External Public Key Infrastructure

The Access Server external public key infrastructure (PKI) feature integrates Access Server with third-party tools for X.509 PKI management instead of using the built-in certificate management capabilities.

When configured for external PKI usage, Access Server doesn't manage client certificates directly; instead, the customer's third-party PKI software generates and distributes client certificate/key pairs to client machines and a server certificate/key pair to the OpenVPN server.

How external PKI mode works for Access Server

Access Server issues and manages its certificates for the server and clients. This certificate infrastructure is the PKI; by default, Access Server automatically manages and provisions the necessary certificates. Switching to external PKI mode involves handing that management to a third-party tool. This changes how VPN client distribution occurs by using two channels rather than one:

  1. Connection profile — The distribution of OpenVPN Connect and a bundled, server-locked profile. The app and profile contain instructions on connecting to the server and the software to make a connection. This can be done using the Client Web UI or by generating and distributing the client installer via the command-line tools.

    Note

    You must create server-locked profiles/installers for external PKI integration.

  2. Certificate/key — The client certificate/key is generated by a third-party tool. This tool manages the external PKI solution. The tool generates the client certificates/keys and installs them on client machines using the host OS certificate/key store — iOS, macOS, Android Keychain, Windows certificate store, or Linux OpenSC. In a standard Access Server setup (not using external PKI), Access Server bundles the certificate/key with the connection profile; external PKI requires the two to be distributed separately.

When operating in external PKI mode, Access Server only supports server-locked profiles, not user-locked profiles. For the VPN client, the server-locked profile must have a client certificate/key pair installed into the host OS keychain or certificate/key store to make a VPN tunnel connection. Some hardware devices or tokens contain a certificate registered with the certificate store using additional software when the token device/card is plugged in.
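As an added example (not Access Server code), the following audit parses an .ovpn profile before distribution and reports any client identity it carries, inline or as a file reference, which is exactly what external PKI mode must not ship in the profile channel. The sample profiles and the `.invalid` hostname are constructed, not real Access Server output.

```python
import re
from typing import Dict, List

# Directives that carry a client identity, either as an inline block
# (<cert>...</cert>) or as a reference to a file shipped with the profile.
CLIENT_IDENTITY_DIRECTIVES = ("cert", "key", "pkcs12")
INLINE_BLOCK_RE = re.compile(r"<(?P<tag>[a-z0-9-]+)>\n(?P<body>.*?)\n</(?P=tag)>", re.S)


def parse_profile(text: str) -> Dict[str, List[str]]:
    """Split an .ovpn profile into inline block tags and plain directive names.

    Block bodies are discarded; only the tag names matter for this audit.
    """
    blocks = [m.group("tag") for m in INLINE_BLOCK_RE.finditer(text)]
    remainder = INLINE_BLOCK_RE.sub("", text)
    directives = []
    for line in remainder.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")):
            continue
        directives.append(line.split()[0])  # e.g. "remote", "key-direction"
    return {"blocks": blocks, "directives": directives}


def client_identity_in_profile(text: str) -> List[str]:
    """Return the blocks/directives that embed or reference a client cert/key.

    An empty list means the profile is server-locked in the sense external PKI
    requires: the client identity comes from the OS certificate store, not the profile.
    """
    parsed = parse_profile(text)
    found = [f"<{t}>" for t in parsed["blocks"] if t in CLIENT_IDENTITY_DIRECTIVES]
    found += [d for d in parsed["directives"] if d in CLIENT_IDENTITY_DIRECTIVES]
    return found


# Constructed sample profiles (placeholder PEM bodies, not real certificates).
SERVER_LOCKED = """client
remote vpn.example.invalid 1194 udp
<ca>
-----BEGIN CERTIFICATE-----
MIIB...constructed...
-----END CERTIFICATE-----
</ca>
"""

USER_LOCKED = SERVER_LOCKED + """<cert>
-----BEGIN CERTIFICATE-----
MIIB...constructed...
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
MIIE...constructed...
-----END PRIVATE KEY-----
</key>
"""
```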

OpenVPN Connect doesn't require direct access to the private key, as it's capable of performing RSA operations on the key via the CSP (cryptographic service provider) API provided by the host OS Keychain. This allows the use of cryptographic tokens or smartcards with the private key, which makes it physically impossible for any software running on the client machine (even at the root/Administrator level) to read the key directly.

Notice

OpenVPN support for an external PKI system with Access Server is limited. Much of the system depends on how the system administrator sets it up, external PKI mode disables many of the internal certificate management functions of Access Server, and a third-party product is involved over which we have no control.

How to set up external PKI