How to manage CA, Server and client certificates with easy-RSA for OpenVPN

Version 2.5

Applies to Platform: Linux
Last Update: 04 June 2014


If you have an Endian Appliance equipped with the 3.0 or newer version, you can manage all the CA and certificates of your Appliance directly from the GUI, under Menubar > VPN > Certificates.


This lessons illustrates how to generate a CA, along with a server and a client certificate using easy-RSA for OpenVPN from a Linux box.

We create a certificate/key for CA, Server and client.
To establish a certificate-based VPN connection the server require:

  • CA certificate, needed to create server and client certificate and used to verify if the client certificate was signed by the master CA (Certification Authority). The CA key must be kept secret.
  • Server certificate and key, its own certificate/key. The server will only accept clients whose certificates were signed by the master CA certificate.

To avoid Men-in-the-middle attack, the Endian UTM Appliance checks that a client certificate was designed to be a client. Endian UTM Appliances used as OpenVPN servers work with pkcs#12 certificates that include CA certificate, Server Certificate, and Server private key.

The client side require:

  • CA certificate
  • client certificate
  • client private key

Endian UTM Appliances used as OpenVPN clients work with pkcs#12 certificate that include CA certificate, Client Certificate and Client private key.


PC with Linux OS.

Internet connectivity to download openvpn community package.

Root privileges to install openvpn community package.

Server and client clocks need to be synced or certificates might not work properly.


If you have a debian-based linux distribution on your PC to install openvpn run from root:


root@linux:~# aptitude install openvpn

Otherwise you can consult the man page of the package manager of your linux distribution.
For more information about installation go to


When you install openvpn, it is enabled on boot. If you don't want this, remember to disable the service.


The first step to create CA is editing the vars file in /etc/openvpn/2.0: Open a shell on your linux pc and copy the entire folder /usr/share/doc/openvpn/examples/easy-rsa/2.0/ in /etc/openvpn.

Edit file /etc/openvpn/2.0/vars, go to the bottom and modify all these parameters:


Don't leave any of these parameters blank.
export KEY_COUNTRY="US"                  #
export KEY_PROVINCE="NY"                 # Here insert values that correspond with your organization
export KEY_CITY="New York"               #
export KEY_ORG="ACME,Inc."               #
export KEY_EMAIL=""           #

Edit file /etc/openvpn/2.0/openssl.cnf and check that the following parameters are present and not commented. If one or more are not present, create them.

[ usr_cert ]
     nsCertType                        = client
     nsComment                         = "OpenSSL Generated Client Certificate"

In the /etc/openvpn/2.0 folder run these commands, which create certificates in the /etc/openvpn/2.0/keys directory. Running all of them is needed only the first time: To create further client certificates see further on.

root@linux: /etc/openvpn/2.0 # source vars
root@linux: /etc/openvpn/2.0 # ./clean-all
root@linux: /etc/openvpn/2.0 # ./build-ca
root@linux: /etc/openvpn/2.0 # ./build-dh
root@linux: /etc/openvpn/2.0 #./pkitool --interact --pkcs12 --server EndianUTMAppliance
root@linux: /etc/openvpn/2.0 #./pkitool --interact --pkcs12 John

source vars :

This command reads all the parameters and passes them to other command.

./clean all :

This command erases all data from /etc/openvpn/2.0/keys!

./build-ca :

This command creates your CA certificate and key. Note that in the above sequence, most queried parameters were defaulted to the values set in the vars. The only parameter which must be explicitly entered is the Common Name.

./build-dh :

This command creates a Diffie Hellman parameters.

./pkitool --interact --pkcs12 --server EndianUTMAppliance :

With this command you generate a server certificate and key. In Common Name value insert your Endian UTM Appliance logical name, in this example EndianUTMAppliance, and when requested, insert an export password that will be used when you import the server certificate.

./pkitool --interact --pkcs12 John:

With this command you generate a client certificate and client key. Enter a certificate name and Common Name that match the username of user created under openvpn on your Endian UTM Appliance.

 When you want to create more client certificates at some later time, all you need to do is have the original /etc/openvpn/2.0/keys directory and then run these commands from within the /etc/openvpn/2.0 directory:

root@linux: /etc/openvpn/2.0 # source vars
root@linux: /etc/openvpn/2.0# ./pkitool --interact --pkcs12 bob

These two commands create a client certificate for the user bob on the OpenVPN server.

Was this article helpful?
1 out of 1 found this helpful
Have more questions? Submit a request


  • Avatar

    So which file do you then import into Endian when it is the server, and which do you import when Endian is the client for gw2gw?