This section provides guidance on generating and preparing the cryptographic keys used by OpenVPN Access Server and the test client. The focus is on ensuring that the server’s private key, and optionally the certificate authority (CA) key, are securely created and formatted for storage in KMES. Centralizing key generation in KMES enhances the protection of sensitive credentials and establishes a secure foundation for the VPN deployment. At a high level, these are the steps for your configuration:
  1. Modify as.conf to set Access Server in external PKI mode.
  2. (Optional) Create the server CA using pkcs11-tool commands.
  3. Generate the server certificate and key via pkcs11-tool commands.
  4. Generate the client certificate and key via pkcs11-tool commands.
Important: If you are using an external CA, this guide does not cover how to configure or apply the v3 extensions that Access Server requires during certificate signing. Extension handling is determined by the external CA's policies or configuration. OpenSSL-based CAs expect the CA's private key as a .pem file; if that file holds exported key material rather than a PKCS #11 URI reference, it becomes a single point of compromise for the whole VPN and must be protected accordingly. Futurex cannot provide support for issues arising from the use of an external CA; refer to your CA's documentation for guidance on extension handling and certificate issuance.
Note: Access Server connections stop working once the CA certificate expires. Clients verify the server's certificate against the CA certificate, so the CA certificate must be replaced, and the replacement distributed to clients, before it expires to avoid disrupting client connections. Plan for this early, especially when the CA certificate's validity period is short.

Set FXPKCS11 environment variables

In a terminal, run the following commands in the same shell session you will use for the remaining steps. The first variable is used by the pkcs11-tool commands below; the second tells pkcs11-provider (which the openssl commands below load) which PKCS #11 library to use. An alternative to PKCS11_PROVIDER_MODULE is the pkcs11-module-path setting in the provider's section of openssl.cnf.
Shell
export FXPKCS11_MODULE=/path/to/libfxpkcs11.so
export PKCS11_PROVIDER_MODULE=$FXPKCS11_MODULE

Configure OpenVPN Access Server

1
Edit the as.conf for external PKI usage:
Shell
sudo nano /usr/local/openvpn_as/etc/as.conf
Comment out certs_db:
None
# certificates database
# certs_db=sqlite:///~/db/certs.db
Save and exit the file. Commenting out certs_db makes Access Server stop using its internal certificate database; an external PKI (the KMES-backed CA and certificates created below) must supply the certificates instead.
2
(Optional: skip this step if you are using an external CA.) Generate the CA key pair on the KMES via pkcs11-tool. The PIN shown is a placeholder; omit --pin to be prompted for it rather than leaving the PIN in the process list and shell history:
Shell
pkcs11-tool --module $FXPKCS11_MODULE --login --key-type rsa:2048 --pin safest --label "OpenVPN-CA-Key" --id 01 --keypairgen --usage-sign
The key is now securely stored on the KMES. However, the OpenSSL CA signing command requires a key reference in a .pem file. Instead of exporting the private key, which would create significant security risks, you can store a PKCS #11 URI reference in the .pem file. This allows pkcs11-provider by Latchset to access the key directly on the KMES and perform the signing operation without the key material ever leaving the device.
Note: In this guide, running Python scripts is demonstrated using the CLI. This is not the only way to run the script; it can also be executed within an IDE, a Jupyter notebook, or any environment that supports Python execution.
After setting up the Python CLI environment and installing asn1crypto, run the following command with the uri2pem.py script shipped in the tools directory of the pkcs11-provider repository to generate a PKCS #11 URI reference and save it directly to ca.key in the current directory:
Shell
python3 uri2pem.py "pkcs11:type=private;object=OpenVPN-CA-Key" > ca.key
Run the following command to generate the self-signed CA certificate. The pkcs11 provider decodes the URI reference in ca.key and performs the signature on the KMES; the default provider is loaded explicitly because OpenSSL does not load it automatically once another provider is named on the command line. Add -provider-path <dir> only if pkcs11-provider's pkcs11.so is not installed in OpenSSL's modules directory; that option takes a directory of provider modules, not the FXPKCS11 library itself. If the URI carries no PIN, the provider prompts for the token PIN; prefer prompting, or a pin-source= attribute pointing at a protected file, over embedding pin-value= in a key file.
Shell
openssl req -new -x509 -provider pkcs11 -provider default -key ca.key -out ca.crt -days 3650 -subj "/CN=OpenVPN_CA"
3
Create a custom OpenSSL configuration file for the server. Open the system openssl.cnf (root is needed to write the new file under /etc/ssl; the original is left unchanged because you will save under a new name):
Shell
sudo nano /etc/ssl/openssl.cnf
Look for the section [ req ] and add the below line in that section:
None
req_extensions = v3_req
Look for the section [ v3_req ], remove the content that is currently in that section, and add the below lines in that section:
None
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
Save and exit the file with a new name openssl-server.cnf (To perform this, hit ctrl + x, y, and then type the new name, then hit Enter).
4
Create a custom OpenSSL configuration file for clients. Open the system openssl.cnf again, as in the previous step:
Shell
sudo nano /etc/ssl/openssl.cnf
Look for the section [ req ] and add the below line in that section:
None
req_extensions = v3_req
Look for the section [ v3_req ], remove the content that is currently in that section, and add the below lines in that section:
None
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
nsCertType = client
Save and exit the file with a new name openssl-client.cnf (To perform this, hit ctrl + x, y, and then type the new name, then hit Enter).
5
Generate the server key pair on the KMES via pkcs11-tool (as before, omit --pin to be prompted instead of placing the PIN on the command line):
Shell
pkcs11-tool --module $FXPKCS11_MODULE --login --key-type rsa:2048 --pin safest --label "OpenVPN-Server-Key" --id 02 --keypairgen --usage-sign
Using the uri2pem.py script, generate the PKCS #11 URI reference file and save it as server.key:
Shell
python3 uri2pem.py "pkcs11:type=private;object=OpenVPN-Server-Key" > server.key
Generate the certificate signing request (CSR) for the server. This command and the signing command below load the pkcs11 provider (plus the default provider, which is not loaded automatically once another provider is named) so that OpenSSL can use the URI references in server.key and ca.key:
Shell
openssl req -new -provider pkcs11 -provider default -key server.key -out server.csr -subj "/CN=OpenVPN Server" -config /etc/ssl/openssl-server.cnf
Use the CA generated in step 2 to sign the CSR. The -extfile and -extensions options apply the v3_req section, so the issued certificate carries the server extensions from openssl-server.cnf:
Shell
openssl x509 -req -provider pkcs11 -provider default -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 365 -extfile /etc/ssl/openssl-server.cnf -extensions v3_req
6
Generate the client key:
Shell
openssl genpkey -algorithm RSA -out client.key -pkeyopt rsa_keygen_bits:2048
Generate the client CSR:
Shell
openssl req -new -key client.key -out client.csr -subj "/CN=etest" -config /etc/ssl/openssl-client.cnf
Use the CA generated from an earlier step to sign the .csr file:
Shell
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt -days 365 -extfile /etc/ssl/openssl-client.cnf -extensions v3_req
Generate the client P12 file with the client certificate and key:
Shell
openssl pkcs12 -export -inkey client.key -in client.crt -out etest.p12 -name "etest"
You will be prompted to enter an export password for the P12 file; type it twice. This password is what protects the client's private key at rest, so choose a strong one and deliver it to the client separately from the .p12 file. Note that this test client's key was generated in software; for production clients, generate the key on the end device or in a token rather than on the CA host.
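Before handing the certificates to Access Server and the client, it is worth confirming that the issued files actually carry the v3_req extensions configured above, chain to ca.crt, and that the CA is not about to expire (the failure mode the note at the top of this page warns about). The script below is an added example, not part of this page or of the Futurex or OpenVPN tooling. It assumes ca.crt, server.crt and client.crt sit in one directory, an openssl binary of version 1.1.1 or later (for -ext and -checkend), a 30-day CA-expiry warning threshold, and the hypothetical file name check-openvpn-pki.sh; the selftest mode builds a throwaway software-only PKI with the same server and client profiles so the checks can be exercised on a machine without a KMES.

```shell
#!/usr/bin/env bash
# Added example (not from the Futurex/OpenVPN Access Server page): validates the
# certificates produced by the procedure above. Assumptions: ca.crt, server.crt and
# client.crt in one directory; openssl >= 1.1.1; a 30-day CA expiry threshold.
set -u
WARN_DAYS=${WARN_DAYS:-30}

# check_profile CERT EKU KEYUSAGE...: the certificate must be an end-entity
# certificate (CA:FALSE), carry the expected extendedKeyUsage and every listed
# keyUsage bit. Names are the human-readable forms printed by "openssl x509".
check_profile() {
    local cert=$1 eku=$2 ku
    shift 2
    openssl x509 -in "$cert" -noout -ext basicConstraints 2>/dev/null | grep -q 'CA:FALSE' \
        || { echo "$cert: basicConstraints is not CA:FALSE"; return 1; }
    openssl x509 -in "$cert" -noout -ext extendedKeyUsage 2>/dev/null | grep -q "$eku" \
        || { echo "$cert: missing extendedKeyUsage '$eku'"; return 1; }
    for ku in "$@"; do
        openssl x509 -in "$cert" -noout -ext keyUsage 2>/dev/null | grep -q "$ku" \
            || { echo "$cert: missing keyUsage '$ku'"; return 1; }
    done
}

# ca_expiry_ok CERT DAYS: fails when the certificate expires within DAYS, the
# situation in which clients stop trusting the Access Server.
ca_expiry_ok() {
    if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1; then
        return 0
    fi
    echo "$1: expires within $2 days; replace the CA before clients lose trust"
    return 1
}

# run_checks DIR: chain verification plus the server and client profiles that
# the v3_req sections of openssl-server.cnf and openssl-client.cnf define.
run_checks() {
    local d=$1 rc=0
    openssl verify -CAfile "$d/ca.crt" "$d/server.crt" "$d/client.crt" >/dev/null 2>&1 \
        || { echo "chain verification against $d/ca.crt failed"; rc=1; }
    check_profile "$d/server.crt" "TLS Web Server Authentication" \
        "Digital Signature" "Key Encipherment" || rc=1
    check_profile "$d/client.crt" "TLS Web Client Authentication" "Digital Signature" || rc=1
    ca_expiry_ok "$d/ca.crt" "$WARN_DAYS" || rc=1
    return $rc
}

# make_test_pki DIR: builds a throwaway, software-only PKI with the same v3_req
# profiles so the checks can be exercised without a KMES. Test keys stay in DIR.
make_test_pki() {
    local d=$1 n
    printf '%s\n' 'basicConstraints = critical, CA:FALSE' \
        'keyUsage = critical, digitalSignature, keyEncipherment' \
        'extendedKeyUsage = serverAuth' > "$d/server.ext"
    printf '%s\n' 'basicConstraints = critical, CA:FALSE' \
        'keyUsage = critical, digitalSignature' \
        'extendedKeyUsage = clientAuth' 'nsCertType = client' > "$d/client.ext"
    openssl req -new -x509 -newkey rsa:2048 -nodes -keyout "$d/ca.key" -out "$d/ca.crt" \
        -days 3650 -subj "/CN=Test_CA" >/dev/null 2>&1 || return 1
    for n in server client; do
        openssl req -new -newkey rsa:2048 -nodes -keyout "$d/$n.key" -out "$d/$n.csr" \
            -subj "/CN=$n" >/dev/null 2>&1 || return 1
        openssl x509 -req -in "$d/$n.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial \
            -out "$d/$n.crt" -days 365 -extfile "$d/$n.ext" >/dev/null 2>&1 || return 1
    done
}

# Usage: ./check-openvpn-pki.sh check [DIR]    (validate ca.crt/server.crt/client.crt in DIR)
#        ./check-openvpn-pki.sh selftest       (exercise the checks on a throwaway PKI)
case "${1:-}" in
    check)    run_checks "${2:-.}" ;;
    selftest) d=$(mktemp -d); make_test_pki "$d" && run_checks "$d"; rc=$?; rm -rf "$d"; exit "$rc" ;;
esac
```

Run it as ./check-openvpn-pki.sh check against the directory holding the real ca.crt, server.crt and client.crt; a non-zero exit with a one-line reason means the certificate should not be installed. Tighten WARN_DAYS to match however long your CA rotation and client redistribution actually take.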