client device.

Mac

We will assume that you are running macOS 10.12 (Sierra) and that you have already installed Xcode and the Command Line Tools.

So that we can create the required certificates, we will need to download Easy-RSA. In a browser, go to https://github.com/OpenVPN/easy-rsa/releases and download the latest .tgz version for your Mac (EasyRSA-*.tgz). We will assume that this file has been downloaded to the /Users/your-account-name/Downloads (or ~/Downloads) directory. The paths below assume version 3.0.1 (EasyRSA-3.0.1); adjust them if you downloaded a newer release. Open this file with the Archive Utility. Now open Terminal (located at /Applications/Terminal.app).

Certificate Information

The certificates used by your OpenVPN server carry information about you and/or your organization. Follow the instructions below to configure those details.

  1. Create a directory to store the keys we will generate for the server:
    mkdir -p ~/Documents/Viscosity/server/keys
  2. Create a directory for the client credentials:
    mkdir -p ~/Documents/Viscosity/client/keys
  3. Copy the vars file to configure the certificate authority parameters:
    cp ~/Downloads/EasyRSA-3.0.1/vars.example ~/Downloads/EasyRSA-3.0.1/vars
  4. Open this file for editing in TextEdit:
    open -a TextEdit ~/Downloads/EasyRSA-3.0.1/vars

The certificates created by the authority carry information about the person or organization using them to help identify the certificates and keys. Scroll down until you see the section:

#set_var EASYRSA_REQ_COUNTRY	"US"
#set_var EASYRSA_REQ_PROVINCE	"California"
#set_var EASYRSA_REQ_CITY	"San Francisco"
#set_var EASYRSA_REQ_ORG	"Copyleft Certificate Co"
#set_var EASYRSA_REQ_EMAIL	"[email protected]"
#set_var EASYRSA_REQ_OU		"My Organizational Unit"
  1. Uncomment all 6 of these lines by deleting the '#' symbol from the start of each line
  2. Modify these details to suit you and/or your organization

Scroll down to the next section until you see:

#set_var EASYRSA_KEY_SIZE        2048
  1. Uncomment this line by deleting the '#' symbol from the start of it
  2. We will use a 2048 bit key, so leave this number unchanged
  3. Save and exit TextEdit

Generating the Server Credentials

Easy-RSA provides a number of scripts that we can use to create our Certificate Authority and our required certificates and keys.

  1. Navigate to the easy-rsa directory:
    cd ~/Downloads/EasyRSA-3.0.1/
  2. Initialize the PKI (Public Key Infrastructure), by typing:
    ./easyrsa init-pki
    this should create a directory ~/Downloads/EasyRSA-3.0.1/pki that will store our certificates and keys.
  3. Create the certificate authority by typing:
    ./easyrsa build-ca nopass
  4. You will be prompted to provide a Common Name for the certificate authority. Enter the name "server" and press ENTER
  5. Copy the certificate authority certificate to your server keys directory:
    cp ~/Downloads/EasyRSA-3.0.1/pki/ca.crt ~/Documents/Viscosity/server/keys/ca.crt

You now have a certificate authority set up and we can move on to creating certificates for your OpenVPN server.

  1. Create the server .crt and .key files by typing:
    ./easyrsa build-server-full server nopass
  2. Copy the server certificate:
    cp ~/Downloads/EasyRSA-3.0.1/pki/issued/server.crt ~/Documents/Viscosity/server/keys/server.crt
  3. Copy the server key:
    cp ~/Downloads/EasyRSA-3.0.1/pki/private/server.key ~/Documents/Viscosity/server/keys/server.key
  4. Now generate the Diffie-Hellman parameters the server uses for key exchange. Be patient, this process can take up to a few minutes:
    ./easyrsa gen-dh
  5. Copy the Diffie-Hellman file:
    cp ~/Downloads/EasyRSA-3.0.1/pki/dh.pem ~/Documents/Viscosity/server/keys/dh2048.pem

Generating the Client Credentials

To connect to your OpenVPN server, you need to create client credentials. We will name our client certificate client1. Feel free to use whatever name you prefer.

  1. Create the client credentials that will be used by Viscosity to connect to the OpenVPN server:
    ./easyrsa build-client-full client1 nopass
  2. Copy the client certificate:
    cp ~/Downloads/EasyRSA-3.0.1/pki/issued/client1.crt ~/Documents/Viscosity/client/keys/client1.crt
  3. Copy the client key:
    cp ~/Downloads/EasyRSA-3.0.1/pki/private/client1.key ~/Documents/Viscosity/client/keys/client1.key
  4. Copy the CA certificate:
    cp ~/Downloads/EasyRSA-3.0.1/pki/ca.crt ~/Documents/Viscosity/client/keys/ca.crt

These client credentials are ready to be loaded by Viscosity to connect to your OpenVPN server. Your server credentials need to be transferred to the server itself. This will depend on the particular type of server you are setting up. Please see our guides for setting up an OpenVPN server.

Windows

We will assume that you are running Windows 10. First you will need to install a copy of Cygwin. We will use Cygwin to run the scripts provided by Easy-RSA. Download and run the setup executable to install it. When prompted to Select Packages, install OpenSSH: type openssh in the search bar, expand the Net drop-down, and click the word Skip on the line "openssh: The OpenSSH server and client programs". The word Skip changes to the version number that will be installed. Now continue with the rest of the Cygwin installation. We will assume that Cygwin has been installed to the directory C:\cygwin64\. Note that directories are separated in Cygwin with forward slashes (/).

You will need to download Easy-RSA so that we can create the required certificates. In a browser, go to https://github.com/OpenVPN/easy-rsa/releases and download the latest .zip version for your PC (EasyRSA-*.zip). We will assume that this file has been downloaded to the C:\Users\your-account-name\Downloads directory. The paths below assume version 3.0.1 (EasyRSA-3.0.1); adjust them if you downloaded a newer release. Once the download is complete, right click on this file and select Extract all. Extract the contents of the archive to C:\Users\your-account-name\Downloads\. Now that we have extracted the contents of this file, we need to open the command window. Type cmd into the Search the web and Windows box in the taskbar and press ENTER. This will open the Command Prompt app.

Certificate Information

The certificates used by your OpenVPN server carry information about you and/or your organization. Follow the instructions below to configure those details.

  1. Create a directory to store the keys we will generate for the server:
    mkdir C:\Users\your-account-name\Documents\Viscosity\server\keys
  2. Create a directory for the client credentials:
    mkdir C:\Users\your-account-name\Documents\Viscosity\client\keys
  3. Copy the vars file to configure the certificate authority parameters:
    copy C:\Users\your-account-name\Downloads\EasyRSA-3.0.1\vars.example C:\Users\your-account-name\Downloads\EasyRSA-3.0.1\vars
  4. Open this file for editing in Wordpad:
    "C:\Program Files\Windows NT\Accessories\wordpad.exe" C:\Users\your-account-name\Downloads\EasyRSA-3.0.1\vars

The certificates created by the authority carry information about the person or organization using them to help identify the certificates and keys. Scroll down until you see the section:

#set_var EASYRSA_REQ_COUNTRY	"US"
#set_var EASYRSA_REQ_PROVINCE	"California"
#set_var EASYRSA_REQ_CITY	"San Francisco"
#set_var EASYRSA_REQ_ORG	"Copyleft Certificate Co"
#set_var EASYRSA_REQ_EMAIL	"[email protected]"
#set_var EASYRSA_REQ_OU		"My Organizational Unit"
  1. Uncomment all 6 of these lines by deleting the '#' symbol from the start of each line
  2. Modify these details to suit you and/or your organization

Scroll down to the next section until you see:

#set_var EASYRSA_KEY_SIZE        2048
  1. Uncomment this line by deleting the '#' symbol from the start of it
  2. We will use a 2048 bit key, so leave this number unchanged
  3. Save and exit Wordpad
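The vars edits in the two Certificate Information sections above (Mac and Windows) can also be made non-interactively, which avoids a missed '#' and the Windows line endings that the Cygwin steps later have to strip. The script below is an added example; it is not part of this guide or of Easy-RSA. It assumes a POSIX sh with awk and tr (Terminal on macOS, or a Cygwin prompt), that vars.example keeps the `#set_var NAME<tab>value` layout shown above, and the organisation details in configure_vars and the sample file in make_sample_vars are constructed values, not the defaults from any real vars.example.

```shell
#!/bin/sh
# Added example (not from the Viscosity guide or Easy-RSA): apply the
# "Certificate Information" edits to Easy-RSA's vars file with awk.
# Assumes POSIX sh, awk and tr, and the `#set_var NAME<tab>value` layout.

# set_easyrsa_var FILE NAME VALUE: uncomment the `#set_var NAME ...` line and
# set its value. Numbers stay bare (EASYRSA_KEY_SIZE); anything else is
# double-quoted, mirroring vars.example. Unrelated lines pass through untouched.
set_easyrsa_var() {
    awk -v name="$2" -v value="$3" '
        ($1 == "#set_var" || $1 == "set_var") && $2 == name {
            printf "set_var %s\t%s\n", name, (value ~ /^[0-9]+$/ ? value : "\"" value "\"")
            next
        }
        { print }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# easyrsa_var FILE NAME: print the active (uncommented) value of NAME, unquoted.
easyrsa_var() {
    awk -v name="$2" '
        $1 == "set_var" && $2 == name {
            sub(/^set_var[ \t]+[^ \t]+[ \t]+/, ""); gsub(/"/, ""); sub(/\r$/, "")
            print; exit
        }' "$1"
}

# strip_cr FILE: drop carriage returns. A vars file saved by a Windows editor has
# CRLF endings, and Easy-RSA then sees values ending in a stray "\r"; this is the
# same fix as the `sed $'s/\r//'` step in the Windows section.
strip_cr() {
    tr -d '\r' < "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# configure_vars FILE: the seven edits the guide asks for, using constructed
# organisation details (replace with your own).
configure_vars() {
    strip_cr "$1"
    set_easyrsa_var "$1" EASYRSA_REQ_COUNTRY  "AU"
    set_easyrsa_var "$1" EASYRSA_REQ_PROVINCE "Queensland"
    set_easyrsa_var "$1" EASYRSA_REQ_CITY     "Brisbane"
    set_easyrsa_var "$1" EASYRSA_REQ_ORG      "Example Org"
    set_easyrsa_var "$1" EASYRSA_REQ_EMAIL    "admin@example.org"
    set_easyrsa_var "$1" EASYRSA_REQ_OU       "IT"
    set_easyrsa_var "$1" EASYRSA_KEY_SIZE     2048
}

# make_sample_vars FILE: a constructed, cut-down vars.example with Windows line
# endings, used only to exercise the functions above without a real download.
make_sample_vars() {
    {
        printf '# Easy-RSA 3 parameter settings (constructed sample)\r\n'
        printf '#set_var EASYRSA_REQ_COUNTRY\t"US"\r\n'
        printf '#set_var EASYRSA_REQ_PROVINCE\t"California"\r\n'
        printf '#set_var EASYRSA_REQ_CITY\t"San Francisco"\r\n'
        printf '#set_var EASYRSA_REQ_ORG\t"Copyleft Certificate Co"\r\n'
        printf '#set_var EASYRSA_REQ_EMAIL\t"someone@example.com"\r\n'
        printf '#set_var EASYRSA_REQ_OU\t\t"My Organizational Unit"\r\n'
        printf '#set_var EASYRSA_KEY_SIZE\t2048\r\n'
        printf '#set_var EASYRSA_CA_EXPIRE\t3650\r\n'
    } > "$1"
}

# Against the real file (Cygwin: C:/Users/your-account-name/Downloads/EasyRSA-3.0.1/vars):
#   configure_vars ~/Downloads/EasyRSA-3.0.1/vars
```

Running configure_vars on the copied vars file replaces steps 1 and 2 of both "Scroll down" lists; the remaining commented lines such as EASYRSA_CA_EXPIRE are left exactly as they were, so the rest of the file still behaves as Easy-RSA's defaults.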

Generating the Server Credentials

Easy-RSA provides a number of scripts that we can use to create our Certificate Authority and our required certificates and keys.

  1. Open a Cygwin prompt:
    C:\cygwin64\bin\mintty.exe -
  2. In the Cygwin prompt, navigate to the easy-rsa directory:
    cd C:/Users/your-account-name/Downloads/EasyRSA-3.0.1/
  3. Remove the Windows line endings (carriage returns) from vars, which would otherwise break the Easy-RSA scripts:
    sed $'s/\r//' -i ./vars
  4. Initialize the PKI (Public Key Infrastructure), by typing:
    ./easyrsa init-pki
    this should create a directory C:/Users/your-account-name/Downloads/EasyRSA-3.0.1/pki that will store our certificates and keys.
  5. Create the certificate authority by typing:
    ./easyrsa build-ca nopass
  6. You will be prompted to provide a Common Name for the certificate authority. Enter the name "server" and press ENTER
  7. Copy the certificate authority certificate to your server keys directory:
    cp C:/Users/your-account-name/Downloads/EasyRSA-3.0.1/pki/ca.crt C:/Users/your-account-name/Documents/Viscosity/server/keys/ca.crt

You now have a certificate authority set up and we can move on to creating certificates for your OpenVPN server.

  1. Create the server .crt and .key files by typing:
    ./easyrsa build-server-full server nopass
  2. Copy the server certificate:
    cp C:/Users/your-account-name/Downloads/EasyRSA-3.0.1/pki/issued/server.crt C:/Users/your-account-name/Documents/Viscosity/server/keys/server.crt
  3. Copy the server key:
    cp C:/Users/your-account-name/Downloads/EasyRSA-3.0.1/pki/private/server.key C:/Users/your-account-name/Documents/Viscosity/server/keys/server.key
  4. Now generate the Diffie-Hellman parameters the server uses for key exchange. Be patient, this process can take up to a few minutes:
    ./easyrsa gen-dh
  5. Copy the Diffie-Hellman file:
    cp C:/Users/your-account-name/Downloads/EasyRSA-3.0.1/pki/dh.pem C:/Users/your-account-name/Documents/Viscosity/server/keys/dh2048.pem

Generating the Client Credentials

To connect to your OpenVPN server, you need to create client credentials. We will name our client certificate client1. Feel free to use whatever name you prefer.

  1. Create the client credentials that will be used by Viscosity to connect to the OpenVPN server:
    ./easyrsa build-client-full client1 nopass
  2. Copy the client certificate:
    cp C:/Users/your-account-name/Downloads/EasyRSA-3.0.1/pki/issued/client1.crt C:/Users/your-account-name/Documents/Viscosity/client/keys/client1.crt
  3. Copy the client key:
    cp C:/Users/your-account-name/Downloads/EasyRSA-3.0.1/pki/private/client1.key C:/Users/your-account-name/Documents/Viscosity/client/keys/client1.key
  4. Copy the CA certificate:
    cp C:/Users/your-account-name/Downloads/EasyRSA-3.0.1/pki/ca.crt C:/Users/your-account-name/Documents/Viscosity/client/keys/ca.crt

These client credentials are ready to be loaded by Viscosity to connect to your OpenVPN server. Your server credentials need to be transferred to the server itself. This will depend on the particular type of server you are setting up. Please see our guides for setting up an OpenVPN server.
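Before transferring the server credentials, it is worth confirming that the files copied in the Mac and Windows sections above fit together: that the client's ca.crt is the same certificate as the server's, that server.crt and client1.crt were issued by that CA, that each .key belongs to its .crt, that the certificates carry the server and client purposes OpenVPN's remote-cert-tls option checks, and that dh2048.pem really holds 2048-bit parameters. The script below is an added example, not part of this guide, Easy-RSA or Viscosity. It assumes the openssl command line tool is available (it ships with macOS and is installed into Cygwin alongside openssh); make_demo_pki and issue_cert are constructed helpers that build a stand-in for Easy-RSA's output with plain openssl so the checks can be run on their own. Note that the CA private key (pki/private/ca.key, left unencrypted by build-ca nopass) is deliberately not among the files checked: the guide never copies it, and it should stay off both the server and the client.

```shell
#!/bin/sh
# Added example (not from the Viscosity guide): sanity-check the Easy-RSA output
# copied into the server/keys and client/keys directories. Assumes openssl.

# same_ca A B: 0 if both files are the same certificate (compared by fingerprint).
same_ca() {
    a=$(openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null) || return 1
    b=$(openssl x509 -in "$2" -noout -fingerprint -sha256 2>/dev/null) || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# issued_by CA CERT: 0 if CERT chains to CA. The ": OK" grep also covers openssl
# builds whose verify subcommand exits 0 on failure.
issued_by() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# key_matches CERT KEY: 0 if KEY is the private half of the public key in CERT.
key_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# has_purpose CERT PURPOSE: 0 if `openssl x509 -purpose` reports "PURPOSE : Yes".
# OpenVPN's remote-cert-tls checks the same extensions, so a server certificate
# without "SSL server" (or a client one without "SSL client") will be rejected.
has_purpose() {
    openssl x509 -in "$1" -noout -purpose 2>/dev/null | grep -q "^$2 : Yes"
}

# verify_credentials SERVER_KEYS_DIR CLIENT_KEYS_DIR: prints the first failing
# check and returns 1; returns 0 only when every check passes.
verify_credentials() {
    srv=$1; cli=$2
    same_ca "$srv/ca.crt" "$cli/ca.crt" || { echo "ca.crt differs between server and client"; return 1; }
    issued_by "$srv/ca.crt" "$srv/server.crt" || { echo "server.crt was not issued by ca.crt"; return 1; }
    issued_by "$cli/ca.crt" "$cli/client1.crt" || { echo "client1.crt was not issued by ca.crt"; return 1; }
    key_matches "$srv/server.crt" "$srv/server.key" || { echo "server.key does not match server.crt"; return 1; }
    key_matches "$cli/client1.crt" "$cli/client1.key" || { echo "client1.key does not match client1.crt"; return 1; }
    has_purpose "$srv/server.crt" "SSL server" || { echo "server.crt lacks the TLS server purpose"; return 1; }
    has_purpose "$cli/client1.crt" "SSL client" || { echo "client1.crt lacks the TLS client purpose"; return 1; }
    openssl dhparam -in "$srv/dh2048.pem" -noout -text 2>/dev/null | grep -q '(2048 bit)' \
        || { echo "dh2048.pem is missing or not 2048 bits"; return 1; }
    echo "all credential checks passed"
}

# issue_cert DIR NAME EKU CRT KEY: constructed helper mimicking build-server-full /
# build-client-full with plain openssl (end-entity certificate, given EKU).
issue_cert() {
    d=$1; name=$2; eku=$3
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
        -keyout "$5" -out "$d/tmp/$name.csr" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=%s\n' \
        "$eku" > "$d/tmp/$name.ext"
    openssl x509 -req -days 365 -in "$d/tmp/$name.csr" -CA "$d/server/keys/ca.crt" \
        -CAkey "$d/tmp/ca.key" -CAcreateserial -CAserial "$d/tmp/ca.srl" \
        -extfile "$d/tmp/$name.ext" -out "$4" 2>/dev/null
}

# make_demo_pki DIR: constructed stand-in for the guide's output, laid out as
# DIR/server/keys/{ca.crt,server.crt,server.key,dh2048.pem} and
# DIR/client/keys/{ca.crt,client1.crt,client1.key}. The CA key stays in DIR/tmp,
# as Easy-RSA keeps it in pki/private and the guide never copies it. The CA
# name "demo-ca" is a constructed choice, not the guide's.
make_demo_pki() {
    d=$1
    mkdir -p "$d/server/keys" "$d/client/keys" "$d/tmp"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=demo-ca" \
        -keyout "$d/tmp/ca.key" -out "$d/server/keys/ca.crt" 2>/dev/null
    issue_cert "$d" server serverAuth "$d/server/keys/server.crt" "$d/server/keys/server.key"
    issue_cert "$d" client1 clientAuth "$d/client/keys/client1.crt" "$d/client/keys/client1.key"
    cp "$d/server/keys/ca.crt" "$d/client/keys/ca.crt"
    # -dsaparam keeps generation fast for the demo; Easy-RSA's gen-dh takes
    # minutes because it searches for a safe prime instead.
    openssl dhparam -dsaparam -out "$d/server/keys/dh2048.pem" 2048 2>/dev/null
}

# Against the guide's directories (use the C:/Users/... paths in a Cygwin prompt):
#   verify_credentials ~/Documents/Viscosity/server/keys ~/Documents/Viscosity/client/keys
```

The most common real-world failure this catches is a client certificate issued by a different PKI than the one whose ca.crt was copied (for example after re-running init-pki, which wipes the old CA): the certificate looks fine on its own, but the server will reject it at the TLS handshake, and issued_by reports the mismatch before any server configuration is touched.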