> ## Documentation Index
> Fetch the complete documentation index at: https://docs.futurex.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Edit the Client Profile

> Procedural guide to edit the .ovpn client profile for PKCS #11 integration with CryptoHub.

<Note>These steps are typically performed by the **OpenVPN Access Server Admin**. See [Underlying Responsibility Roles](./Before_you_start#underlying-responsibility-roles) for more information.</Note>

In this section, we will edit the client connection profile (`.ovpn` file)  to prepare it for the PKCS #11 integration with the Futurex CryptoHub.

<Warning>
  If your **OpenVPN Access Server** instance is integrated with **CryptoHub**, skip this section and continue on.
</Warning>

#### Extract the CA Certificate, Client Certificate, and Client Private Key

<Steps>
  <Step>
    Extract the individual certificate components from the generated `.ovpn` file:

    ```bash theme={null}
    sed -n '/<ca>/,/<\/ca>/p' futurex_profile.ovpn | sed '1d;$d' > ca.crt

    sed -n '/<cert>/,/<\/cert>/p' futurex_profile.ovpn | sed '1d;$d' > client.crt

    sed -n '/<key>/,/<\/key>/p' futurex_profile.ovpn | sed '1d;$d' > client.key
    ```

    You should now have four files:

    1. The client connection profile (`futurex-profile.ovpn`).
    2. The CA certificate (`ca.crt`).
    3. The client certificate (`client.crt`).
    4. The client private key (`client.key`).
  </Step>

  <Step>
    Remove the embedded certificate and key blocks from the .ovpn file:

    ```bash theme={null}
    sed -i '/<cert>/,/<\/cert>/d' futurex_profile.ovpn
    sed -i '/<key>/,/<\/key>/d' futurex_profile.ovpn
    ```

    Verify the removal was successful:

    ```bash theme={null}
    grep -E "<cert>|<key>" futurex_profile.ovpn
    ```

    If the command returns nothing, the removal was successful.
  </Step>

  <Step>
    Create a PKCS #12 file containing the client certificate and private key:

    ```bash theme={null}
    openssl pkcs12 -export -inkey client.key -in client.crt -certfile ca.crt -out futurex.p12 -name "futurex_client"
    ```

    <Note> Replace `futurex.p12` with the name that you would like the `.p12` to be stored as and `futurex_client` with a name that identifies the client certificate. </Note>
    This command will prompt you to set an export password. This password will be provided to the end user so they can import the PKCS #12 file into the CryptoHub in the next sub-section.
  </Step>

  <Step>
    Package the following file for the CryptoHub admin:

    * `futurex.p12`: PKCS #12 file containing the client certificate and private key (used for importing into the CryptoHub)
          <Warning>
            After packing the `futurex.p12` file, securely delete the original `client.key` file from your system to prevent unauthorized access to the private key. The `futurex.p12` file is password-protected, but it's crucial to minimize the risk of exposure.
          </Warning>
    * `Export password`: The password you set when exporting the PKCS #12 file, which will be needed for importing into the CryptoHub

    Package the following file for the OpenVPN Connect user:

    * `Futurex_profile.ovpn`: Modified client profile
    * `CRYPTO-OPR-PASS`: The password for the hardware token, which will be needed to authorize the token in OpenVPN Connect and establish a VPN connection.

    <Warning>
      Make sure that the `CRYPTO-OPR-PASS` and `Export password` are securely transmitted, as they contain sensitive information. Consider using secure communication channels to share these passwords and avoid sharing them through insecure means.
    </Warning>
  </Step>
</Steps>
