External Public Key Infrastructure
The Access Server external public key infrastructure (PKI) feature integrates Access Server with third-party tools for X.509 PKI management instead of using the built-in certificate management capabilities.
When configured for external PKI usage, Access Server doesn't manage client certificates directly; instead, the customer's third-party PKI software generates and distributes client certificate/key pairs to client machines and a server certificate/key pair to the OpenVPN server.
How external PKI mode works for Access Server
Access Server issues and manages its certificates for the server and clients. This certificate infrastructure is the PKI. By default, Access Server automatically manages and provisions the necessary certificates. Switching to external PKI mode involves handing that management to a third-party tool. This changes how VPN client distribution occurs by using two channels rather than one:
Connection profile — The distribution of OpenVPN Connect and a bundled connection profile. Together, the app and profile provide the software needed to make a connection and the instructions for reaching the server. This can be done using the Client Web UI or by generating and distributing the client installer via the command-line tools.
Note
For Access Server versions prior to 2.14.2, you must create server-locked profiles/installers for external PKI integration.
Certificate/key — The client certificate/key is generated by a third-party tool that manages the external PKI solution. The tool generates the client certificates/keys and installs them on client machines using the host OS certificate/key store — iOS, macOS, Android Keychain, Windows certificate store, or Linux OpenSC. In a standard Access Server setup without external PKI, Access Server bundles the certificate/key with the connection profile; external PKI mode requires the two to be delivered separately.
As of Access Server 2.14.2, external PKI mode supports user-locked, auto-login, and server-locked profiles. Prior versions only support server-locked profiles. For the VPN client, the server-locked profile must have a client certificate/key pair installed into the host OS keychain or certificate/key store to make a VPN tunnel connection. Some hardware devices or tokens contain a certificate registered with the certificate store using additional software when the token device/card is plugged in.
OpenVPN Connect doesn't require direct access to the private key, as it can perform RSA operations on the key via the CSP (cryptographic service provider) API provided by the host OS Keychain. This allows using cryptographic tokens or smartcards with the private key, making it physically impossible for any software running on the client machine (even at the root/Administrator level) to read the key directly.
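The two-channel model above means a profile destined for external PKI mode should carry the server address and the CA needed to verify the server, but no inline client certificate or private key; the client identity arrives through the host OS store instead. As an added example (not part of the Access Server documentation or product), the following Python inspects an .ovpn profile and reports whether it is shaped that way. The `cryptoapicert` and `pkcs11-id` keywords are OpenVPN client directives that reference a certificate held in the Windows certificate store or on a PKCS#11 token (such as one managed by OpenSC); the two sample profiles, their placeholder PEM bodies and the subject name `alice` are constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Inline blocks an OpenVPN profile may carry. <cert> and <key> are the client
# identity, which external PKI mode must NOT embed in the profile.
INLINE_TAGS = ("ca", "cert", "key", "tls-auth", "tls-crypt")
# Directives that point the client at a certificate/key held outside the
# profile (Windows certificate store, PKCS#11 token).
STORE_DIRECTIVES = ("cryptoapicert", "pkcs11-id")


@dataclass
class ProfileReport:
    inline: dict = field(default_factory=dict)       # tag -> PEM body
    directives: dict = field(default_factory=dict)   # keyword -> [arguments]
    store_references: list = field(default_factory=list)
    problems: list = field(default_factory=list)

    @property
    def external_pki_ready(self) -> bool:
        return not self.problems


def parse_profile(text: str) -> ProfileReport:
    """Split an .ovpn profile into inline PEM blocks and plain directives."""
    report = ProfileReport()

    def grab(match):
        report.inline[match.group(1)] = match.group(2).strip()
        return ""  # drop the block so PEM lines are not read as directives

    body = re.sub(r"<(\w[\w-]*)>(.*?)</\1>", grab, text, flags=re.S)
    for raw in body.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        keyword, _, args = line.partition(" ")
        report.directives.setdefault(keyword, []).append(args.strip())
    report.store_references = [d for d in STORE_DIRECTIVES if d in report.directives]
    return report


def check_external_pki(text: str) -> ProfileReport:
    """Flag anything that contradicts the separate-channel requirement."""
    report = parse_profile(text)
    if "remote" not in report.directives:
        report.problems.append("no 'remote' directive: profile cannot locate the server")
    if "ca" not in report.inline:
        report.problems.append("no inline <ca>: client cannot verify the server certificate")
    for tag in ("cert", "key"):
        if tag in report.inline:
            report.problems.append(
                f"inline <{tag}> found: the client identity must come from the "
                "external PKI tool via the OS key store, not from the profile")
    return report


# Constructed sample profiles with placeholder PEM bodies (not real keys).
BUNDLED_PROFILE = """\
client
dev tun
remote vpn.example.test 1194 udp
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CA
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CLIENT-CERT
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
PLACEHOLDER-CLIENT-KEY
-----END PRIVATE KEY-----
</key>
"""

EXTERNAL_PKI_PROFILE = """\
client
dev tun
remote vpn.example.test 1194 udp
# client identity lives in the Windows certificate store (constructed subject)
cryptoapicert "SUBJ:alice"
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CA
-----END CERTIFICATE-----
</ca>
"""

if __name__ == "__main__":
    for name, profile in (("bundled", BUNDLED_PROFILE), ("external", EXTERNAL_PKI_PROFILE)):
        r = check_external_pki(profile)
        print(name, "ready" if r.external_pki_ready else "NOT ready", r.problems,
              "store refs:", r.store_references)
```

The bundled profile is rejected because it embeds `<cert>` and `<key>`; the external PKI profile passes and records `cryptoapicert` as the store reference. A missing store directive is deliberately not treated as a problem, since macOS, iOS and Android clients locate the certificate in the Keychain without a profile directive.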
Notice
OpenVPN support for an external PKI system with Access Server is limited. Much of the setup depends on how the system administrator configures it, external PKI mode disables many of Access Server's internal certificate management functions, and a third-party product is involved over which we have no control.