Skip to main content

Tutorial: Configure External PKI with SecureW2

Abstract

How to set up the Access Server External PKI (Public Key Infrastructure) feature using SecureW2.

Overview

The Access Server external public key infrastructure (PKI) feature integrates Access Server with third-party tools for X509 PKI management instead of using the built-in certificate management capabilities.

When configured for external PKI usage, Access Server doesn't manage client certificates directly; instead, the customer's third-party PKI software generates and distributes client certificate/key pairs to client machines and a server certificate/key pair to the OpenVPN server.

This tutorial shows you how to set up external PKI using SecureW2.

At a high level, these are the steps for your configuration:

  1. Modify as.conf to set Access Server in external PKI mode.

  2. Create the server and intermediate using SecureW2

  3. Create certificate templates for the server and clients via SecureW2.

  4. Generate the server certificate and key via SecureW2.

  5. Generate the client certificate and key via SecureW2.

  6. Create the TLS_auth key.

  7. Generate Diffie-Hellman parameters.

  8. Import the necessary certificate and key files to Access Server.

  9. Provide certificate/key pairs in a P12/PFX file to the VPN client.

  10. Generate and download a server-locked profile for the client.

Prerequisites

  • An installed Access Server.

  • A SecureW2 account and access to the Management Portal.

  • Console access and the ability to get root access.

  • An OpenVPN client that supports the macOS Keychain and Windows certificate store.

Step 1: Set Access Server to external PKI mode.

  1. Connect to the Access Server console and get root privileges.

  2. Edit as.conf for external PKI usage:

    nano /usr/local/openvpn_as/etc/as.conf

  3. Comment out certs_db:

    # certificates database
# certs_db=sqlite:///~/db/certs.db

  4. Save and exit the file — ctrl+x, y, then enter.

    • Access Server no longer uses the certificate database. Instead, an external system must handle this.

Step 2: Create a server CA

To add a Root CA, follow these next steps:

  1. Sign in to the JoinNow Management Portal.

  2. Go to Dynamic PKI > Certificate Authorities.

  3. Click Add Certificate Authority.

  4. Under Basic:

    • From Generate CA For, select Device and User Authentication.

    • From Type, select Root CA.

    • In Common Name, enter the name for the root CA (for example, OpenVPN Root CA).

    • From Key Size, select 2048.

    • From Signature Algorithm, select SHA-256.

    • In Validity Period (years), enter how long the root CA certificate should remain valid.

  5. Click Save.

Step 3: Create an intermediate CA

  1. Sign in to the JoinNow Management Portal.

  2. Go to Dynamic PKI > Certificate Authorities.

  3. Click Add Certificate Authority.

  4. Under Basic:

    • From Generate CA For, select Device and User Authentication.

    • From Type, select Intermediate CA.

    • From Certificate Authority, select either an internal or an external CA.

    • In Common Name, enter the name for the intermediate CA (for example, OpenVPN Intermediate CA).

    • From Key Size, select 2048.

    • From Signature Algorithm, select SHA-256.

    • In Validity Period (years), enter how long the Intermediate CA should remain valid.

  5. Under Notifications:

    • From Expiry Notification Frequency (days), select how often certificate expiry notifications are sent.

    • Select Notify user on successful Enrollment to send a notification after successful enrollment.

  6. Under Revocation:

    • In Revoke Certificate if unused for, enter the number of days after which an unused certificate is revoked, and choose one of:

      • Since last usage — revoke if the certificate remains unused for that number of days.

      • Since certificate issuance — revoke that number of days after issuance.

    • From Reason Code, select a revocation reason: Certificate Hold, AA Compromise, Privilege Withdrawn, or Unspecified.

  7. Click Save.

Step 4: Create a server template

  1. Go to Dynamic PKI > Certificate Authorities.

  2. In the Certificate Templates section, click Add Certificate Template.

  3. Under Basic:

    • In Name, enter a name for the server template (for example, OpenVPN Server Template).

    • In Validity Period, enter the validity duration in d m y format (for example, 0d 0m 1y for one year).

  4. Under Extended Key Usage, from Use Certificate For, select Server Authentication.

  5. Click Save.

Step 5: Create a client template

  1. Go to Dynamic PKI > Certificate Authorities.

  2. In the Certificate Templates section, click Add Certificate Template.

  3. Under Basic:

    • In Name, enter a name for the server template (for example, OpenVPN Client Template).

    • In Validity Period, enter the validity duration in d m y format (for example, 0d 0m 1y for one year).

  4. Under Extended Key Usage, from Use Certificate For, select Client Authentication.

  5. Click Save.

Step 6: Create a server certificate and key

  1. Go to Dynamic PKI > Create Certificate.

  2. Under Device Info, from Operating System, select Linux.

  3. Under Certificate Signing Request:

    • Select Generate Keypair and CSR.

    • In Subject, enter the common name for the server certificate (for example, CN=server).

  4. Under Certificate Issuance Policy:

    • From Certificate Authority, select the intermediate CA you created earlier.

    • From Use Certificate Template, select the server template you created earlier.

    • Select Include Entire Certificate Chain.

  5. Under Distribution: > Format, select PEM.

    • From Format, select PEM.

    • From Receive via, select Download.

  6. Click Create.

    • When prompted, create a password for the server's private key.

  7. A ZIP file downloads containing:

    • Server Certificate (server.crt)

    • Server Key (server.key)

    • CA Bundle (cacert.crt)

Step 7: Create a client certificate and key

  1. Go to Dynamic PKI > Create Certificate.

  2. Under Device Info, from Operating System, select the VPN user's operating system (for example, Windows or macOS).

  3. Under Certificate Signing Request:

    • Select Generate keypair and CSR.

