Extracting separate certificate files for a user

Introduction

OpenVPN Access Server combines the certificates and connection instructions into one file: the connection profile or client.ovpn file. This works great for our official VPN client, OpenVPN Connect.

My device requires separate certificate files

What if your device needs separate certificate files?

There are situations where you need separate certificate files (CA, CERT, KEY, and TA) and a separate config file to connect. You can encounter this on embedded solutions such as routers where you provide separate files to load into unique fields in the GUI. Access Server has a command-line method to get these separate files.

This document provides you with the steps to do the following:

  1. Sign in to Access Server.
  2. Generate files for the VPN user account.
  3. Transfer those files to your computer.

After that, it’s up to you to put the files where you need them for the VPN client connection.

Generating and transferring the files

Sign on to your Access Server’s terminal

  1. Connect to your server. You can do this directly at the server’s console or over SSH with a client such as PuTTY.
  2. Sign in with root access, either by signing on directly as root or by using sudo to become root. Note: This is not the VPN client username.

Generate files for the user account

For these next steps, we are using the VPN client username ‘novaflash’. Substitute your own username in these commands. If the user account for the VPN client you’ll be using doesn’t exist yet, refer to Adding and Configuring Users to create it first.

If you want separate files for an autologin profile, append _AUTOLOGIN to the username in the get5 command. In our example, the --cn value becomes novaflash_AUTOLOGIN.

Finally, if TLS authentication is disabled on Access Server, no ta.key file is generated, so you end up with only four files instead of five (even though the command is called get5).

Here are the steps for generating separate files:

  1. Change directory to the scripts directory: cd /usr/local/openvpn_as/scripts/
  2. Execute command: ./sacli --user novaflash AutoGenerateOnBehalfOf
    The likely response is AutoGenerateOnBehalfOf returned none
  3. Execute command: mkdir separate
  4. Execute command: ./sacli -o ./separate --cn novaflash get5
  5. Execute command: ls -la separate

The last command lists the now separated files stored in the folder /usr/local/openvpn_as/scripts/separate/.
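The generation procedure above, wrapped in a POSIX shell script as an added example (not the documentation’s own code). It assumes the sacli path given on this page and that it runs as root on the Access Server host; it also adds what the page leaves to you: a check that the expected files came out (four without ta.key, five with it) and owner-only permissions on the private material before transfer.

```shell
#!/bin/sh
# Added example, not part of the OpenVPN Access Server documentation: wraps the
# page's sacli steps in functions and sanity-checks the output before transfer.
# Assumptions: runs as root on the Access Server host; sacli lives at SCRIPTS_DIR.
SCRIPTS_DIR=/usr/local/openvpn_as/scripts

# Common name for get5: the username as-is, or with _AUTOLOGIN appended when
# the autologin profile is wanted (the page's novaflash_AUTOLOGIN case).
profile_cn() {
    user="$1"
    case "$user" in
        ''|*[!A-Za-z0-9._@-]*) echo "refusing unexpected username: $user" >&2; return 1 ;;
    esac
    if [ "${2:-no}" = "yes" ]; then
        printf '%s_AUTOLOGIN\n' "$user"
    else
        printf '%s\n' "$user"
    fi
}

# Verify a get5 output directory: the four core files must exist and be
# non-empty; ta.key is optional (omitted when TLS authentication is disabled).
# Private material is made owner-readable only. Prints the number of files found.
check_separate_dir() {
    dir="$1"
    found=0
    for f in ca.crt client.crt client.key client.ovpn; do
        [ -s "$dir/$f" ] || { echo "missing $f in $dir" >&2; return 1; }
        found=$((found + 1))
    done
    if [ -s "$dir/ta.key" ]; then
        found=$((found + 1))
    else
        echo "note: no ta.key produced (TLS authentication disabled?)" >&2
    fi
    for f in client.key ta.key; do
        if [ -e "$dir/$f" ]; then chmod 600 "$dir/$f"; fi
    done
    echo "$found"
}

# Full workflow from the page: AutoGenerateOnBehalfOf, then get5 into ./separate.
generate_separate_files() {   # usage: generate_separate_files novaflash [yes]
    cn=$(profile_cn "$1" "${2:-no}") || return 1
    outdir="$SCRIPTS_DIR/separate"
    mkdir -p "$outdir"
    "$SCRIPTS_DIR/sacli" --user "$1" AutoGenerateOnBehalfOf
    "$SCRIPTS_DIR/sacli" -o "$outdir" --cn "$cn" get5
    check_separate_dir "$outdir"
}

if [ -n "${1:-}" ]; then generate_separate_files "$@"; fi
```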

Transfer the files

Now that you have separated files, you need to transfer them to the local computer. If you’re using Linux, you can use scp to copy the files. The steps below are for Windows users.

Note: These steps assume that you can log in directly with the root user account. If this isn’t enabled on your server, one option is to sign in as an unprivileged account and sudo su to get root privileges. However, when WinSCP connects with a non-root account, it cannot read files and folders owned by root, which includes the generated files. To address this, chown the files to the unprivileged user so that account can read them. For example: chown <USERNAME> <FILENAME>.

Here are the steps for transferring the files using WinSCP:

  1. Start WinSCP and click Session.
  2. Enter the server’s address, the username, and password.
  3. Select SCP under File protocol.
  4. Click Login.
  5. Once connected, click the Open folder icon for the server and open /usr/local/openvpn_as/scripts/separate/.
  6. Select the files in the …/separate/ folder on the server and drag and drop them to a folder on your computer in the left pane. From our example, we copied over ca.crt, client.crt, client.key, client.ovpn, and ta.key.

You should now have the separated files saved to your computer for your use.