Prepare cryptographic material for Access Server
This section provides guidance on generating and preparing the cryptographic keys used by OpenVPN Access Server and the test client. The focus is on ensuring that the server's private key, and optionally the Certificate Authority (CA) key, are securely created and formatted for storage in KMES. Centralizing key generation in KMES enhances the protection of sensitive credentials and establishes a secure foundation for the VPN deployment.

At a high level, these are the steps for your configuration:

- Modify as.conf to set Access Server in external PKI mode
- (Optional) Create the server CA using pkcs11-tool commands
- Generate the server certificate and key via pkcs11-tool commands
- Generate the client certificate and key via pkcs11-tool commands

IMPORTANT: If you are using an external CA, this guide does not cover how to configure or apply Access Server's required v3 extensions during the certificate signing process. Extension handling is determined by the external CA's policies or configuration. For OpenSSL-based CAs, the CA's private key is required to be in a PEM file to issue the certificate with the proper extensions, which may introduce security risks if not properly protected. Please note that Futurex cannot provide support for issues arising from the use of an external CA; refer to your CA's documentation for guidance on extension handling and certificate issuance.

NOTE: Access Server connections will stop working once the CA certificate expires. Since the clients use the CA's public key to verify the connection to the Access Server, the CA certificate must be replaced in time so that client connections are not disrupted. This is especially true if the CA certificate's validity period is short-lived.

## Set FXPKCS11 environment variables

In a terminal, run the following sequence of commands to set the required FXPKCS11 environment variables:

```bash
export FXPKCS11_MODULE=/path/to/libfxpkcs11.so
```

## Configure OpenVPN Access Server

Edit as.conf for external PKI usage:

```bash
sudo nano /usr/local/openvpn_as/etc/as.conf
```

Comment out certs_db:

```ini
# certificates database
#certs_db=sqlite:///~/db/certs.db
```

Save and exit the file. With this change the Access Server no longer uses its certificate database; an external system must handle certificates instead.

## (Optional; if using an external CA, skip this step) Generate the CA key

Generate the CA key via a pkcs11-tool command:

```bash
pkcs11-tool --module $FXPKCS11_MODULE --login --key-type rsa:2048 --pin safest --label "OpenVPN CA Key" --id 01 --keypairgen --usage-sign
```

The key is now securely stored on the KMES. However, the OpenSSL CA signing command requires a key reference in a PEM file. Instead of exporting the private key, which would create significant security risks, you can store a PKCS #11 URI reference in the PEM file. This allows pkcs11-provider by latchset to access the key directly on the KMES and perform the signing operation without exposing the key material.

NOTE: In this guide, running Python scripts is demonstrated using the CLI. This is not the only way to run the script; it can also be executed within an IDE, a Jupyter notebook, or any environment that supports Python execution.

After setting up the Python CLI environment and installing asn1crypto, run the following command to generate a PKCS #11 URI reference and save it directly to ca.key in the current directory:

```bash
python3 uri2pem.py "pkcs11:type=private;object=OpenVPN CA Key" > ca.key
```

Run the following command to generate the CA certificate:

```bash
openssl req -new -x509 -provider pkcs11 -provider-path $FXPKCS11_MODULE -key ca.key -out ca.crt -days 3650 -subj "/CN=OpenVPN CA"
```

## Create a custom OpenSSL file for the server

Open the openssl.cnf file to edit:

```bash
nano /etc/ssl/openssl.cnf
```

Look for the section `[ req ]` and add the below line in that section:

```ini
req_extensions = v3_req
```

Look for the section `[ v3_req ]`, remove the content that is currently in that section, and add the below lines in that section:

```ini
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
```

Save and exit the file with the new name openssl-server.cnf (to perform this, hit Ctrl+X, Y, then type the new name, then hit Enter).

## Create a custom OpenSSL file for clients

Open the openssl.cnf file to edit:

```bash
nano /etc/ssl/openssl.cnf
```

Look for the section `[ req ]` and add the below line in that section:

```ini
req_extensions = v3_req
```

Look for the section `[ v3_req ]`, remove the content that is currently in that section, and add the below lines in that section:

```ini
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
nsCertType = client
```

Save and exit the file with the new name openssl-client.cnf (to perform this, hit Ctrl+X, Y, then type the new name, then hit Enter).

## Generate the server key and certificate

Generate the server key via a pkcs11-tool command:

```bash
pkcs11-tool --module $FXPKCS11_MODULE --login --key-type rsa:2048 --pin safest --label "OpenVPN Server Key" --id 02 --keypairgen --usage-sign
```

Using the uri2pem.py script, generate the PKCS #11 URI reference file and save it as server.key:

```bash
python3 uri2pem.py "pkcs11:type=private;object=OpenVPN Server Key" > server.key
```

Generate the certificate signing request (CSR) for the server:

```bash
openssl req -new -key server.key -out server.csr -subj "/CN=OpenVPN Server" -config /etc/ssl/openssl-server.cnf
```

NOTE: server.key, like ca.key, contains only a PKCS #11 URI, so this command and the signing command below can reach the key only if OpenSSL loads the pkcs11 provider, either through the -provider options used in the CA step or through the provider configuration in your openssl.cnf.

Use the CA generated in an earlier step to sign the CSR file:

```bash
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 365 -extfile /etc/ssl/openssl-server.cnf -extensions v3_req
```

## Generate the client key and certificate

Generate the client key:

```bash
openssl genpkey -algorithm RSA -out client.key -pkeyopt rsa_keygen_bits:2048
```

Generate the client CSR:

```bash
openssl req -new -key client.key -out client.csr -subj "/CN=etest" -config /etc/ssl/openssl-client.cnf
```

Use the CA generated in an earlier step to sign the CSR file:

```bash
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt -days 365 -extfile /etc/ssl/openssl-client.cnf -extensions v3_req
```

Generate the client .p12 file with the client certificate and key:

```bash
openssl pkcs12 -export -inkey client.key -in client.crt -out etest.p12 -name "etest"
```

You will be prompted to enter a password for the .p12 file; type it twice.
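To make visible what the ca.key and server.key files produced above actually hold (a URI, not key material), here is an added example, not code from this page or from pkcs11-provider, that builds and parses that container without asn1crypto; the layout it assumes (a DER SEQUENCE of two UTF8Strings, the fixed description "PKCS#11 Provider URI v1.0" and the URI, armored as "PKCS#11 PROVIDER URI") is my understanding of what uri2pem.py writes and should be checked against your copy of that script.

```python
"""PKCS #11 URI reference PEM (what uri2pem.py writes) built and read without asn1crypto.
Added example, not from the page or from pkcs11-provider. Assumed layout, to be checked
against your copy of uri2pem.py: a DER SEQUENCE of two UTF8Strings, the fixed description
"PKCS#11 Provider URI v1.0" and the URI, base64-armored under "PKCS#11 PROVIDER URI"."""
import base64
PEM_LABEL = "PKCS#11 PROVIDER URI"
DESC = "PKCS#11 Provider URI v1.0"  # assumed description string

def _der_len(n: int) -> bytes:
    # DER length: one byte below 128, else 0x80|count followed by big-endian length bytes
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(content)) + content

def uri_to_pem(uri: str) -> str:
    """Wrap a pkcs11: URI in the PEM container; no key material is involved."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a PKCS #11 URI")
    der = _tlv(0x30, _tlv(0x0C, DESC.encode()) + _tlv(0x0C, uri.encode()))
    b64 = base64.b64encode(der).decode()
    body = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([f"-----BEGIN {PEM_LABEL}-----", *body, f"-----END {PEM_LABEL}-----"]) + "\n"

def _read_tlv(buf: bytes, pos: int, tag: int):
    # Returns (content, next position); accepts short- and long-form lengths
    if buf[pos] != tag:
        raise ValueError(f"unexpected tag {buf[pos]:#x} at offset {pos}")
    ln, pos = buf[pos + 1], pos + 2
    if ln & 0x80:
        cnt = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + cnt], "big"), pos + cnt
    return buf[pos:pos + ln], pos + ln

def pem_to_uri(pem: str) -> str:
    """Parse the container back to its URI; rejects anything else, e.g. a real key file."""
    lines = [ln.strip() for ln in pem.splitlines() if ln.strip()]
    if lines[0] != f"-----BEGIN {PEM_LABEL}-----" or lines[-1] != f"-----END {PEM_LABEL}-----":
        raise ValueError("not a PKCS#11 PROVIDER URI PEM")
    der = base64.b64decode("".join(lines[1:-1]))
    seq, end = _read_tlv(der, 0, 0x30)
    desc, p = _read_tlv(seq, 0, 0x0C)
    uri, p = _read_tlv(seq, p, 0x0C)
    if end != len(der) or p != len(seq) or desc.decode() != DESC:
        raise ValueError("unexpected structure")
    return uri.decode()
```

Running pem_to_uri over a ca.key or server.key produced by the guide is a quick check that a key file checked into a deployment is a reference and not an exported private key.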