Tutorial: Configure External PKI with Easy-RSA
How to set up the Access Server External PKI (Public Key Infrastructure) feature using the Easy-RSA tool.
Overview
The Access Server external public key infrastructure (PKI) feature integrates Access Server with third-party tools for X509 PKI management instead of using the built-in certificate management capabilities.
When configured for external PKI usage, Access Server doesn't manage client certificates directly; instead, the customer's third-party PKI software generates and distributes client certificate/key pairs to client machines and a server certificate/key pair to the OpenVPN server.
This tutorial shows you how to set up an external PKI using OpenSSL.
At a high level, these are the steps for your configuration:
Modify as.conf to set Access Server in external PKI mode.
Initiate Easy-RSA.
Generate the CA key and certificate via Easy-RSA commands.
Generate the server key and certificate via Easy-RSA commands.
Generate the client key, certificate, and P12 file via Easy-RSA and OpenSSL commands.
Create the TLS_auth key.
Generate Diffie-Hellman parameters.
Import the necessary certificate and key files to Access Server.
Provide certificate/key pairs in a P12/PFX file to the VPN client.
Generate and download a server-locked profile for the client.
An installed Access Server.
A machine with Easy-RSA and OpenSSL installed. This could be the same Linux where Access Server is installed or an external machine.
Console access and the ability to get root access.
An OpenVPN client that supports the macOS Keychain and Windows certificate store.
Ensure you have Easy-RSA installed:
For Ubuntu/Debian:
sudo apt update sudo apt install easy-rsa
For RHEL:
sudo yum install epel-release sudo yum install easy-rsa
Note
This guide was tested with the following Easy-RSA versions: 3.0.8, 3.1.0, 3.1.7, and 3.2.1.
Connect to the Access Server console and get root privileges.
Edit as.conf for external PKI usage:
nano /usr/local/openvpn_as/etc/as.conf
Comment out certs_db:
# certificates database # certs_db=sqlite:///~/db/certs.db
Save and exit the file — ctrl+x, y, then enter.
Access Server no longer uses the certificate database. Instead, an external system must handle this.
Run the following commands to initiate Easy-RSA:
cp -r /usr/share/easy-rsa/ /etc/easy-rsa/ cd /etc/easy-rsa/ ./easyrsa init-pki
Notice
If you're using Easy-RSA version 3.2.1, you need to run the following commands:
cp -r /usr/share/easy-rsa/ /etc/easy-rsa/ cd /etc/easy-rsa/3.2.1 ./easyrsa init-pki
Run the command below to generate the CA certificate and key:
./easyrsa build-ca
Enter a New CA Key Passphrase at the prompt.
Tip
This is used to sign the remaining certificates.
You now have two files:
CA key (
/etc/easy-rsa/pki/private/ca.key)CA certificate (
/etc/easy-rsa/pki/ca.crt)
Open the x509/types/server file to edit (we use nano):
nano x509-types/server
Remove the contents of this file and add these lines:
basicConstraints = critical, CA:FALSE keyUsage = critical, digitalSignature, keyEncipherment extendedKeyUsage = serverAuth subjectKeyIdentifier = hash authorityKeyIdentifier = keyid,issuer:always
Save and exit the file — ctrl + x, y, then enter.
Open the x509-types/client file to edit (we use nano):
nano x509-types/client
Remove the contents of this file and add these lines:
basicConstraints = critical, CA:FALSE keyUsage = critical, digitalSignature extendedKeyUsage = clientAuth nsCertType = client subjectKeyIdentifier = hash authorityKeyIdentifier = keyid,issuer:always
Save and exit the file — ctrl + x, y, then enter.
Run the below command to generate the server CSR:
./easyrsa gen-req server nopass
You'll be asked to enter the CN of the Server Certificate (e.g.,
OpenVPN Server).
Run the below command to generate the server certificate with the custom OpenSSL file created in Step 4:
./easyrsa --req-cn="OpenVPN Server" sign-req server server
You now have two files:
Server key (
/etc/easy-rsa/pki/private/server.key)Server certificate (
/etc/easy-rsa/pki/issued/server.crt)
Run the below command to generate the client CSR:
./easyrsa gen-req etest nopass
You'll be asked to enter the CN of the Client Certificate (e.g., etest).
Run the below command to generate the client certificate with the custom OpenSSL file created in Step 5:
./easyrsa --req-cn="etest" sign-req client etest
Generate a P12 file with the client certificate and key:
openssl pkcs12 -export -inkey /etc/easy-rsa/pki/private/etest.key -in /etc/easy-rsa/pki/issued/etest.crt -out /etc/easy-rsa/pki/etest.p12 -name "etest"
If you're using Easy-RSA version 3.2.1, you need to run the following command:
openssl pkcs12 -export -inkey /etc/easy-rsa/3.2.1/pki/private/etest.key -in /etc/easy-rsa/3.2.1/pki/issued/etest.crt -out /etc/easy-rsa/3.2.1/pki/etest.p12 -name "etest"
You'll be prompted to enter a password for the P12 file. Type it twice.
