Tutorial: Extract Separate Certificate Files for a User

Abstract

Access Server combines the certificates and the instructions for the OpenVPN client program into one file. Here's how to extract separate cert files.

Overview

Connection profiles (.ovpn text files) contain the directives, parameters, and certificates required to establish the server-client connection. This commonly includes addresses and ports to contact the server, information verifying the server identity, securing the TLS control channel, and other settings. An OpenVPN client will need such information to connect to an OpenVPN server.

With our Access Server product, we prefer to use connection profiles that bundle all necessary information into one file. This works well with almost all OpenVPN clients, particularly OpenVPN Connect. For some open-source-based OpenVPN clients, splitting out the certificates and keys from the connection profile may be necessary.

Follow this tutorial to extract the certificates and keys from the connection profile.

  • An installed Access Server.

  • Console access and the ability to get root access.

  • Configured user accounts.

  • Connect to your server with root privileges.

    • You can do this through the terminal, directly to your server, or using an app like PuTTY.

    • To gain root privileges, you can sign in directly as root or use sudo to elevate. This is not the VPN client username.

Tip

For these next steps, we use the VPN client username, ‘test-client’. Ensure you substitute your username for these commands. If you don’t have the user for the VPN client you’ll be using, refer to the tutorial, Adding Users to Access Server.

  1. Switch to the scripts directory:

    cd /usr/local/openvpn_as/scripts/
  2. Create a subfolder named separate:

    mkdir ./separate
  3. Save a separate-files version of a user-locked profile:

    ./sacli --prefer-tls-crypt-v2 -o ./separate --user "test-client" GetUserlogin5

    Or save a separate-files version of an auto-login profile:

    ./sacli --prefer-tls-crypt-v2 -o ./separate --user "test-client" GetAutologin5

    Note

    • The files are saved in the /usr/local/openvpn_as/scripts/separate/ directory.

    • Access Server 2.9 or newer supports TLS Crypt v2. If you use an older Access Server or do not wish to use TLS Crypt v2, please omit the --prefer-tls-crypt-v2 flag.

    • Autologin profiles require the user to have autologin permission, whether granted directly or inherited. By default, autologin permission is denied.

    • We recommend enclosing usernames in double-quotes ("), particularly when they contain spaces.

    • For GetUserlogin5 and GetAutologin5, you can specify the output directory with the -o parameter (./separate in the example).

More information on separate files

The GetUserlogin5 and GetAutologin5 functions output several separate files. Depending on your TLS control channel configuration, the last two files in the overview below may not be needed or even present.

  • client.ovpn — OpenVPN connection profile

  • ca.crt — server CA certificate

  • client.crt — client certificate

  • client.key — client private key

  • ta.key — TLS control channel key (TLS Auth or TLS Crypt)

  • tls_crypt_v2.key — TLS control channel key (TLS Crypt v2)
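
Before transferring the files, it is worth confirming that everything in the list above is present, that each file carries the expected header, and that the files are readable by their owner only. The shell functions below are an added example, not part of Access Server or sacli; the function names are hypothetical, and the header strings assume the standard PEM and OpenVPN key file headers.

```shell
#!/bin/sh
# Added example (not Access Server code). Helper names are hypothetical.
# Usage, after sourcing this file as root:
#   check_separate_dir /usr/local/openvpn_as/scripts/separate

# check_one DIR NAME MARKER required|optional -> 0 if acceptable, 1 if not
check_one() {
    f="$1/$2"
    if [ ! -f "$f" ]; then
        # ta.key and tls_crypt_v2.key depend on the control channel setup
        [ "$4" = optional ] && return 0
        echo "missing: $2" >&2
        return 1
    fi
    # Owner-only: still readable by the new owner after a later chown
    chmod 600 "$f"
    # Assumed header text; an empty MARKER skips the content check
    if [ -n "$3" ] && ! grep -q -e "$3" "$f"; then
        echo "unexpected content: $2" >&2
        return 1
    fi
    return 0
}

# check_separate_dir DIR -> 0 if every listed file looks right, 1 otherwise
check_separate_dir() {
    d="$1"; rc=0
    [ -d "$d" ] || { echo "no such directory: $d" >&2; return 1; }
    check_one "$d" client.ovpn      ""                                required || rc=1
    check_one "$d" ca.crt           "BEGIN CERTIFICATE"               required || rc=1
    check_one "$d" client.crt       "BEGIN CERTIFICATE"               required || rc=1
    check_one "$d" client.key       "PRIVATE KEY"                     required || rc=1
    check_one "$d" ta.key           "OpenVPN Static key"              optional || rc=1
    check_one "$d" tls_crypt_v2.key "OpenVPN tls-crypt-v2 client key" optional || rc=1
    return $rc
}

# key_matches_cert DIR -> 0 if client.key is the private key for client.crt.
# Compares the public key derived from each file; needs the openssl CLI.
key_matches_cert() {
    a=$(openssl x509 -in "$1/client.crt" -noout -pubkey 2>/dev/null) || return 1
    b=$(openssl pkey -in "$1/client.key" -pubout 2>/dev/null) || return 1
    [ "$a" = "$b" ]
}
```
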

Now that you have separate files, you need to transfer them to the local computer. If you’re using Linux or macOS, you can use scp to copy the files. The steps below are for Windows users.

Tip

These steps assume you can sign in directly with the root user account. If this isn’t enabled on your server, one option is to sign in with an unprivileged account and run sudo su to get root privileges. However, when you use WinSCP with a non-root account, it doesn’t have access to all files and folders on the system, especially those owned by root. To address this, you need to chown the files to make them readable and accessible to the unprivileged user. For example: chown <USERNAME> <FILENAME>.

Here are the steps for transferring the files using WinSCP:

  1. Start WinSCP and click Session.

  2. Enter the server’s address, username, and password.

  3. Select SCP under File protocol.

  4. Click Login.

  5. Once connected, click the Open folder icon for the server and open /usr/local/openvpn_as/scripts/separate/.

  6. Select the files in the …/separate/ folder on the server, then drag and drop them to a folder on your computer in the left pane.

    • You should now have the separate files saved to your computer for your use.