5.2.10.5. OpenVPN Certificates Configuration
In the 2SRA use case, OpenVPN requires certificates to operate as the VPN service.
This section shows how to configure a CA for OpenVPN.
5.2.10.5.1. Generating a Certificate authority
You need a certificate to associate with the IPsec tunnel that will be created in OpenVPN later on. If you already have a Public Key Infrastructure (PKI), you can use your own CA and the server certificates created with it.
If you do not have your own CA or prefer to use a new one, follow these steps:
Access the ON Core via SSH.
Download Easy-RSA to /opt and extract it:
cd /opt
wget -c https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.6/EasyRSA-unix-v3.0.6.tgz
tar xvzf EasyRSA-unix-v3.0.6.tgz
Edit and configure the variables file with the data of your organization:
Inside the directory /opt/EasyRSA-v3.0.6/, copy the “vars.example” file to a new file named “vars” and modify its permissions:
cd EasyRSA-v3.0.6/
cp vars.example vars && chmod +x vars
vim vars
Edit the newly created file “vars”.
Modify the following parameters according to your organization:

Then you have to modify the expiration time of the CA and the certificates. You will need to uncomment the following lines and adapt the time according to your needs:

Having modified the default data, create your CA by following these steps:
Initialize the PKI environment:
./easyrsa init-pki

Create your CA: You will need to protect your CA with a strong password (write it down, as it will be needed in the section “GENERATE A VPN SERVER CERTIFICATE USING THE CA”):
./easyrsa build-ca
It will ask you to enter a password and then a Common Name. In this example the Common Name is VPRW_EMMA:

The CA certificate will be available at /opt/EasyRSA-v3.0.6/pki/ca.crt on the server. Copy it locally for later use:
scp root@<IP>:/opt/EasyRSA-v3.0.6/pki/ca.crt <LocalDirectory>
If you want to check that the certificate was created with the parameters used, use the following command:
openssl x509 -in /opt/EasyRSA-v3.0.6/pki/ca.crt -text -noout
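A scripted version of the manual inspection above, as an added example that is not part of the original documentation: it checks the CA certificate's Common Name, CA flag, remaining validity and self-signature, and prints the SHA-256 fingerprint so the copy fetched with scp can be compared with the one on the server. The function names and the 365-day threshold are assumptions.

```shell
#!/bin/sh
# Added example (not from the product documentation). Requires openssl.

# Print the SHA-256 fingerprint so the server copy and the copy fetched
# with scp can be compared before the CA is registered anywhere.
ca_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# check_ca_cert <cert.pem> <expected_common_name> <min_days_valid>
# Returns 0 if every check passes, otherwise a code identifying the failure.
check_ca_cert() {
    cc_cert=$1; cc_cn=$2; cc_days=$3

    # 1. The file must parse as a PEM X.509 certificate.
    openssl x509 -in "$cc_cert" -noout 2>/dev/null ||
        { echo "FAIL: not a PEM certificate: $cc_cert"; return 1; }

    # 2. The subject CN must be the one entered at the build-ca prompt.
    cc_subj=$(openssl x509 -in "$cc_cert" -noout -subject -nameopt RFC2253 |
        sed 's/^subject= *//')
    case ",$cc_subj," in
        *",CN=$cc_cn,"*) ;;
        *) echo "FAIL: unexpected subject: $cc_subj"; return 2 ;;
    esac

    # 3. basicConstraints must mark it as a CA, or certificates it
    #    signs will not validate.
    openssl x509 -in "$cc_cert" -noout -text | grep -q 'CA:TRUE' ||
        { echo "FAIL: certificate is not marked CA:TRUE"; return 3; }

    # 4. It must stay valid for at least <min_days_valid> more days
    #    (the expiration time configured in vars).
    openssl x509 -in "$cc_cert" -noout -checkend $((cc_days * 86400)) >/dev/null ||
        { echo "FAIL: expires within $cc_days days"; return 4; }

    # 5. A root CA is self-signed: it must verify against itself.
    openssl verify -CAfile "$cc_cert" "$cc_cert" >/dev/null 2>&1 ||
        { echo "FAIL: not a valid self-signed root"; return 5; }

    echo "OK: $cc_subj sha256=$(ca_fingerprint "$cc_cert")"
}

# Usage (path and CN from this page; the 365-day threshold is an assumption):
#   check_ca_cert /opt/EasyRSA-v3.0.6/pki/ca.crt VPRW_EMMA 365
```

Run `ca_fingerprint` on both the server file and the local copy; the two values must be identical.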
5.2.10.5.2. Creating a new certificate authority
Once you have created the CA, it must be registered in the backend so that it is available to the VPN. To do so, click the Create new button in the upper-right corner of the main window. It will display the following configuration window.

Name: Certificate name.
Certificate: Copy the certificate in the text field or upload a file with the certificate.
Click on Confirm to load the CA.
Under the three-dot icon at the right end of the certificate row, you can find buttons to edit and delete certificates.