Openvpn access server config import
Pick a number that makes sense to you, and for your application. But I don’t want them to last indefinitely either. For my home network, I don’t want to keep having to issue certificates every year, and reinstalling them. There’s a balance between security and usability in terms of setting an expatriation length. If you check no well-defined expiration the certificates will remain valid effectively indefinitely. It’s useful here to set a time range if you want the certificates to be valid for more than a year by default. OpenVPN Server, and OpenVPN Client are good names, but anything will do. You’ll need to setup 2 templates, one or the server certificate and one for the client certificates. Set the Internal Name value to what you want to call the template.
OpenVPN only cares about the commonName parameter, but that has to be set specifically and differently for each client certificate. On the first tab we can setup subject related parameters. This will pop up a window asking what preset template value to start with.
#Openvpn access server config import plus#
Plus there are some things we might not want to have to fill in all the time too.
OpenVPN requires that the certificates have certain key usage paramters set for either client or server usage. digital signature, web client auth, web server auth, etc.). TLS certificates have various parameters that dictate what they can be used for (i.e. You can download XCA from their official project page at: īefore you get started, you should change the default hashing algorithm from SHA1 to SHA256. And I find it far more convenient to use than OpenSSL since I can point and click my way through what I need to get done. XCA is a cross platform graphical key and certificate management tool.
#Openvpn access server config import how to#
Most OpenVPN guides tell you how to do this using OpenSSL and it’s associated long cryptic commands. I like my method better. To do this you need to setup a certificate authority and sign and issue your own certificates. TLS certificates are the preferred way if you can manage them, as they make it possible to revoke access to devices without having to change the shared secret for every other device. There are two ways to setup client auth in OpenVPN, a shared secret and TLS certificates. So I figured it out again, and this time I’m writing it down. Then my certs expired, and I’d forgotten what to do. I did this a couple of years ago, with certificates that had a 1 year expiry date.