How do you generate a certificate and key for VPN authentication

We have a network of VPN routers another engineer had set up, and I need to add a new one. Each router seems to have two files: a .key file and a .crt file.

I was left with a bunch of certificates and keys of the other routers and a CA.crt.

How do I generate a .key and .crt to authenticate my router and connect to this network?

One of the routers is the server and has a key and crt called rvss.key and rvss.crt, but also this ca.crt.

Solution 1:[1]

To add a new Router/Client/Server to the existing network, you first should figure out where your Certificate Authority is located. In your case it sounds like each router has/is its own CA, which contains only a .key file and a .crt file. For each OpenVPN server/client you add, you will need to generate

  1. a client/server .key (private, secret) on the client or server
  2. a signing request (.req)

Now you copy the request to the CA and "sign" it. This will generate a client or server .crt (certificate) file. Copy the generated .crt along with the CA .crt back to the client/server. The client/server will need a minimum of four things to work:

  1. its client/server key
  2. its signed .crt from above
  3. the CA .crt
  4. a proper configuration (ip/port stuff and more)

For "simple" step by step instructions I'd recommend this Easy-RSA archwiki page followed by this OpenVPN archwiki page. Please also note there are options to set up an Advanced PKI, containing multiple sub-CAs, which your "vpn routers" could possibly become, depending on the use case. Anyhow, in this case each router then will also need the "root" CA certificate, which seems not to be the case at the moment.
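The key/request/sign/verify cycle the answer describes, carried out with plain openssl as an added example (not the answer author's code and not Easy-RSA itself, which wraps the same openssl calls). The CA name, the router names `rvss` and `router2`, the temporary working directory and the validity periods are all constructed for the demo; in a real deployment the `ca.key` stays on the CA host and only the `.req` travels to it and only the signed `.crt` plus `ca.crt` come back.

```shell
#!/bin/sh
# Added example: minimal OpenVPN-style PKI workflow with plain openssl,
# standing in for Easy-RSA's build-ca / gen-req / sign-req steps.
# All names (demo-vpn-ca, rvss, router2) and the work dir are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Step 0 (done once, by whoever owns the network): the CA key and self-signed
# CA certificate. Only ca.crt is ever distributed; ca.key never leaves this host.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -keyout ca.key -out ca.crt -subj "/CN=demo-vpn-ca" 2>/dev/null
  chmod 600 ca.key
}

# Steps 1-2 from the answer, run ON THE NEW ROUTER: generate its private key
# and a signing request. The .key stays put; only the .req goes to the CA.
gen_req() {
  name="$1"
  openssl req -newkey rsa:2048 -nodes -keyout "$name.key" \
    -out "$name.req" -subj "/CN=$name" 2>/dev/null
  chmod 600 "$name.key"
}

# Step 3, run ON THE CA: sign the request, producing the router's .crt.
# Servers get the serverAuth EKU and clients clientAuth, so each side can
# refuse a peer presenting the wrong kind of certificate (OpenVPN's
# remote-cert-tls option relies on exactly this distinction).
sign_req() {
  name="$1"; role="$2"
  if [ "$role" = server ]; then eku=serverAuth; else eku=clientAuth; fi
  printf 'extendedKeyUsage=%s\nkeyUsage=digitalSignature,keyEncipherment\n' \
    "$eku" > "$name.ext"
  openssl x509 -req -in "$name.req" -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 365 -extfile "$name.ext" -out "$name.crt" 2>/dev/null
}

# Pre-flight check for the three files a router needs (its .key, its .crt and
# ca.crt): the cert must chain to ca.crt, and the key must match the cert.
# Returns 0 when the bundle is consistent, 1 otherwise.
verify_bundle() {
  name="$1"
  openssl verify -CAfile ca.crt "$name.crt" >/dev/null 2>&1 || return 1
  key_pub=$(openssl pkey -in "$name.key" -pubout 2>/dev/null | openssl md5)
  crt_pub=$(openssl x509 -in "$name.crt" -pubkey -noout 2>/dev/null | openssl md5)
  [ "$key_pub" = "$crt_pub" ]
}

# Print the Extended Key Usage line of a certificate, for a quick role check.
cert_eku() {
  openssl x509 -in "$1.crt" -noout -text 2>/dev/null \
    | grep -A1 'Extended Key Usage' | tail -n 1 | sed 's/^ *//'
}

make_ca
gen_req rvss;    sign_req rvss server      # the existing server from the question
gen_req router2; sign_req router2 client   # the router being added
```

Running it leaves `rvss.key`/`rvss.crt` and `router2.key`/`router2.crt` in the work directory alongside `ca.crt`; `verify_bundle router2` is the check worth running on a new router before touching the OpenVPN config, since a cert signed by some other CA or a key/cert pair that got mixed up between routers both fail it.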

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Marda