Using Vault for your OpenVPN PKI

Posted on Aug. 29, 2020 in Sysadmin


Creating client and server certificates using Vault's PKI backend makes OpenVPN setup even easier

Edit: As with most of my posts, I solicit feedback from fellow sysadmins soon after I publish to make sure that any typos, misconfigurations, or accidentally pasted-in passwords/configs that would compromise my own security (a lot of my posts follow examples of things I've already set up for my own use) get rectified. I am human, after all. When doing so for this post, a good friend, Brent, pointed out that I was missing some key components of properly issuing SSL certs for OpenVPN clients and servers. Primarily, the certificate purposes and extended key usages were not set properly. Vault also uses 2048-bit RSA keys by default, but 4096 is a better choice. I've updated the post accordingly, and feel it better reflects a secure deployment, similar in design to what easy-rsa would produce "out of the box." Even though the purpose of this post is to demonstrate how you CAN use Vault to operate a PKI for OpenVPN servers and clients, I think it's important to provide as complete an example as I can that at least meets minimum security requirements. You would be best served by consulting other resources for security best practices, as they change often with regard to things like issuing certs, the best cipher suites to use, etc. One such guide is provided by OpenVPN themselves, called Hardening OpenVPN Security. Also note that some of the restrictions placed on a pki role in Vault, like those relating to common names, subdomains, allowing localhost, etc., are deployment-dependent, so I recommend you decide on those options for yourself rather than just copy-pasting what I've done. The entire PKI API is documented on Vault's website in great detail.

If you've followed any of my previous posts, you know I've turned up a personal instance of Vault. This is awesome because I use it to store passwords and such, but it's even cooler because it's how I'm managing certificates for my OpenVPN server and clients now! Why is this beneficial? Well, there's always easy-rsa - and I highly recommend using it if you don't have Vault at your disposal - but if I've already got Vault set up, why not use it?! I can easily manage my certs through the web interface or using any of the other access methods for Vault, some of which are super easy to use programmatically. I'm going to focus on using the Vault CLI tool here to set up my PKI, as that will be the easiest for someone else to copy-paste, but use whatever method suits you. For the purposes of this post, I will assume you've already read Build Your Own CA from Hashicorp, and as such, I'm not going to generate a root CA; I'll just begin with creating a new intermediate JUST to be used with OpenVPN. For one last, quick note - in a corporate environment or wherever resources allow, you really want to air gap your root CA from any intermediates. The best I can do with a single Vault instance I use just for me is make sure that the user account used to access the root CA can't also access and manage the intermediate(s). You can assume that's what I've done here, though it won't be very obvious from any of my screenshots or other examples. Oh, one last note - you should set up your DNS for the OpenVPN server if you haven't already.

Setting up a Vault-specific Intermediate

Again, just to reiterate, I am assuming here you've already set up your root CA and know more or less how to sign intermediates in Vault. First, we have to enable the new pki backend. I always name any PKI backends pki_* in my Vault deployments so that I can easily use globbing when creating policy. Obviously, if you don't want to give users blanket access to all PKI backends, this is less important.

$ vault secrets enable -path=pki_ovpn pki
Success! Enabled the pki secrets engine at: pki_ovpn/

Next, let's make sure we can issue certs for 5 years. You can change this value to whatever you think is sane. Truth be told, that's about as often as I re-roll my OpenVPN server myself:

$ vault secrets tune -max-lease-ttl=43800h pki_ovpn
Success! Tuned the secrets engine at: pki_ovpn/

Next, we have to actually generate a CSR for the intermediate which we then pass to our root. Make sure you actually have jq installed before you run the following. This will save the CSR to a file so we can pass it to our root in the next step:

$ vault write -format=json pki_ovpn/intermediate/generate/internal \
        common_name="vpn.jthan.io Intermediate Authority" \
        | jq -r '.data.csr' > pki_intermediate.csr

$ vault write -format=json pki/root/sign-intermediate csr=@pki_intermediate.csr \
        format=pem_bundle ttl="43800h" \
        | jq -r '.data.certificate' > intermediate.cert.pem

Lastly, we want to set our signed certificate for the intermediate using the file we just created in the previous command:

$ vault write pki_ovpn/intermediate/set-signed certificate=@intermediate.cert.pem
Success! Data written to: pki_ovpn/intermediate/set-signed

Now, like a lot of things in Vault, we're going to create a few roles that we later use to issue certificates from our new intermediate. The following assumes you're going to make up "dummy" names within your domain for all of your VPN clients. Use the most appropriate options for your deployment in terms of common names, subdomains, etc. At a minimum, though, we're going to need two roles - one to issue a cert to our server (or servers), and one to issue certs to our clients. The reason is that the extended key usage differs between the two, as does the client/server distinction in the certificate purposes. First, I create the server role, then the client role:

$ vault write pki_ovpn/roles/jthanio_server \
allowed_domains="jthan.io" \
allow_subdomains=true \
max_ttl="43800h" \
key_bits="4096" \
key_type="rsa" \
allow_any_name=false \
allow_bare_domains=false \
allow_glob_domains=false \
allow_ip_sans=true \
allow_localhost=false \
client_flag=false \
server_flag=true \
enforce_hostnames=true \
key_usage="DigitalSignature,KeyEncipherment" \
ext_key_usage="ServerAuth" \
require_cn=true

Success! Data written to: pki_ovpn/roles/jthanio_server

$ vault write pki_ovpn/roles/jthanio_client \
allow_subdomains=true \
max_ttl="43800h" \
key_bits="4096" \
key_type="rsa" \
allow_any_name=true \
allow_bare_domains=false \
allow_glob_domains=false \
allow_ip_sans=false \
allow_localhost=false \
client_flag=true \
server_flag=false \
enforce_hostnames=false \
key_usage="DigitalSignature" \
ext_key_usage="ClientAuth" \
require_cn=true

Success! Data written to: pki_ovpn/roles/jthanio_client
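
Because the whole point of two roles is that a client role can never mint a server cert and vice versa, it is worth checking the role documents after you write them rather than trusting the long command line. The following is an added example, not code from the original post: it lints the `data` object that `vault read -format=json pki_ovpn/roles/<name>` returns against the server/client split described above. The two sample role documents mirror the jthanio_server and jthanio_client roles; the third is a constructed, sloppy role that collapses the split, and the mount max TTL of 43800h is the value tuned earlier.

```python
"""Lint Vault PKI role definitions for the OpenVPN server/client split.

Added example (not from the original post): checks the `data` object that
`vault read -format=json pki_ovpn/roles/<name>` returns. The sample role
documents below are constructed to mirror the post's roles.
"""
import re

DURATION_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}
MOUNT_MAX_TTL_SECONDS = 43800 * 3600  # the max-lease-ttl tuned on pki_ovpn


def ttl_seconds(value):
    """Vault returns TTLs as integer seconds in recent versions and as strings
    like "43800h" in older ones; accept both."""
    if isinstance(value, int):
        return value
    match = re.fullmatch(r"(\d+)([smhd])", str(value).strip())
    if not match:
        raise ValueError(f"unparseable TTL: {value!r}")
    return int(match.group(1)) * DURATION_UNITS[match.group(2)]


def lint_role(role, kind):
    """Return a list of findings for one role document; empty means it passes.
    kind is "server" or "client". Vault's defaults (server_flag and
    client_flag both true) are assumed for absent fields, which is exactly
    the case where a role silently issues dual-purpose certs."""
    if kind not in ("server", "client"):
        raise ValueError("kind must be 'server' or 'client'")
    want_server = kind == "server"
    findings = []

    if bool(role.get("server_flag", True)) != want_server:
        findings.append(f"server_flag should be {want_server}")
    if bool(role.get("client_flag", True)) == want_server:
        findings.append(f"client_flag should be {not want_server}")

    expected_eku = {"ServerAuth"} if want_server else {"ClientAuth"}
    eku = set(role.get("ext_key_usage") or [])
    if eku != expected_eku:
        findings.append(f"ext_key_usage should be exactly {sorted(expected_eku)}, got {sorted(eku)}")

    if want_server and not role.get("enforce_hostnames", True):
        findings.append("server role should enforce hostnames")
    if want_server and role.get("allow_any_name", False):
        findings.append("server role should not allow_any_name")

    if role.get("key_type", "rsa") == "rsa" and int(role.get("key_bits", 2048)) < 4096:
        findings.append("rsa key_bits below 4096")
    if ttl_seconds(role.get("max_ttl", 0)) > MOUNT_MAX_TTL_SECONDS:
        findings.append("max_ttl exceeds the mount's max lease TTL")
    return findings


# Constructed samples: the first two mirror the roles written above.
SERVER_ROLE = {
    "allowed_domains": ["jthan.io"], "allow_subdomains": True, "max_ttl": "43800h",
    "key_bits": 4096, "key_type": "rsa", "allow_any_name": False,
    "allow_bare_domains": False, "allow_glob_domains": False, "allow_ip_sans": True,
    "allow_localhost": False, "client_flag": False, "server_flag": True,
    "enforce_hostnames": True, "key_usage": ["DigitalSignature", "KeyEncipherment"],
    "ext_key_usage": ["ServerAuth"], "require_cn": True,
}
CLIENT_ROLE = {
    "allow_subdomains": True, "max_ttl": "43800h", "key_bits": 4096, "key_type": "rsa",
    "allow_any_name": True, "allow_bare_domains": False, "allow_glob_domains": False,
    "allow_ip_sans": False, "allow_localhost": False, "client_flag": True,
    "server_flag": False, "enforce_hostnames": False,
    "key_usage": ["DigitalSignature"], "ext_key_usage": ["ClientAuth"], "require_cn": True,
}
# A role that relies on Vault's defaults and would issue dual-purpose certs.
SLOPPY_CLIENT_ROLE = {
    "allow_any_name": True, "max_ttl": "87600h", "key_bits": 2048, "key_type": "rsa",
    "ext_key_usage": ["ServerAuth", "ClientAuth"],
}

if __name__ == "__main__":
    for name, role, kind in (("jthanio_server", SERVER_ROLE, "server"),
                             ("jthanio_client", CLIENT_ROLE, "client"),
                             ("sloppy_client", SLOPPY_CLIENT_ROLE, "client")):
        print(name, lint_role(role, kind) or "ok")
```

To run it against a live mount, pipe `vault read -format=json pki_ovpn/roles/jthanio_client` into `json.load(...)["data"]` and pass that dict to `lint_role`. The findings are deliberately about the split itself (flags, EKU, key size, TTL); deployment-specific choices like allowed domains are left alone, for the reason given in the edit note at the top of the post.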

That's it. It's only a few commands to set up an entire intermediate in Vault to use for OpenVPN. Now, of course, the next step is to issue some certs and make up our OpenVPN config files. For security reasons I am not going to give you my entire OpenVPN config, but I am going to point out config snippets specifically for the cert portions. I embed my certs into my OpenVPN config files, and I recommend you do the same. It's cleaner and they're easier to distribute on the whole. Also, note: when you issue certs with Vault, the private key is not stored; it is only printed out wherever you issued the cert. If you need it, save it for as long as you do, then delete it. If you really want to keep the keys somewhere, set up a separate kv store in Vault and stick them in there. I still don't recommend it, though.

Issuing a Certificate and Constructing an OpenVPN config

Okay, like I said, we're going to issue our first cert. I just make up a domain of sorts for each of my OpenVPN clients that fits with their shortname, e.g. my laptop named "shaco" would just become "shaco.jthan.io." Obviously you can see why I like using the command line client for doing this, because I can just iterate through all of my hostnames, save the data to a file, and then delete all the evidence. This is an example for a CLIENT cert, using my jthanio_client role, but be sure to use the server role for generating server certs.

$ vault write pki_ovpn/issue/jthanio_client common_name="shaco.jthan.io" ttl="43800h"
Key                 Value
---                 -----
ca_chain            [-----BEGIN CERTIFICATE-----
MIIDpjCCAo6gAwIBAgIUHiHvMz4YrHH4sFHafwsCRJiImAswDQYJKoZIhvcNAQEL
BQAwFjEUMBIGA1UEAxMLZXhhbXBsZS5jb20wHhcNMjAwODMwMDI1MTQxWhcNMjUw
ODI5MDI1MjExWjAtMSswKQYDVQQDEyJleGFtcGxlLmNvbSBJbnRlcm1lZGlhdGUg
QXV0aG9yaXR5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuEfsNtwE
M0p5Gd1egd/pjTJmB5QiCNK63E/XhXxJcUIjz7lvzPppOXOrWpjiqJ2vtySYAMnt
8MyZFQcL17AVksb9ISvLCoLMP+0nzv2hMR+qwH65FrmaT/VdknH5ClMPoScEC0Vq
mUbTAz1RQOpMfxqWDroVH/Z2fU49qwQifjsPh/BAP4tGxgzJn3GTeMvSspt2NYnW
uJ5ZjG66hkfozUMZlOQpswuqakMz0lLdlcfJz5yhTvwfAwi4jt+fV+09F27JXj63
BevptNKJ8jC+iptfd7mPsKmgInTcBPOcC1bgkLJM5d9Ys/X+b0R8ushgK+OynQcy
cc0bHfXmWBobgQIDAQABo4HUMIHRMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8E
BTADAQH/MB0GA1UdDgQWBBTz9QuUODQ6+Z8T8XC2JVf+v2eUGzAfBgNVHSMEGDAW
gBTso6Bb9UP1gIjFM6HsPOK+N4P8WzA7BggrBgEFBQcBAQQvMC0wKwYIKwYBBQUH
MAKGH2h0dHA6Ly8xMjcuMC4wLjE6ODIwMC92MS9wa2kvY2EwMQYDVR0fBCowKDAm
oCSgIoYgaHR0cDovLzEyNy4wLjAuMTo4MjAwL3YxL3BraS9jcmwwDQYJKoZIhvcN
AQELBQADggEBAJKRcJt+j5zAGe8sU3LVy+up4Mnv5zf4flTQ0DIBW2xJhwZDSN+L
dyS+Oj8bHJIkezE5fVACZx14/bMD5S6I2Kj8iFkFuiGMAEHaz8VC8RxIiln0gfH1
qbJpAPDh/c7L2gzmKNTJiR1S01RLT7P7ZfOBbhRwf6bEsDFh7aEdXMz+kDcX6Xms
y77G8gCa6oxyEtmLTw8/rsqF64XudMYY1QNFT5I14BgA4I+1nFLaZ6PKkj4GVANp
kc2WsRuDUdX2TU4prFWgcKoD6qaeZImcEBh7RG4E79kZo//WIv2pnFR9dQDr2dYB
uwabpRk6lw0TURXu0/6bXVn1rurbZjeO+lc=
-----END CERTIFICATE-----]
certificate         -----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----
expiration          1598842378
issuing_ca          -----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----
private_key         -----BEGIN RSA PRIVATE KEY-----...-----END RSA PRIVATE KEY-----
private_key_type    rsa
serial_number       15:27:3a:1c:d8:31:af:9e:ae:f5:bb:74:71:16:2c:e1:c2:08:f4:b0

What you get back from this command is a ca_chain, a certificate, a private_key value, information about expiry, etc. The output you see here is just dummy data, and isn't actually from my deployment, so don't worry. One thing to note is that if you look at the ca_chain and issuing_ca values, they're the same. This is because Vault assumes the root CA is going to be trusted at an OS level, or may be external to Vault, so it isn't included in the chain. For our purposes here, though, we need to prepend the root cert before pasting into our OpenVPN configurations, thus your <ca> block should have two certificates in it - first the root CA, then your intermediate (which was included in our previous output). Finally, your ca, cert, and key blocks should look similar to the following:

<ca>
-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----...-----END RSA PRIVATE KEY-----
</key>
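
Since the CLI makes it easy to iterate over hostnames, the assembly step above is the part worth scripting: take the `-format=json` output of `vault write pki_ovpn/issue/...`, prepend the root CA that Vault leaves out of ca_chain, and write the inline blocks with a file mode that matches the fact that the private key is in there. The following is an added example, not code from the original post; every PEM body in it is a constructed placeholder, the `expiration` value is made up, and the root CA is assumed to be available as a PEM string (for instance from `vault read -field=certificate pki/cert/ca`).

```python
"""Build OpenVPN inline <ca>/<cert>/<key> blocks from Vault's issue output.

Added example (not from the original post). Input is the JSON that
`vault write -format=json pki_ovpn/issue/<role> common_name=... ttl=...`
returns, plus the root CA's PEM, which Vault leaves out of ca_chain and
which therefore has to be prepended by hand. All PEM bodies below are
constructed placeholders, not real certificates or keys.
"""
import json
import os
import re
import time

PEM_OBJECT = re.compile(r"-----BEGIN [A-Z ]+-----.*?-----END [A-Z ]+-----", re.S)
REQUIRED_FIELDS = ("certificate", "private_key", "issuing_ca", "expiration")


def pem_objects(text):
    """Split text holding one or more PEM objects into a list of trimmed blocks."""
    return [block.strip() for block in PEM_OBJECT.findall(text)]


def missing_fields(issue_json):
    """Names of required fields that are absent or empty in the issue response."""
    data = json.loads(issue_json)["data"]
    return [field for field in REQUIRED_FIELDS if not data.get(field)]


def inline_blocks(issue_json, root_ca_pem):
    """Return the <ca>, <cert> and <key> sections as one string, ordering the
    <ca> block root first, then every certificate Vault returned in ca_chain
    (falling back to issuing_ca when ca_chain is empty)."""
    missing = missing_fields(issue_json)
    if missing:
        raise ValueError(f"issue response is missing: {missing}")
    data = json.loads(issue_json)["data"]

    roots = pem_objects(root_ca_pem)
    if len(roots) != 1:
        raise ValueError("expected exactly one PEM certificate for the root CA")
    chain = [c.strip() for c in (data.get("ca_chain") or [data["issuing_ca"]])]
    # Vault omits the root from ca_chain; prepend it, and skip it if someone
    # already put it in the chain so it does not appear twice.
    ca_block = roots + [c for c in chain if c not in roots]

    lines = ["<ca>", *ca_block, "</ca>",
             "<cert>", data["certificate"].strip(), "</cert>",
             "<key>", data["private_key"].strip(), "</key>"]
    return "\n".join(lines) + "\n"


def days_until_expiry(issue_json, now=None):
    """Days left on the issued cert, from Vault's epoch `expiration` field."""
    expiration = int(json.loads(issue_json)["data"]["expiration"])
    now = time.time() if now is None else now
    return (expiration - now) / 86400


def write_profile(path, text):
    """Write the assembled profile with mode 0600, since it embeds the key."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as handle:
        handle.write(text)


# Constructed sample input shaped like the `vault write` output above.
ROOT_CA_PEM = "-----BEGIN CERTIFICATE-----\nROOT-CA-PLACEHOLDER\n-----END CERTIFICATE-----\n"
INTERMEDIATE_PEM = "-----BEGIN CERTIFICATE-----\nINTERMEDIATE-PLACEHOLDER\n-----END CERTIFICATE-----"
SAMPLE_ISSUE = json.dumps({"data": {
    "ca_chain": [INTERMEDIATE_PEM],
    "certificate": "-----BEGIN CERTIFICATE-----\nCLIENT-PLACEHOLDER\n-----END CERTIFICATE-----",
    "expiration": 1756512000,  # constructed epoch value
    "issuing_ca": INTERMEDIATE_PEM,
    "private_key": "-----BEGIN RSA PRIVATE KEY-----\nKEY-PLACEHOLDER\n-----END RSA PRIVATE KEY-----",
    "private_key_type": "rsa",
    "serial_number": "00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33",
}})
# Same response with the key blanked, as when someone pipes the wrong field.
SAMPLE_NO_KEY = json.dumps({"data": {**json.loads(SAMPLE_ISSUE)["data"], "private_key": ""}})

if __name__ == "__main__":
    profile = inline_blocks(SAMPLE_ISSUE, ROOT_CA_PEM)
    print(profile)
    print(f"{days_until_expiry(SAMPLE_ISSUE):.1f} days until expiry")
```

In practice you would run `vault write -format=json pki_ovpn/issue/jthanio_client common_name="shaco.jthan.io" ttl="43800h"` per host, feed its stdout to `inline_blocks`, append the rest of your client config, hand the result to `write_profile`, and then remove the raw JSON, since it is the only copy of the private key. The `missing_fields` check exists because a response without `private_key` is exactly what you get when a wrapper script accidentally re-reads the cert from `pki_ovpn/cert/<serial>` instead of keeping the issue output.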

Closing Remarks

First off, I'd like to note that depending on your situation it might make sense to have your client certs or even the entire intermediate expire much sooner than 5 years. Aside from this, though, the process is fairly straightforward and it's a great alternative to easy-rsa. Don't forget you need a cert for your server and each client you intend to have on the VPN!
