After the keys and certificates are prepared, this section covers integrating them with the OpenVPN Access Server. By storing the keys in KMES Series 3 and referencing them during server configuration, the integration supports strong cryptographic operations and helps align the deployment with enterprise security policies. At a high level, these are the steps for your configuration:
  1. Create the TLS_auth key.
  2. Generate Diffie-Hellman parameters.
  3. Import the necessary certificate and key files to Access Server.
  4. Configure the test client on OpenVPN Access Server admin UI.
  5. Generate and download a server-locked profile for the client.
  6. Install the profile and P12 file in OpenVPN Connect v3.

Configure OpenVPN Access Server

1
Switch to root and create a working directory:
Shell
sudo su
mkdir epki && cd epki
Place the ca.crt, server.crt, and server.key in the epki directory:
Shell
cp /path/to/ca.crt ./
cp /path/to/server.crt ./
cp /path/to/server.key ./
Create a tls_auth key for the OpenVPN server:
Shell
/usr/local/openvpn_as/scripts/certool --tls_auth
2
Generate Diffie-Hellman parameters for the OpenVPN server:
Shell
openssl dhparam -out dh.pem 2048
For Access Server 2.7 and newer, you must also generate the auth token key; the generated auth_token.key file is loaded into the config database in step 3:
Shell
/usr/local/openvpn_as/scripts/certool --auth_token
Configure X509 explicit/extended key usage checks based on the RFC 3280 TLS rules, so that client certificates presented to the server must carry the TLS client-authentication extended key usage (the equivalent of OpenVPN's remote-cert-tls client):
Shell
/usr/local/openvpn_as/scripts/sacli --key "external_pki.remote_cert_usage" --value eku ConfigPut
Configure Access Server to take auto-login permission from the X509 "role" attribute, so that a certificate whose role attribute is AUTOLOGIN is granted auto-login:
Shell
/usr/local/openvpn_as/scripts/sacli --key "external_pki.autologin_x509_spec" --value "role,,AUTOLOGIN" ConfigPut
Generate the tls-crypt-v2 key (for Access Server 2.9.0 and higher only):
Shell
/usr/local/openvpn_as/scripts/certool --tls_crypt2_server
3
Load the newly generated files into the Access Server config database:
Shell
/usr/local/openvpn_as/scripts/sacli --key "external_pki.ta_key" --value_file ta.key ConfigPut
/usr/local/openvpn_as/scripts/sacli --key "external_pki.ca_crt" --value_file ca.crt ConfigPut
/usr/local/openvpn_as/scripts/sacli --key "external_pki.server_crt" --value_file server.crt ConfigPut
/usr/local/openvpn_as/scripts/sacli --key "external_pki.server_key" --value_file server.key ConfigPut
/usr/local/openvpn_as/scripts/sacli --key "external_pki.dh_pem" --value_file dh.pem ConfigPut
/usr/local/openvpn_as/scripts/sacli --key "external_pki.auth_token_key" --value_file auth_token.key ConfigPut
/usr/local/openvpn_as/scripts/sacli --key "external_pki.tls_cryptv2_server" --value_file tls_crypt2.key ConfigPut
Restart the Access Server:
Shell
systemctl restart openvpnas
4
Configure the test client in the Admin Web UI. Go to https://<Access Server IP>:943/admin/login and log in with the username openvpn and its password, which is usually found in the init log:
Shell
sudo cat /usr/local/openvpn_as/init.log
Click on Users > Add New User.
Create a new user, etest, and click on Save.
Under User Settings, scroll down to Authentication and enter the preferred password for the test client.
In the top right corner, click on Save. Then, at the top, click on Restart.
5
In a terminal, generate a server-locked profile, etest.ovpn (a server-locked profile carries no user certificate; the user authenticates with the password set in step 4, and the client certificate is attached from the P12 file in step 6):
Shell
/usr/local/openvpn_as/scripts/sacli GetGeneric >etest.ovpn
6
Copy the files etest.p12 and etest.ovpn to the client machine.
Launch OpenVPN Connect v3 on Windows or macOS.
In the app, click the three-bar menu icon in the top left corner and select My Profiles.
Click the + icon and upload the etest.ovpn file.
Click the three-bar menu icon in the top left corner and select Certificates & Tokens.
Under PKCS #12, click the + icon and upload the etest.p12 file; enter the password that was configured in Step 6 in
Click the three-bar menu icon in the top left corner and select My Profiles, click the pencil icon next to the newly uploaded profile, scroll down to Certificates, click Select, select the circular button next to etest, and click Select.
Click Save Changes.