
How do I export a certificate from OpenVPN?

Published in OpenVPN Certificate Export

To export individual certificate and key files for a specific user from OpenVPN Access Server, you will typically generate the user's client configuration profile and then extract the separate certificate, private key, and Certificate Authority (CA) certificate components from it. This process is useful for manual client configurations, troubleshooting, or integrating with systems that require distinct certificate files.

Exporting Individual Certificate and Key Files from OpenVPN Access Server

Extracting separate certificate and key files provides granular control over your VPN client configurations. This method focuses on using the command-line interface (CLI) of your OpenVPN Access Server to obtain these critical security components.

Prerequisites for Exporting Certificates

Before you begin, ensure you have the following:

  • Administrator Access: You must have root or sudo access to your OpenVPN Access Server's terminal.
  • OpenVPN Access Server Installation: The server should be up and running.
  • Target User Account: Identify the specific user account for whom you wish to export the certificates.

Step-by-Step Guide to Extract Certificates

Follow these steps to generate and transfer the separate certificate files for a user account:

Step 1: Access Your OpenVPN Access Server Terminal

First, you need to sign on to your OpenVPN Access Server's terminal. This is typically done via SSH.

ssh root@your_access_server_ip_address

Replace your_access_server_ip_address with the actual IP address or hostname of your OpenVPN Access Server.

Step 2: Generate Separate Certificate Files for a User

From the Access Server's terminal, you will generate the user's client configuration profile (.ovpn) and then extract the individual certificate components.

  1. Navigate to the sacli directory:

    cd /usr/local/openvpn_as/scripts/
  2. Generate the user's client configuration profile:
    Use the sacli command to retrieve the user-locked client profile for the desired user. The profile (the .ovpn file content) is written to standard output, so redirect it into a file. Because the profile embeds the user's private key, set a restrictive umask first so the file is not created world-readable in /tmp.

    umask 077
    ./sacli --user <username> GetUserlogin > /tmp/<username>.ovpn

    Replace <username> with the actual username whose certificates you want to export (e.g., john_doe). This command saves the complete client profile to a temporary file, for example, /tmp/john_doe.ovpn. GetUserlogin produces a user-locked profile, which still prompts for the user's credentials at connect time. The related GetAutologin command produces an auto-login profile (only for users who have auto-login enabled) whose certificate and key alone grant access, so treat that output with even more care.

  3. Extract the individual certificate components:
    The .ovpn file contains <ca>, <cert>, and <key> blocks. An Access Server profile typically also carries a control-channel key block (<tls-auth> with a key-direction directive, or <tls-crypt> depending on the server's configuration) plus the remote, proto and port directives. You can extract the three certificate blocks using basic text processing commands, but keep the profile: a manual client configuration built from the separate files still needs the control-channel key and those directives.

    • Extract CA Certificate (ca.crt):

      sed -n '/<ca>/,/<\/ca>/p' /tmp/<username>.ovpn | grep -v -e '<ca>' -e '</ca>' > /tmp/<username>_ca.crt
    • Extract User Certificate (client.crt):

      sed -n '/<cert>/,/<\/cert>/p' /tmp/<username>.ovpn | grep -v -e '<cert>' -e '</cert>' > /tmp/<username>_client.crt
    • Extract User Private Key (client.key):

      sed -n '/<key>/,/<\/key>/p' /tmp/<username>.ovpn | grep -v -e '<key>' -e '</key>' > /tmp/<username>_client.key

    After running these commands, you will have three separate files in the /tmp/ directory on your server: <username>_ca.crt, <username>_client.crt, and <username>_client.key. The last of these is the user's private key: anyone who can read it, together with the certificate, can present that user's identity to the server (and, with an auto-login profile, connect without any further credentials). Make sure the key file is readable only by its owner (mode 0600) and that it does not sit in the world-readable /tmp directory longer than necessary.

Step 3: Transfer the Exported Files

Finally, transfer these generated files from the server to your local machine. You can use secure copy protocol (SCP) or SFTP for this.

# From your local machine
scp root@your_access_server_ip_address:/tmp/<username>_ca.crt .
scp root@your_access_server_ip_address:/tmp/<username>_client.crt .
scp root@your_access_server_ip_address:/tmp/<username>_client.key .

Remember to replace root@your_access_server_ip_address and <username> with your actual server details and username. The . at the end means "copy to the current directory." Once the copies have arrived, delete the extracted files and the full profile from /tmp on the server, and keep the key file on your local machine with the same owner-only permissions; the transfer itself is encrypted, but a forgotten copy of a private key on a shared host is an avoidable exposure.
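The whole procedure above, as an added example script that is not part of the article or of OpenVPN's own tooling. It assumes the profile was produced with ./sacli --user <username> GetUserlogin as in Step 2, splits it into ca.crt, client.crt and client.key (plus ta.key when a <tls-auth> block is present) under an owner-only umask, refuses to proceed if any of the three mandatory blocks is missing, and offers a verify_pair helper that checks, with openssl, that the client certificate chains to the CA and that the key really belongs to it. The function names and the profile embedded below are constructed for the demonstration; the sample contains no real certificate or key material.

```shell
#!/bin/sh
# Added example (not code from the article or from OpenVPN Inc.): split an
# Access Server .ovpn profile into ca.crt, client.crt and client.key, keep the
# private key owner-only, and verify that the key matches the certificate.
# Assumed input: a profile produced by
#     ./sacli --user <username> GetUserlogin > /tmp/<username>.ovpn
# The profile embedded below is constructed for the demonstration and holds no
# real certificate or key material.
set -eu

# extract_block TAG FILE: print the lines strictly between <TAG> and </TAG>.
extract_block() {
    awk -v opentag="<$1>" -v closetag="</$1>" '
        $0 == closetag { inside = 0 }
        inside         { print }
        $0 == opentag  { inside = 1 }
    ' "$2"
}

# split_profile PROFILE OUTDIR: write OUTDIR/ca.crt, client.crt and client.key
# (plus ta.key when a <tls-auth> block exists). Returns 1 if any of the three
# mandatory blocks is missing. Files are created under umask 077 inside a
# subshell, so they are never world-readable, not even briefly.
split_profile() {
    profile=$1
    outdir=$2
    mkdir -p "$outdir"
    chmod 700 "$outdir"
    (
        umask 077
        extract_block ca       "$profile" > "$outdir/ca.crt"
        extract_block cert     "$profile" > "$outdir/client.crt"
        extract_block key      "$profile" > "$outdir/client.key"
        extract_block tls-auth "$profile" > "$outdir/ta.key"
        [ -s "$outdir/ta.key" ] || rm -f "$outdir/ta.key"
    )
    for f in ca.crt client.crt client.key; do
        if [ ! -s "$outdir/$f" ]; then
            echo "split_profile: $f is empty, its block is missing in $profile" >&2
            return 1
        fi
    done
}

# verify_pair OUTDIR: with real material, confirm that client.crt chains to
# ca.crt and that client.key is the private key for client.crt (needs openssl).
verify_pair() {
    outdir=$1
    openssl verify -CAfile "$outdir/ca.crt" "$outdir/client.crt" >/dev/null || return 1
    cert_pub=$(openssl x509 -in "$outdir/client.crt" -noout -pubkey)
    key_pub=$(openssl pkey -in "$outdir/client.key" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# --- demonstration on a constructed profile (placeholder PEM bodies) ---
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
cat > "$DEMO_DIR/john_doe.ovpn" <<'EOF'
client
dev tun
proto udp
remote vpn.example.com 1194
<ca>
-----BEGIN CERTIFICATE-----
CONSTRUCTED-CA-SAMPLE
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
CONSTRUCTED-CLIENT-CERT-SAMPLE
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
CONSTRUCTED-CLIENT-KEY-SAMPLE
-----END PRIVATE KEY-----
</key>
key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
CONSTRUCTED-TA-SAMPLE
-----END OpenVPN Static key V1-----
</tls-auth>
EOF
split_profile "$DEMO_DIR/john_doe.ovpn" "$DEMO_DIR/john_doe"
ls -l "$DEMO_DIR/john_doe"
# On a real export, follow up with:  verify_pair "$DEMO_DIR/john_doe"
```

The verify_pair step is the check worth adding to any manual export: openssl verify catches a certificate that was not issued by the CA you extracted, and comparing the public key derived from client.key with the one inside client.crt catches a key file that was pasted from the wrong profile. Both mistakes produce a TLS handshake failure that is otherwise tedious to diagnose from client logs.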

Understanding the Exported Files

When you export separate certificate files, you typically obtain three critical components. These files are essential for establishing a secure OpenVPN connection.

  • ca.crt (Certificate Authority certificate): the public certificate of the Access Server's internal CA, which issued both the server's certificate and the per-user client certificates. The client uses it to verify that it is talking to the genuine OpenVPN server.
  • client.crt (user certificate): the public certificate uniquely identifying the VPN client (user), signed by that CA. It authenticates the client to the OpenVPN server.
  • client.key (user private key): the private key corresponding to the client certificate. The client uses it to cryptographically prove its identity during the TLS handshake and establish the secure tunnel; it is the only one of the three files that must be kept secret.

Use Cases for Separate Certificate Files

Exporting individual certificate components offers flexibility for various scenarios:

  • Manual Client Configuration: For advanced users or specific OpenVPN clients that require separate certificate files instead of a single .ovpn profile.
  • Integrating with Other Systems: When configuring devices or applications that need distinct .crt and .key files for authentication (e.g., routers, custom scripts).
  • Troubleshooting: Analyzing individual components can help diagnose connection issues.
  • Security Audits: Reviewing individual certificate details for compliance or security assessments.
  • Certificate Pinning: Having the exact CA certificate at hand lets you pin the server identity on the client (for example with OpenVPN's verify-x509-name directive together with remote-cert-tls server), so that a certificate from any other issuer or with a different subject is rejected.

For more detailed information on OpenVPN Access Server's command-line interface, refer to the OpenVPN Access Server CLI Reference.