To generate a client certificate for a specific client name, you’re on the right track with the commands you mentioned. Here's the step-by-step process, including generating and signing the client's certificate, and how to associate it with a specific certificate for your OpenVPN server.

1. Ensure You're in the Easy-RSA Directory:

Make sure you’re inside the Easy-RSA directory (i.e., /etc/openvpn/easy-rsa/).

    cd /etc/openvpn/easy-rsa

2. Generate a Client Key Request:

You’ll need to generate the certificate signing request (CSR) for the client. This creates a private key and a public key request (which will later be signed by the CA). Replace client_name with the actual name you want to assign to your client.

    ./easyrsa gen-req client_name nopass

- client_name can be anything you prefer (e.g., client1, client_alice, etc.).
- nopass means the key won’t be password-protected. If you want a password on the key, omit nopass.

This will create the following files:

- pki/private/client_name.key (private key for the client).
- pki/reqs/client_name.req (CSR file).

3. Sign the Client Request with the CA:

Once the CSR is generated, you need to sign it using the server's certificate authority (CA). This will create the client certificate.

    ./easyrsa sign-req client client_name

You will be prompted to confirm that you want to sign the request. Type yes to approve it. This will generate a signed certificate for the client:

- pki/issued/client_name.crt (signed client certificate).

4. Distribute the Client Certificate and Key:

You need to transfer the following files to your client machine (or distribute them securely):

- pki/private/client_name.key (private key).
- pki/issued/client_name.crt (signed client certificate).
- pki/ca.crt (CA certificate, if not already done).

Optionally, if you're using ta.key for TLS authentication, you'll also need to provide that key to the client (if you haven't already).

5. Optional: Generate Client Configuration File

On the client machine, you’ll need to create a configuration file for OpenVPN (typically client.ovpn). A sample configuration would look like this:

    client
    dev tun
    proto udp
    remote <your-server-ip> <port>
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca ca.crt
    cert client_name.crt
    key client_name.key
    tls-auth ta.key 1
    cipher AES-256-CBC
    verb 3

Make sure to:

- Replace <your-server-ip> with the IP address or domain of your OpenVPN server.
- Include the necessary certificate and key files on the client machine (client_name.crt, client_name.key, ca.crt, ta.key).

Additional Considerations:

Revocation: If you ever need to revoke a client certificate, you can use Easy-RSA’s revoke command. The client certificate will then no longer be valid. Example:

    ./easyrsa revoke client_name
    ./easyrsa gen-crl
    cp pki/crl.pem /etc/openvpn/

Then, ensure OpenVPN is configured to use the CRL file (crl-verify /etc/openvpn/crl.pem).

Client Directory Structure: When deploying certificates to clients, keep the structure organized to prevent mixing up the different files (e.g., each client in a separate directory with the correct certs and keys).

Once you’ve done this, your client should be ready to connect to your OpenVPN server!

-- 
Sent with Proton Mail secure email.

On Saturday, 12 July 2025 at 10:52, Peter Davis via Openvpn-users <openvpn-users@lists.sourceforge.net> wrote:

> Hello,
> I used the following commands to generate the Server Certificate:
>
> # cp -r /usr/share/easy-rsa /etc/openvpn/
> # cd /etc/openvpn/easy-rsa
> # mv vars.example vars
>
> # nano vars
>
> export KEY_COUNTRY="US"
> export KEY_PROVINCE="CA"
> export KEY_CITY="NY"
> export KEY_ORG="MyName"
> export KEY_EMAIL="ad...@example.com"
> export KEY_OU="OpenVPN"
>
> # ./easyrsa init-pki
> # ./easyrsa build-ca nopass
> # ./easyrsa gen-req server nopass
> # ./easyrsa sign-req server server
> # ./easyrsa gen-dh
> # openvpn --genkey secret ta.key
>
> Then I edited the vars file with the new contents and issued the above
> commands to generate the new certificate. Then I created a directory for each
> certificate in the /etc/openvpn directory and moved the following files to
> the corresponding directory:
>
> # cp ta.key /etc/openvpn/DIRECTORY_NAME
> # cp pki/ca.crt /etc/openvpn/DIRECTORY_NAME
> # cp pki/private/SERVER_NAME.key /etc/openvpn/DIRECTORY_NAME
> # cp pki/issued/SERVER_NAME.crt /etc/openvpn/DIRECTORY_NAME
> # cp pki/dh.pem /etc/openvpn/DIRECTORY_NAME
>
> Now I want to generate keys for clients using the following commands:
>
> # ./easyrsa gen-req client_name nopass
> # ./easyrsa sign-req client client_name
>
>
> How do I generate my client for a specific certificate?
>
>
> Thank you.
>
>
> _______________________________________________
> Openvpn-users mailing list
> Openvpn-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openvpn-users
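The distribution step (4) and the sample client.ovpn (5) above hand the client four loose files. The script below is an added example, not code from the thread or from Easy-RSA, that assembles them into one self-contained .ovpn with inline <ca>/<cert>/<key>/<tls-auth> blocks, checks that every file exists, strips the human-readable preamble Easy-RSA writes in front of the PEM in issued certificates, and refuses to bundle a private key that is readable by group or other. The directive lines mirror the sample configuration in the reply; the paths (/etc/openvpn/easy-rsa/pki, ta.key next to the pki directory), the server name vpn.example.com and the port 1194 are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the list thread or Easy-RSA): build a single-file
# OpenVPN client profile from the files Easy-RSA produced.
# Assumed layout: PKI_DIR/ca.crt, PKI_DIR/issued/<client>.crt,
# PKI_DIR/private/<client>.key, and the shared ta.key passed separately.

# check_client_files PKI_DIR CLIENT TA_KEY
#   Returns 0 when every file the client needs is readable; reports the
#   first missing one on stderr and returns 1 otherwise.
check_client_files() {
  pki="$1"; name="$2"; ta="$3"
  for f in "$pki/ca.crt" "$pki/issued/$name.crt" "$pki/private/$name.key" "$ta"; do
    if [ ! -r "$f" ]; then
      echo "missing or unreadable: $f" >&2
      return 1
    fi
  done
  return 0
}

# key_is_private FILE
#   Returns 0 when FILE has no group/other permission bits (e.g. 0600), so a
#   key copied around with loose permissions is caught before it is handed out.
#   GNU stat takes -c, BSD/macOS stat takes -f; try both.
key_is_private() {
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null)
  case "$mode" in
    ?00) return 0 ;;   # last two octal digits zero: no group/other access
    *)   return 1 ;;
  esac
}

# pem_only FILE
#   Prints just the -----BEGIN ... -----END block; Easy-RSA's issued .crt
#   files carry a text dump of the certificate above the PEM.
pem_only() {
  sed -n '/-----BEGIN/,/-----END/p' "$1"
}

# build_ovpn PKI_DIR CLIENT TA_KEY SERVER PORT
#   Prints the inline profile to stdout. "key-direction 1" is the inline
#   equivalent of the "tls-auth ta.key 1" line in the sample config.
build_ovpn() {
  pki="$1"; name="$2"; ta="$3"; server="$4"; port="$5"
  check_client_files "$pki" "$name" "$ta" || return 1
  key_is_private "$pki/private/$name.key" || {
    echo "refusing: $pki/private/$name.key is readable by group/other" >&2
    return 1
  }
  cat <<EOF
client
dev tun
proto udp
remote $server $port
resolv-retry infinite
nobind
persist-key
persist-tun
cipher AES-256-CBC
verb 3
key-direction 1
<ca>
$(pem_only "$pki/ca.crt")
</ca>
<cert>
$(pem_only "$pki/issued/$name.crt")
</cert>
<key>
$(pem_only "$pki/private/$name.key")
</key>
<tls-auth>
$(pem_only "$ta")
</tls-auth>
EOF
}

# Usage: sh build_ovpn.sh client_name
# Writes clients/client_name/client_name.ovpn, one directory per client as
# suggested under "Client Directory Structure". Paths below are assumptions.
if [ -n "${1-}" ]; then
  mkdir -p "clients/$1"
  build_ovpn /etc/openvpn/easy-rsa/pki "$1" /etc/openvpn/easy-rsa/ta.key \
    vpn.example.com 1194 > "clients/$1/$1.ovpn" && chmod 600 "clients/$1/$1.ovpn"
fi
```

Because the profile embeds the private key, the resulting .ovpn is as sensitive as client_name.key itself: keep it 0600 and hand it over through a channel you would trust with the key. Adjust the directive lines (cipher, proto, port) to match the server configuration rather than the sample verbatim.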