ImportantIf you are using an external CA, this tutorial does not cover how to configure or apply Access Server’s required v3 extensions during the certificate signing. Follow your CA’s documentation for extension handling.
VPN clients rely on the CA certificate to validate the server. If the CA certificate expires, client connections will fail until it is replaced.
ImportantFuturex can’t provide support for issues arising from the use of an external CA; refer to your CA’s documentation for guidance on extension handling and certificate issuance.
Set FXPKCS11 environment variables
Export the PKCS #11 module path:export FXPKCS11_MODULE=/usr/local/lib/fxpkcs11/libfxpkcs11.so
Connect to the Access Server console and get root privileges.
Edit the as.conf for external PKI usage:nano /usr/local/openvpn_as/etc/as.conf
Comment out certs_db:# certificates database
# certs_db=sqlite:///~/db/certs.db
Save and exit the file — Ctrl-X, Y, then Enter.
- Access Server no longer uses the certificate database. Instead, an external system must handle this.
Generate the CA key on CryptoHub
We use OpenSSL to generate the files. Skip this section if you’re using an external CA.
We’re storing the files in the root directory.
Generate the private key:pkcs11-tool --module $FXPKCS11_MODULE --login --key-type rsa:2048 --pin "$(cat /root/pkcs11-pin.txt)" --label "OpenVPN-CA-Key" --id 01 --keypairgen --usage-sign
Generate the PKCS #11 URI reference file for the CA key:python3 ~/src/pkcs11-provider/tools/uri2pem.py "pkcs11:token=Futurex;object=OpenVPN-CA-Key;type=private" > /root/ca.key
python3 /usr/local/src/pkcs11-provider/tools/uri2pem.py "pkcs11:token=Futurex;object=OpenVPN-CA-Key;type=private" > /root/ca.key
Generate the CA certificate:openssl req -new -x509 -provider pkcs11 -provider-path $FXPKCS11_MODULE -key ca.key -out ca.crt -days 3650 -subj "/CN=OpenVPN_CA"
From the above commands, you get two files:
- CA key (
ca.key)
- CA certificate (
ca.crt)
Create OpenSSL configuration for the server certificate
ImportantThis tutorial assumes openssl.cnf is located in /usr/lib/ssl/. Update the path in the following commands accordingly.
Copy the default OpenSSL configuration file to a new file named openssl-server.cnf:OUT="/usr/lib/ssl/openssl-server.cnf"
cp /usr/lib/ssl/openssl.cnf "$OUT"
Update the [ req ] section:sed -i '/^[ req ]/,/^[/{/req_extensions/ d}' "$OUT"
sed -i '/^[ req ]/,/^[/{/x509_extensions/ a\
req_extensions = v3_req
}' "$OUT"
Update the [ v3_req ] section:sed -i '/^[ v3_req ]/,/^[/{s/basicConstraints.*/basicConstraints = critical, CA:FALSE/}' "$OUT"
sed -i '/^[ v3_req ]/,/^[/{s/keyUsage.*/keyUsage = critical, digitalSignature, keyEncipherment/}' "$OUT"
sed -i '/^[ v3_req ]/,/^[/{/extendedKeyUsage/ d}' "$OUT"
sed -i '/keyUsage = critical, digitalSignature, keyEncipherment/ a\
extendedKeyUsage = serverAuth
' "$OUT"
Create OpenSSL configuration for the client certificate
ImportantThis tutorial assumes openssl.cnf is located in /usr/lib/ssl/. Update the path in the following commands accordingly.
Copy the default OpenSSL configuration file to a new file named openssl-client.cnf:OUT="/usr/lib/ssl/openssl-client.cnf"
cp /usr/lib/ssl/openssl.cnf "$OUT"
Update the [ req ] section:sed -i '/^[ req ]/,/^[/{/req_extensions/ d}' "$OUT"
sed -i '/^[ req ]/,/^[/{/x509_extensions/ a\
req_extensions = v3_req
}' "$OUT"
Update the [ v3_req ] section:sed -i '/^[ v3_req ]/,/^[/{s/basicConstraints.*/basicConstraints = critical, CA:FALSE/}' "$OUT"
sed -i '/^[ v3_req ]/,/^[/{s/keyUsage.*/keyUsage = critical, digitalSignature/}' "$OUT"
sed -i '/^[ v3_req ]/,/^[/{/extendedKeyUsage/ d}' "$OUT"
sed -i '/^[ v3_req ]/,/^[/{/nsCertType/ d}' "$OUT"
sed -i '/keyUsage = critical, digitalSignature/ a\
extendedKeyUsage = clientAuth
' "$OUT"
sed -i '/extendedKeyUsage = clientAuth/ a\
nsCertType = client
' "$OUT"
Generate the server key and certificate
We’re storing the files in the root directory.
ImportantThis tutorial assumes openssl.cnf is located in /usr/lib/ssl/. Update the path in the following commands accordingly.
Generate the server private key on CryptoHub:pkcs11-tool --module $FXPKCS11_MODULE --login --key-type rsa:2048 --pin "$(cat /root/pkcs11-pin.txt)" --label "OpenVPN-Server-Key" --id 02 --keypairgen --usage-sign
Generate the PKCS #11 URI reference file for the server key:python3 ~/src/pkcs11-provider/tools/uri2pem.py "pkcs11:token=Futurex;object=OpenVPN-Server-Key;type=private" > server.key
python3 /usr/local/src/pkcs11-provider/tools/uri2pem.py "pkcs11:token=Futurex;object=OpenVPN-Server-Key;type=private" > server.key
Generate the server CSR:openssl req -new -key server.key -out server.csr -subj "/CN=OpenVPN Server" -config /usr/lib/ssl/openssl-server.cnf
Sign the server certificate:openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 365 -extfile /usr/lib/ssl/openssl-server.cnf -extensions v3_req
From the above commands, you get three files:
- Server key (
server.key)
- Server certificate (
server.crt)
- Server CSR (
server.csr)
Generate the client certificate and package
We’re storing the files in the root directory.
ImportantThis tutorial assumes openssl.cnf is located in /usr/lib/ssl/. Update the path in the following commands accordingly.
Generate the client private key:openssl genpkey -algorithm RSA -out client.key -pkeyopt rsa_keygen_bits:2048
Generate the client CSR:The Common Name you define while generating the client CSR must match the name of the user you create in the OpenVPN Access Server admin portal.For example, in the command above, we set /CN=etest in the -subj flag. So the user name would need to be “etest”.
openssl req -new -key client.key -out client.csr -subj "/CN=etest" -config /usr/lib/ssl/openssl-client.cnf
(Optional) Generate the client CSR compatible with auto-login:openssl req -new -key client.key -out client.csr -subj "/role=AUTOLOGIN/CN=etest" -config /usr/lib/ssl/openssl-client.cnf
Sign the client certificate:openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt -days 365 -extfile /usr/lib/ssl/openssl-client.cnf -extensions v3_req
Create the P12 bundle:openssl pkcs12 -export -inkey client.key -in client.crt -certfile ca.crt -out etest.p12 -name "etest"
Enter the P12 password when prompted.
- From the above commands, you get four files:
- Client key (
client.key)
- Client certificate (
client.crt)
- Client CSR (
client.csr)
- Client P12 file (
etest.p12)