To start with OpenVPN 2.x in server/client mode, you have to generate SSL keys and certificates for those keys. The table below shows which keys and certificates are needed on which system.

Table 7.1. OpenVPN keys and certificates

OpenVPN Server     | OpenVPN Client
-------------------|-------------------
CA certificate     | CA certificate
Server key         | Client key
Server certificate | Client certificate
If you don't have your own CA, the next sections describe how to make one and how to generate the necessary keys and certificates.

If you already have your own key generation and CA environment, you can use it to generate the keys and certificates for the server and the client(s) and install them manually into the directory defined in the configuration file. The only step you still need to perform with the tools described below is the generation of the Diffie-Hellman parameters.
The package easyrsa.lrp provides you with the necessary scripts to do this part of the configuration. For this demo four steps are necessary:

1. Configure key generation
2. Build your own Root Certificate Authority (CA) key and certificate
3. Build the server key and certificate
4. Build the client key(s) and certificate(s)
Edit /etc/easy-rsa/vars and change the settings as needed. You should only need to change the values for KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG and KEY_EMAIL. Optionally you can change the KEY_SIZE to a greater value.
Change directory into /etc/easyrsa and source the vars file:

. /etc/easyrsa/vars

(this means: dot, blank, /etc/easyrsa/vars). This exports the new settings into your environment variables. If you are building the keys for the first time, also run the command clean-all.
With build-ca the ca.crt and ca.key will be built in your KEY_DIR directory.
This step is necessary for the server end of an SSL/TLS connection: run build-dh to generate the Diffie-Hellman parameters.
The server certificate is built with the build-key-server script. It takes the server name as its parameter, and this name has to be the same as the Common Name you enter when prompted.
You will be asked whether to sign the certificate with your CA key; respond "y".
To save your setup and keys, back up openvpnz.lrp.
The last step is to build and sign the client keys.
To do so, run the build-key script with the client name as its parameter. Enter the same name when you are asked for the "Common Name" during key generation. Again, sign the certificates when prompted.
Transfer the generated and signed client certificate and key (foo.crt, foo.key) together with the generated ca.crt to your client(s) over a secure channel.