5.1.10.5. OpenVPN Certificates Configuration

In the 2SRA use case, the use of OpenVPN as a VPN service requires the use of certificates.

This section shows how to configure a CA for OpenVPN.

5.1.10.5.1. Certificate Authorities (CA) configurations

Generating a CA

It is necessary to have a certificate to associate with the IPsec tunnel that we are going to create in OpenVPN later on. If you already have a Public Key Infrastructure (PKI), you can use your own CA and the server certificates created with it.

If you do not have your own CA or prefer to use a new one, follow these steps:

  1. Access the ON Core via SSH.

  2. Download EasyRSA to /opt and unpack it:

cd /opt
wget -c https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.6/EasyRSA-unix-v3.0.6.tgz
tar xvzf EasyRSA-unix-v3.0.6.tgz

  3. Edit and configure the variables file with the data of your organization:

  • Inside the directory /opt/EasyRSA-v3.0.6/, copy the “vars.example” file to a file named “vars” and make it executable:

cd EasyRSA-v3.0.6/
cp vars.example vars && chmod +x vars
vim vars

  • Edit the newly created “vars” file.

Modify the following parameters with your organization's data:

[Screenshot 2SRA_CA-1: organization parameters in the vars file]

Then modify the expiration time of the CA and of the certificates it issues. Uncomment the following lines and adapt the lifetimes to your needs:

[Screenshot 2SRA_CA-2: CA and certificate expiration lines in the vars file]

Having modified the default data, create your CA by following these steps:

  1. Initialize the PKI environment:

./easyrsa init-pki

[Screenshot: output of ./easyrsa init-pki]

  2. Create your CA. Protect it with a strong password (write it down, as it will be needed in the section “GENERATE A VPN SERVER CERTIFICATE USING THE CA”):

./easyrsa build-ca

It will ask you to enter a password and then a Common Name. In this example the Common Name is VPRW_EMMA:

[Screenshot 2SRA_CA-4: build-ca prompting for the password and the Common Name]

The CA certificate will be available at /opt/EasyRSA-v3.0.6/pki/ca.crt on the server. Copy it to your local machine for later use:

scp root@<IP>:/opt/EasyRSA-v3.0.6/pki/ca.crt <LocalDirectory>

To check that the certificate was created with the parameters you set, use the following command:

openssl x509 -in /opt/EasyRSA-v3.0.6/pki/ca.crt -text -noout
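As an added example (not part of the original guide), the following shell script drives the same procedure non-interactively: it writes the vars file with the set_var keys that vars.example ships commented out (the organization fields and the CA/certificate expiration lines shown in the screenshots above), runs init-pki and build-ca under EasyRSA 3.0.6 in /opt/EasyRSA-v3.0.6, and then automates the openssl check so that the CA flag, the Common Name and the configured lifetime of ca.crt are verified rather than read by eye. The organization values and the VPRW_EMMA Common Name are constructed placeholders.

```shell
#!/bin/sh
# Added example (not part of the guide): build the EasyRSA CA from this section
# non-interactively and confirm ca.crt carries the values set in "vars".
# EASYRSA_DIR matches the guide; organization values are constructed placeholders.
EASYRSA_DIR="${EASYRSA_DIR:-/opt/EasyRSA-v3.0.6}"

# Write a "vars" file using the set_var keys that vars.example ships commented out.
# $1 = path, $2 = CA lifetime (days), $3 = issued-certificate lifetime (days), $4 = CA CN
write_vars() {
    cat > "$1" <<EOF
set_var EASYRSA_REQ_COUNTRY  "ES"
set_var EASYRSA_REQ_PROVINCE "Madrid"
set_var EASYRSA_REQ_CITY     "Madrid"
set_var EASYRSA_REQ_ORG      "Example Org"
set_var EASYRSA_REQ_EMAIL    "pki@example.org"
set_var EASYRSA_REQ_OU       "2SRA"
set_var EASYRSA_REQ_CN       "$4"
set_var EASYRSA_CA_EXPIRE    $2
set_var EASYRSA_CERT_EXPIRE  $3
EOF
}

# init-pki + build-ca as in the guide. --batch skips confirmation prompts and takes the
# CN from EASYRSA_REQ_CN; the CA key passphrase prompt from openssl stays interactive.
build_ca() {
    cd "$EASYRSA_DIR" || return 1
    write_vars vars 3650 825 "$1"
    ./easyrsa --batch init-pki && ./easyrsa --batch build-ca
}

# Automated form of the "openssl x509 -text" check: is it a CA, is the CN right,
# and is it valid for at least $3 more days (-checkend fails if it expires sooner).
verify_ca() {
    crt="$1"; cn="$2"; min_days="$3"
    openssl x509 -in "$crt" -noout -text 2>/dev/null | grep -q 'CA:TRUE' \
        || { echo "$crt: not a CA certificate"; return 1; }
    openssl x509 -in "$crt" -noout -subject | grep -q "CN *= *$cn" \
        || { echo "$crt: CN is not $cn"; return 1; }
    openssl x509 -in "$crt" -noout -checkend $((min_days * 86400)) >/dev/null \
        || { echo "$crt: expires within $min_days days"; return 1; }
    echo "$crt: CA:TRUE, CN=$cn, valid for at least $min_days days"
}

# Usage on the ON Core: build_ca VPRW_EMMA && verify_ca "$EASYRSA_DIR/pki/ca.crt" VPRW_EMMA 3649
```

verify_ca is also a useful pre-flight check for a CA file you are about to register in the CMDB, since a certificate without CA:TRUE or one that is about to expire will not serve the VPN gateway.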

5.1.10.5.2. Registering the CA in the VPNGW CMDB

Once you have created the CA, it must be registered in the backend so that it is available to the VPNGW.

To do so, go to Administration Portal > VPNGW > CMDB > Certificate Authorities.

[Screenshot: Certificate Authorities view in the VPNGW CMDB]

Click the Add new button; the following window is displayed:

[Screenshot: Add new certificate window]

  • Name: a name for the certificate.

  • Certificate: Copy and paste the content of the CA in this field or click on the Select Certificate file button to upload the file with the CA.

Click on Accept to load the CA.

You can also edit and delete certificates using the corresponding buttons located in the top row of this view.