    • In Subject, enter the common name for the client certificate (for example, CN=etest).

  4. Under Certificate Issuance Policy:

    • From Certificate Authority, select the intermediate CA you created earlier.

    • From Use Certificate Template, select the client template you created earlier.

  5. Under Distribution:

    • From Format, select PKCS12.

    • From Receive via, select Download.

  6. Click Create.

    • When prompted, create a password for the client's private key.

  7. A .p12 file is generated (for example, etest.p12.

Important

As of this writing, SecureW2 PKI doesn't support creating a custom Subject Name with the value role=AUTOLOGIN. This field is required to generate client certificates compatible with auto-login profiles and connections.

Step 8: Configure the necessary files on Access Server

  1. Connect to the Access Server console and get root privileges.

  2. Create a directory:

    mkdir epki && cd epki

  3. Place the CA bundle, server certificate, and key generated from SecureW2 via WinSCP or SCP in this new "epki" directory.

  4. Remove the password from the server key:

    openssl rsa -in server.key -out newserver.key

    Important

    When running this command, you'll be prompted for a password. Use the password you configured for the server key file earlier.

  5. Create a tls_auth key for the OpenVPN server:

    /usr/local/openvpn_as/scripts/certool --tls_auth

  6. Generate Diffie Hellman parameters for the OpenVPN server:

    openssl dhparam -out dh.pem 2048

  7. Generate your auth token and add the generated file:

    /usr/local/openvpn_as/scripts/certool --auth_token

  8. Configure X509 explicit/extended key usage based on RFC3280 TLS rules:

    /usr/local/openvpn_as/scripts/sacli --key "external_pki.remote_cert_usage" --value eku ConfigPut

  9. Configure the use of the X509 “role” attribute for the declaration of auto-login permission:

    /usr/local/openvpn_as/scripts/sacli --key "external_pki.autologin_x509_spec" --value "role,,AUTOLOGIN" ConfigPut

  10. Generate the tls-crypt-v2 key:

    /usr/local/openvpn_as/scripts/certool --tls_crypt2_server

  11. Load the newly generated files into the Access Server config database:

    /usr/local/openvpn_as/scripts/sacli --key "external_pki.ta_key" --value_file ta.key ConfigPut
/usr/local/openvpn_as/scripts/sacli --key "external_pki.ca_crt" --value_file CA.pem ConfigPut
/usr/local/openvpn_as/scripts/sacli --key "external_pki.server_crt" --value_file server.crt ConfigPut
/usr/local/openvpn_as/scripts/sacli --key "external_pki.server_key" --value_file server.key ConfigPut
/usr/local/openvpn_as/scripts/sacli --key "external_pki.dh_pem" --value_file dh.pem ConfigPut
/usr/local/openvpn_as/scripts/sacli --key "external_pki.auth_token_key" --value_file auth_token.key ConfigPut
/usr/local/openvpn_as/scripts/sacli --key "external_pki.tls_cryptv2_server" --value_file tls_crypt2.key ConfigPut

  12. Start Access Server:

    systemctl restart openvpnas

Step 9: Configure a test client

To test our example, we generate a test client, etest.

  1. Sign in to the Admin Web UI.

  2. Click Users.

  3. Click Add New User.

  4. Click User Management > User Permissions.

  5. Create the new user, etest, and click Save.

  6. Click Reset Password.

  7. Enter a password and click Reset.

  8. Click Restart.

  9. Click the Connection Profiles tab.

  10. Click New Connection Profile.

  11. From Profile type, select Server-locked, enter an optional comment, and click Download.

    • The serverlocked.ovpn profile downloads.

  12. Rename the file etest.ovpn.

  13. Copy these two files to the client machine:

    • Client P12 file (etest.p12)

    • Client profile (etest.ovpn)

Step 10: Import the client profile and the client P12 file into OpenVPN Connect v3

  1. Launch OpenVPN Connect v3.

  2. Import the connection profile, etest.ovpn.

  3. Click Menu > Certificate & Tokens.

  4. Under PKCS#12, click the Add icon.

  5. Select your client P12 file (etest.p12).

  6. Enter the password for this file that you previously configured and click OK.

  7. Go back to the Home.

  8. Click Menu > My Profiles.

  9. Click or tap the Edit icon for the profile.

  10. Under Certificate and Key, click or tap Assign.

  11. Select the hardware token and click Confirm.

  12. Save the changes.

  13. Click or tap to connect.

Simplified ePKI client configuration (Access Server 2.14.2 and later)

With the release of Access Server 2.14.2, we've made configuring client connection profiles for ePKI easier. Previously, creating these profiles required using the command line, as noted in the tutorial. However, in version 2.14.2 and later, you can now create and manage ePKI client connection profiles directly from Access Server's Client Web UI.

There are two types of ePKI profiles available:

  1. Generic ePKI profile:

    epki-generic.png

    • This profile requires the user to authenticate with a password when connecting.

    • Ideal for environments where a password-based security layer is needed in addition to certificate-based authentication.

  2. Auto-login ePKI profile;

    epki-autologin.png

    • This profile automatically uses the certificate for authentication without requiring a password.

    • Suitable for unattended devices or systems where automatic, certificate-based login is needed.

In addition, the Import Profile from URL functionality in OpenVPN Connect allows users to import these connection profiles directly, making the configuration process faster and more seamless.

This update simplifies the ePKI setup, providing more flexibility and reducing the reliance on the command line.

In this section: