These steps are typically performed by the OpenVPN Access Server Admin. See Underlying Responsibility Roles for more information.
In this section, we will edit the client connection profile (.ovpn file) to prepare it for the PKCS #11 integration with the Futurex CryptoHub.
If your OpenVPN Access Server instance is integrated with CryptoHub, skip this section and continue on.

Extract the CA Certificate, Client Certificate, and Client Private Key

1. Extract the individual certificate components from the generated .ovpn file:
sed -n '/<ca>/,/<\/ca>/p' futurex_profile.ovpn | sed '1d;$d' > ca.crt

sed -n '/<cert>/,/<\/cert>/p' futurex_profile.ovpn | sed '1d;$d' > client.crt

sed -n '/<key>/,/<\/key>/p' futurex_profile.ovpn | sed '1d;$d' > client.key
You should now have four files:
  1. The client connection profile (futurex_profile.ovpn).
  2. The CA certificate (ca.crt).
  3. The client certificate (client.crt).
  4. The client private key (client.key).
2. Remove the embedded certificate and key blocks from the .ovpn file:
sed -i '/<cert>/,/<\/cert>/d' futurex_profile.ovpn
sed -i '/<key>/,/<\/key>/d' futurex_profile.ovpn
Verify the removal was successful:
grep -E "<cert>|<key>" futurex_profile.ovpn
If the command returns nothing, the removal was successful.
3. Create a PKCS #12 file containing the client certificate and private key:
openssl pkcs12 -export -inkey client.key -in client.crt -certfile ca.crt -out futurex.p12 -name "futurex_client"
Replace futurex.p12 with the file name you want for the PKCS #12 file, and futurex_client with a name that identifies the client certificate.
This command will prompt you to set an export password. This password will be provided to the end user so they can import the PKCS #12 file into the CryptoHub in the next sub-section.
4. Package the following items for the CryptoHub admin:
  • futurex.p12: PKCS #12 file containing the client certificate and private key (used for importing into the CryptoHub)
    After packaging the futurex.p12 file, securely delete the original client.key file from your system to prevent unauthorized access to the private key. The futurex.p12 file is password-protected, but it’s crucial to minimize the risk of exposure.
  • Export password: The password you set when exporting the PKCS #12 file, which will be needed for importing into the CryptoHub
Package the following items for the OpenVPN Connect user:
  • futurex_profile.ovpn: Modified client profile
  • CRYPTO-OPR-PASS: The password for the hardware token, which will be needed to authorize the token in OpenVPN Connect and establish a VPN connection.
Make sure that the CRYPTO-OPR-PASS and Export password are securely transmitted, as they contain sensitive information. Consider using secure communication channels to share these passwords and avoid sharing them through insecure means.
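
The shell functions below are an added example, not part of the Futurex procedure: they perform the extraction and removal from steps 1 and 2 under a restrictive umask, and stop if a block is missing or if key material is still in the profile afterwards. The function names and the output-directory argument are assumptions.

```shell
#!/bin/sh
# Added example: hardened form of steps 1 and 2. Function names are assumptions.

# extract_block TAG PROFILE: print the lines between <TAG> and </TAG>.
extract_block() {
    sed -n "/<$1>/,/<\/$1>/p" "$2" | sed '1d;$d'
}

# split_profile PROFILE OUTDIR: write ca.crt, client.crt and client.key with
# owner-only permissions; fail if a block is missing or is not PEM.
split_profile() {
    profile=$1 outdir=$2
    (
        umask 077    # new files are 0600 and a new OUTDIR is 0700
        mkdir -p "$outdir" || exit 1
        for pair in ca:ca.crt cert:client.crt key:client.key; do
            tag=${pair%%:*}
            file=$outdir/${pair#*:}
            rm -f "$file"    # a pre-existing file would keep its old mode
            extract_block "$tag" "$profile" > "$file"
            head -n 1 "$file" | grep -q '^-----BEGIN ' || {
                echo "missing or malformed <$tag> block in $profile" >&2
                exit 1
            }
        done
    )
}

# strip_profile PROFILE: remove the <cert> and <key> blocks, then refuse to
# overwrite the profile if a tag or a private-key PEM header is still present.
strip_profile() {
    tmp=$(mktemp) || return 1
    sed -e '/<cert>/,/<\/cert>/d' -e '/<key>/,/<\/key>/d' "$1" > "$tmp"
    if grep -Eq '<cert>|<key>|BEGIN [A-Z ]*PRIVATE KEY' "$tmp"; then
        rm -f "$tmp"
        echo "key material still present in $1" >&2
        return 1
    fi
    cat "$tmp" > "$1" && rm -f "$tmp"    # overwrite in place, keeping the mode
}
```

Call split_profile before strip_profile, because the second function removes the blocks that the first one reads.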