This is the approved revision of this page, as well as being the most recent.
This article provides a guide on how to generate your own TLS certificates and keys for OpenVPN connection that uses TLS authentication. This guide is aimed at Windows users. Step 1: installing OpenVPN software edit edit source The first thing that we'll need to do is install the necessary OpenVPN software.
Introduction[edit | edit source]
Transport Layer Security (TLS) is a cryptographic protocol that provides communications security over a computer network and is also the successor to SSL.
- Oct 20, 2017 All the generated files will now be located in the keys/ subdirectory. Once again, make SURE you copy these in a safe location! You now have all the required keys and certificates to configure your OpenVPN server. If you need additional information, take a look at this excellent tutorial designed for Tomato.-no edit made.
- May 18, 2014 The vars.bat file is a variable file that OpenVPN uses to build the certificates and keys. We must edit some of these variables using a text editor. You can use Microsoft NotePad, but I prefer Notepad. Minimize your command prompt window but don’t close it because we’ll need it again after we edit the vars.bat file.
License key generator free. The TLS protocol aims primarily to provide privacy and data integrity between two communicating computer applications. When secured by TLS, connections between a client and a server have one or more of the following properties:
- The connection is private (or secure) because symmetric cryptography is used to encrypt the data transmitted. The keys for this symmetric encryption are generated uniquely for each connection and are based on a shared secret negotiated at the start of the session. The server and client negotiate the details of which encryption algorithm and cryptographic keys to use before the first byte of data is transmitted. The negotiation of a shared secret is both secure (the negotiated secret is unavailable to eavesdroppers and cannot be obtained, even by an attacker who places themselves in the middle of the connection) and reliable (no attacker can modify the communications during the negotiation without being detected).
- The identity of the communicating parties can be authenticated using public-key cryptography. This authentication can be made optional, but is generally required for at least one of the parties (typically the server).
- The connection ensures integrity because each message transmitted includes a message integrity check using a message authentication code to prevent undetected loss or alteration of the data during transmission.
This article provides a guide on how to generate your own TLS certificates and keys for OpenVPN connection that uses TLS authentication. This guide is aimed at Windows users.
Generating Openvpn Certificates And Keys 2017
Step 1: installing OpenVPN software[edit | edit source]
- The first thing that we'll need to do is install the necessary OpenVPN software. You can download the OpenVPN installer file from here.
Simply run the downloaded file and follow the instructions of the installation guide. - Important note: at one point before the installation begins, you will be prompted to select which components should be included in the installation. Make sure to select EasyRSA as it will be needed later on to generate keys and certificates. You can leave the rest as defaults:
Step 2: preparing EasyRSA[edit | edit source]
Openvpn Generate Server Key
- Now we can start preparing to generate certificates and keys. For this we'll be using the EasyRSA application that was installed along with OpenVPN.
EasyRSA commands have to be executed via the Windows Command Prompt. It can be opened by typing cmd in the Windows search bar (Windows button + S). When you launch it, make sure you run it as administrator: - Change the current directory to the EasyRSA folder. To do so, execute this command:
- Initialize the OpenVPN configuration with the following command:
- Open the vars.bat file with the Notepad text editor:
- This is the template file for generating certificates, i.e., the information stored here will be offered as default values during certificate generation. Locate and edit the following lines in accordance with your needs:
- You can also set the key size for the Diffie Hellman parameters:
- Once you're done, save the file and close the editor
- Run the following commands:
Step 3: generating certificates and keys[edit | edit source]
- Now we can start generating the certificates and keys. Begin with the certificate authority (CA) - the root certificate file that will be used to sign other certificates and keys: NOTE: you can press the 'Enter' key when prompted to enter the values set in the vars.bat file earlier. Doing this will set the values to the default specified in vars.bat. However, you should type in a meaningful Common Name.
- Next, build the server certificate and key: NOTE: once again, don't forget to specify a different Common Name (use the name 'server' for easier management purposes). When prompted the sign and commit the certificate, type y and press 'Enter'.
- Next, build certificates and keys for the clients: TIP: use the same Common Name as the certificate name (Client1 in this example). This will help you differentiate between clients easier. Pick meaningful names like 'toms_PC', 'company_maintenance', etc. Repeat this step as many times as you need, depending on the client quantity.
- Lastly, generate Diffie Hellman parameters:
Retrieved from 'https://wiki.teltonika-networks.com/wikibase/index.php?title=How_to_generate_TLS_certificates_(Windows)%3F&oldid=28690'
It is possible to generate your certificates on the router itself if you don't have access to a Linux machine, or if you don't have a Windows client installed with Easy-RSA. Easy-RSA is a simple to use environment that is bundled with OpenVPN, and has been included in Asuswrt-Merlin.
Setting up the environment
The first step is to initialize your work environment. Ideally this should be done on a USB disk (formatted to ext2, ext3 or ext4 (for ARM-based devices)), but it can be done in /tmp (make sure you DO keep a copy of everything generated there, because it will be lost the next time you reboot the router!). For this example, we will be using a USB disk mounted under /mnt/sda1. First, copy the easy-rsa scripts by running the following command:
setuprsa.sh /mnt/sda1
This will create an easy-rsa folder on your USB disk, and copy all the required scripts there. Then, enter that new directory:
cd /mnt/sda1/easy-rsa
Now step you will probably want to change the default values offered while generating the certificates. Edit the file named 'vars', either through the built-in 'vi' editor (not recommended for novice users), or by installing the 'nano' editor using Optware, or simply by copying the file edited on your computer. The only fields you might want to change are these:
- export KEY_COUNTRY='US'
- export KEY_PROVINCE='CA'
- export KEY_CITY='SanFrancisco'
- export KEY_ORG='Fort-Funston'
- export KEY_EMAIL='[email protected]'
- export [email protected]
- export KEY_CN=changeme
- export KEY_NAME=changeme
- export KEY_OU=changeme
You can also adjust the expiration date for keys if desired. I do not recommend changing the expiration date for the CA, neither the key size - increasing from 1024 bytes will have a performance impact.
Once done, setup the environment by running the script this way:
source ./vars
There, initialize the environment:
./clean-all
Your environment is now ready to be used to generate your certificates.
Generating the certificates
First, you need to generate your Certificate Authority (CA). This will be the 'master' key and certificate, which will be used to sign all client certificates, or revoke their access. Make sure you store this in a safe, secure location (preferably NOT on the router itself!). To generate the CA pair:
./build-ca
The Common Name (CN) is the most important field, as it will be what identifies your router.
Now, we need to build a router key/certificate pair:
./build-key-server server1
Use any name you want instead of 'server1 Generate private key from pem file online. ', but make sure that when asked for the Common Name that you enter the exact same name. When asked to sign and to commit the new certificate, answer 'y' to both questions.
Next, let's build one client key/certificate pair. Same procedure (and once again pay attention to the Common Name, which must match the name you are specifying here instead of client1):
./build-key client1
You can create as many client keypairs as you need. The CA file will be what determines which keys are allowed to connect.
One last thing - we need to generate the Diffie Hellman parameters (DH file), which is used to secure the key exchange between client and router. Run the following command:
./build-dh
This operation can take a minute or two due to the low performance of the router's CPU (compared to a desktop).
All the generated files will now be located in the keys/ subdirectory. Once again, make SURE you copy these in a safe location! You now have all the required keys and certificates to configure your OpenVPN server.
If you need additional information, take a look at this excellent tutorial designed for Tomato.
-no edit made-