Download and install OpenVPN from http://www.openvpn.net/release/openvpn-2.1.3-install.exe
Preparatory Steps
- Navigate to the "C:\Program Files\OpenVPN\easy-rsa" folder or, if you are on x64, the "C:\Program Files (x86)\OpenVPN\easy-rsa" folder in the command prompt:
- Press Windows Key + R
- Type "cmd.exe" and press Enter.
cmd.exe
- Navigate to the correct folder for your system. On a 32-bit system:
cd "C:\Program Files\OpenVPN\easy-rsa"
- On a 64-bit (x64) system:
cd "C:\Program Files (x86)\OpenVPN\easy-rsa"
- Initialize the OpenVPN configuration:
init-config
- NOTE: Only run init-config once, during installation.
- Open the vars.bat file in a text editor:
notepad vars.bat
- Edit the following lines in vars.bat, replacing "US", "CA," etc. with your company's information:
set KEY_COUNTRY=US
set KEY_PROVINCE=CA
set KEY_CITY=SanFrancisco
set KEY_ORG=OpenVPN
set KEY_EMAIL=mail@host.domain
- Save the file and exit notepad.
- Run the following commands. BE CAREFUL: this will remove all certificates from the keys directory.
vars
clean-all
Building Certificate Authority
- The certificate authority (CA) certificate and key: Run the following command and it will create the ca.crt and ca.key files in the keys directory.
build-ca
- When prompted, enter your country, etc. These will have default values, which appear in brackets. For your "Common Name," a good choice is to pick a name to identify your company's Certificate Authority. For example, "OpenVPN-CA":
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [SanFrancisco]:
Organization Name (eg, company) [OpenVPN]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:OpenVPN-CA
Email Address [mail@host.domain]:
Building Server Certificates
- The server certificate and key: Run the following command and it will create the server1.crt and server1.key files in the keys directory.
build-key-server server1
- When prompted, enter the "Common Name" as "server1"
- When prompted to sign the certificate, enter "y"
- When prompted to commit, enter "y"
- If you have multiple servers, you can create additional server certificates with the same command:
build-key-server server2
- Generate Diffie Hellman parameters (this is necessary to set up the encryption). This creates the dh1024.pem file:
build-dh
Building Client Certificates
- Client certificates and keys: This will create the mike-laptop.crt and mike-laptop.key files in the keys directory.
- For each client, choose a name to identify that computer, such as "mike-laptop" in this example.
build-key mike-laptop
- When prompted, enter the "Common Name" as the name you have chosen (e.g. "mike-laptop")
- Repeat this step for each client computer that will connect to the VPN.
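A check to run after the last step, as an added example that is not part of the original article: it confirms that each generated certificate was issued by ca.crt and that each private key belongs to its certificate. It assumes it is run from the easy-rsa folder, that openssl.exe is on the PATH, and that the names server1 and mike-laptop from the steps above were used.

```batch
@echo off
rem Added example, not part of the original article.
rem Assumptions: current folder is easy-rsa, openssl.exe is on the PATH,
rem and the certificate names are the ones used in the steps above.
rem Check 1: each certificate must chain to the CA made by build-ca.
rem          The output text is matched because old openssl builds can
rem          return exit code 0 even when verification fails.
rem Check 2: each private key must have the same RSA modulus as its
rem          certificate, otherwise the pair cannot be used together.
setlocal enabledelayedexpansion
set "KEYS=keys"
set "FAIL=0"

if not exist "%KEYS%\ca.crt" (
    echo MISSING: %KEYS%\ca.crt
    exit /b 1
)

for %%N in (server1 mike-laptop) do (
    if not exist "%KEYS%\%%N.crt" (
        echo MISSING: %KEYS%\%%N.crt
        set "FAIL=1"
    ) else (
        openssl verify -CAfile "%KEYS%\ca.crt" "%KEYS%\%%N.crt" | findstr /c:": OK" >nul
        if errorlevel 1 (
            echo FAIL: %%N.crt was not issued by ca.crt
            set "FAIL=1"
        )
        set "CRTMOD="
        set "KEYMOD="
        for /f "delims=" %%M in ('openssl x509 -noout -modulus -in "%KEYS%\%%N.crt"') do set "CRTMOD=%%M"
        for /f "delims=" %%M in ('openssl rsa -noout -modulus -in "%KEYS%\%%N.key"') do set "KEYMOD=%%M"
        if not defined CRTMOD (
            echo FAIL: could not read %%N.crt
            set "FAIL=1"
        ) else if not "!CRTMOD!"=="!KEYMOD!" (
            echo FAIL: %%N.key does not match %%N.crt
            set "FAIL=1"
        ) else (
            echo OK: %%N.crt and %%N.key
        )
    )
)

if "%FAIL%"=="0" (echo All checks passed.) else (echo One or more checks failed.)
exit /b %FAIL%
```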