You now have three files:
Client key (
/etc/easy-rsa/pki/private/etest.key)Client certificate (
/etc/easy-rsa/pki/issued/etest.crt)P12 file (
/etc/easy-rsa/pki/etest.p12)
Tip
If you encounter a 'friendlyName' import error, refer to this support article: OpenVPN Connect v3.5.x Certificate/Key Import Error When "friendlyName" is Missing in the P12 File.
Connect to the Access Server console and get root privileges.
Create a directory:
cd .. && mkdir epki && cd epki
Place the CA certificate, server certificate, and key generated from the OpenSSL commands in the new epki directory:
cp /etc/easy-rsa/pki/ca.crt ./ cp /etc/easy-rsa/pki/issued/server.crt ./ cp /etc/easy-rsa/pki/private/server.key ./
If you're using Easy-RSA version 3.2.1, run the following commands:
Create a tls_auth key for the OpenVPN server:
/usr/local/openvpn_as/scripts/certool --tls_auth
Generate Diffie Hellman parameters for the OpenVPN server:
openssl dhparam -out dh.pem 2048
For Access Server 2.7 and newer, you must also generate your auth token and add the generated file:
/usr/local/openvpn_as/scripts/certool --auth_token
Configure X509 explicit/extended key usage based on RFC3280 TLS rules:
/usr/local/openvpn_as/scripts/sacli --key "external_pki.remote_cert_usage" --value eku ConfigPut
Configure the use of the X509 “role” attribute for the declaration of auto-login permission:
/usr/local/openvpn_as/scripts/sacli --key "external_pki.autologin_x509_spec" --value "role,,AUTOLOGIN" ConfigPut
Generate the tls-crypt-v2 key (for Access Server 2.9.0 and higher only):
/usr/local/openvpn_as/scripts/certool --tls_crypt2_server
Load the newly generated files into the Access Server config database:
/usr/local/openvpn_as/scripts/sacli --key "external_pki.ta_key" --value_file ta.key ConfigPut /usr/local/openvpn_as/scripts/sacli --key "external_pki.ca_crt" --value_file ca.crt ConfigPut /usr/local/openvpn_as/scripts/sacli --key "external_pki.server_crt" --value_file server.crt ConfigPut /usr/local/openvpn_as/scripts/sacli --key "external_pki.server_key" --value_file server.key ConfigPut /usr/local/openvpn_as/scripts/sacli --key "external_pki.dh_pem" --value_file dh.pem ConfigPut /usr/local/openvpn_as/scripts/sacli --key "external_pki.auth_token_key" --value_file auth_token.key ConfigPut /usr/local/openvpn_as/scripts/sacli --key "external_pki.tls_cryptv2_server" --value_file tls_crypt2.key ConfigPut
Start Access Server:
systemctl restart openvpnas
To test our example, we generate a test client, etest.
Sign in to the Admin Web UI.
Click User Management > User Permissions.
Create the new user, etest, and click More Settings to enter a password.
Finally, generate a server-locked profile. The profile will be stored in etest.ovpn:
/usr/local/openvpn_as/scripts/sacli GetGeneric >etest.ovpn
Copy these two files to the client machine:
Client P12 file (etest.p12)
Client profile (etest.ovpn)
Install the profile and P12 file in OpenVPN Connect v3:
Launch OpenVPN Connect v3.
Import the connection profile, etest.ovpn.
Click Certificate & Tokens.
Under PKCS#12, click ADD CERTIFICATE.
Select your client P12 file etest.p12.
Enter the password for this file that you configured in step 7 and click OK.
Go back to the Profiles and click or tap the Edit icon for the profile.
Under Certificate and Key, click or tap Assign.
Select the hardware token and click CONFIRM.
Save the changes.
Click or tap the profile toggle to connect.
With the release of Access Server 2.14.2, we've made configuring client connection profiles for ePKI easier. Previously, creating these profiles required using the command line, as noted in the tutorial. However, in version 2.14.2 and later, you can now create and manage ePKI client connection profiles directly from Access Server's Client Web UI.
There are two types of ePKI profiles available:
Generic ePKI profile:
This profile requires the user to authenticate with a password when connecting.
Ideal for environments where a password-based security layer is needed in addition to certificate-based authentication.
Auto-login ePKI profile;
This profile automatically uses the certificate for authentication without requiring a password.
Suitable for unattended devices or systems where automatic, certificate-based login is needed.
In addition, the Import Profile from URL functionality in OpenVPN Connect allows users to import these connection profiles directly, making the configuration process faster and more seamless.
This update simplifies the ePKI setup, providing more flexibility and reducing the reliance on the command line.