Extracting separate certificate files for a user

Introduction

Connection profiles (.ovpn text files) contain the directives, parameters, and certificates required to establish the server-client connection. This commonly includes addresses and ports to contact the server, information verifying the server identity, securing the TLS control channel, and other settings. An OpenVPN client will need such information to establish a connection to an OpenVPN server.

With our OpenVPN Access Server product, we prefer to use connection profiles that bundle all necessary information into one file. This works well with almost all OpenVPN clients, particularly our OpenVPN Connect client software. For some open-source-based OpenVPN clients, splitting out the certificates and keys from the connection profile may be necessary, and we provide the tools and information to do that.

My device requires separate certificate files

Access Server provides a way to generate a connection profile as separate files. This document provides you with the steps to do the following:

  1. Sign in to Access Server.
  2. Generate separate files for an Access Server user.
  3. Transfer those files to your computer.

After that, you can place the files where they need to be so the OpenVPN client can establish a connection.

Generating and transferring the files

Sign on to your Access Server’s terminal

  1. Connect to your server. You can do this at the server's own terminal or remotely with an SSH app like PuTTY.
  2. Sign in with root access, whether you sign on directly as root or sudo up. Note: This is not the VPN client username.

Generate files for the user account

For these next steps, we use the VPN client username ‘novaflash’. Substitute your own VPN client username in these commands. If the user for the VPN client you’ll be using doesn’t exist yet, refer to Adding and Configuring Users to create it first.

Go to the scripts directory and create a subfolder named separate:

cd /usr/local/openvpn_as/scripts/
mkdir ./separate

Save a separate-files version of a user-locked profile:

./sacli --prefer-tls-crypt-v2 -o ./separate --user "novaflash" GetUserlogin5

Or save a separate-files version of an autologin profile:

./sacli --prefer-tls-crypt-v2 -o ./separate --user "novaflash" GetAutologin5

Notes regarding the use of these commands:

  • The files are saved in the /usr/local/openvpn_as/scripts/separate/ directory.
  • Access Server 2.9 or newer supports TLS Crypt v2. If you use an older Access Server or do not wish to use TLS Crypt v2, please omit the --prefer-tls-crypt-v2 flag.
  • Autologin profiles require the user to have autologin permission, whether granted directly or inherited. By default, autologin permission is denied.
  • We recommend enclosing usernames in double-quotes ("), particularly when they contain spaces.
  • For GetUserlogin5 and GetAutologin5, you can specify the output directory with the -o parameter (./separate in the example).

More information on separate files

The GetUserlogin5 and GetAutologin5 functions output several separate files. Depending on your TLS control channel configuration, the last two files in the overview below may not be needed or even present.

  • client.ovpn — OpenVPN connection profile
  • ca.crt — Server CA certificate
  • client.crt — Client certificate
  • client.key — Client private key
  • ta.key — TLS control channel key (tls-auth or tls-crypt-v1)
  • tls_crypt_v2.key — TLS control channel key (tls-crypt-v2)
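Before placing the files on a device, it is worth confirming that every file client.ovpn references actually sits beside it, and that only the TLS control channel key matching the profile's directive is expected. The following is an added example, not Access Server code; it assumes the standard OpenVPN file-referencing directive names (ca, cert, key, tls-auth, tls-crypt, tls-crypt-v2), and the sample profile it uses is constructed rather than real sacli output.

```python
import os
import tempfile

# Added example, not Access Server code. Assumes OpenVPN's file-referencing
# directive names; the sample profile below is constructed, not real sacli output.
FILE_DIRECTIVES = ("ca", "cert", "key", "tls-auth", "tls-crypt", "tls-crypt-v2")

def referenced_files(profile_text):
    """Return {directive: filename} for file-referencing directives; inline <tag> blocks are skipped."""
    refs, in_block = {}, False
    for raw in profile_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("<"):               # opening or closing inline block tag
            in_block = not line.startswith("</")
            continue
        parts = line.split()
        if not in_block and parts[0] in FILE_DIRECTIVES and len(parts) >= 2:
            refs[parts[0]] = parts[1]
    return refs

def check_separate_dir(directory):
    """Return (referenced, missing): files client.ovpn needs and those absent beside it."""
    with open(os.path.join(directory, "client.ovpn")) as f:
        refs = referenced_files(f.read())
    missing = sorted(n for n in set(refs.values())
                     if not os.path.isfile(os.path.join(directory, n)))
    return refs, missing

# Constructed sample: a tls-crypt-v2 export, so ta.key is legitimately absent.
SAMPLE_PROFILE = """client
remote vpn.example.internal 1194 udp
ca ca.crt
cert client.crt
key client.key
tls-crypt-v2 tls_crypt_v2.key
"""

def demo():
    """Write the sample profile and files to a temp dir; then delete client.key to show a miss."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "client.ovpn"), "w") as f:
            f.write(SAMPLE_PROFILE)
        for name in ("ca.crt", "client.crt", "client.key", "tls_crypt_v2.key"):
            open(os.path.join(d, name), "w").close()
        _, before = check_separate_dir(d)
        os.remove(os.path.join(d, "client.key"))
        _, after = check_separate_dir(d)
    return before, after
```

Run check_separate_dir against the folder you copied from the server; an empty missing list means the profile and its files are consistent, and any name listed is a file the client will fail to load.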

Transfer the files

Now that you have separate files, you need to transfer them to the local computer. If you’re using Linux or macOS, you can use scp to copy the files. The steps below are for Windows users.

Note: These steps assume you can log in directly with the root user account. If root login isn’t enabled on your server, one option is to sign in as an unprivileged account and run sudo su to get root privileges. However, when WinSCP connects with a non-root account, it doesn’t have access to all files and folders on the system, especially those owned by root. To address this, chown the files so they are readable and accessible to the unprivileged user. For example: chown <USERNAME> <FILENAME>.

Here are the steps for transferring the files using WinSCP:

  1. Start WinSCP and click Session.
  2. Enter the server’s address, username, and password.
  3. Select SCP under File protocol.
  4. Click Login.
  5. Once connected, click the Open folder icon for the server and open /usr/local/openvpn_as/scripts/separate/.
  6. Select the files in the …/separate/ folder on the server and drag and drop them into a folder on your computer in the left pane.

You should now have the separate files saved to your computer for your use.