A beginner’s guide to generating certificates for OpenVPN

EasyRSA is a simple certification generation utility that allows you to generate multiple types of certificates. It also has the ability to generate a CSR(Certificate Signing Request) and sign it with the designated CA(Certificate Authority). The primary use for this utility is to generate certificates for use in OpenVPN in order to establish a secure VPN link between multiple endpoints.


If you’re just getting started in the realm of VPNs, or looking for another solution to your VPN woes. OpenVPN is one of the most commonly-used VPN solutions on the market today. It has been proven to be a very secure solution and for easy deployment, and comes in many flavors. It is currently available on Linux and Windows as well as in the form of an virtual appliance from companies such as Google, Amazon, Microsoft. OpenVPN is open source so it can be modified in anyway as desired.

EasyRSA Installation

For this guide, we are going to be using EasyRSA 3 which you can get from here. You will need to click on the green button labeled “Clone or download” and then click on “Download ZIP” to download our “master.zip” archive. While the setup process may be straightforward on Linux-based systems, Windows requires a little bit of maneuvering in terms of where to place the correct files in order to get the EasyRSA script to run.

Open the zip file you’ve just download with something such as WinRAR and click on the “easy-rsa-master folder inside it.

There’s a list of folders, the one we want to extract first will be for the Windows version. Go ahead and click on the “distro” folder. Before we go any further, create a folder named “EasyRSA” on your drive, it can be in any place you like. You will now see a folder called “windows”, go ahead and click on it. Hit CTRL and A key on your keyboard to select all files, now drag or extract the contents of the “windows” folder into your “EasyRSA” folder.

Your “EasyRSA” folder should look like this.

Next, go back to your archive file and click “..” twice at the top of your current folder. We are now going to navigate to the “easyrsa3” folder.

Hit CTRL and A again to select all of the files within the directory and drag/extract to your “EasyRSA” folder.

Your “EasyRSA” folder should now look like this. Now where it says “win32” and “win64”, depending on whether your version of Windows is a 32-bit or 64-bit(modern computers are 64-bit) we will be moving the files from one of those folders into our EasyRSA start directory. Lets go to the “win64” folder.

EasyRSA depends on OpenSSL to generate our certificates and signing them. As we did earlier, press both CTRL and A keys to select them all. Right-click and click “copy”. Head back to your “EasyRSA” folder, right-click and click “Paste”.

After everything is complete, your final setup should look like this. We should now able to start using EasyRSA without any issues. EasyRSA relies on a batch script called “EasyRSA-Start.bat” to run the program. Lets see if it runs.

Everything seems to be running perfectly. You will find that it uses a Linux-based shell which allows us to execute pre-defined bash scripts to create our certificates/keys. Before we get to cooking up some these, we will need to generate a folder for our certificates. To do that, under “EasyRSA Shell”, type the following:

./easyrsa init-pki

After hit enter. EasyRSA generates a folder called pki(Public Key Infrastructure) in the “EasyRSA”. This is where all of our certificates and keys will be placed once generated.

The “private” folder stores private keys for any certificate generated. “reqs” will store our CSR(Certificate Signing Request). There is also 2 “.cnf” files, it is best not to tamper with those and just let EasyRSA deal with them unless you have experience with OpenSSL. We are now going to generate our CA(Certificate Authority), type in the following:

./easyrsa build-ca

Hit enter. You will be asked to make up a passphrase for your CA. It is important to write whatever passphrase you create into a special file or piece of paper. This protects the CA’s private key stored in “pki\private\ca.key” from being compromised. Next, you will be asked to provide a “Common Name” for your CA certificate. Feel free to name it however you like. Press enter. Your CA certificate and CA key have been generated and ready to sign any certificates that you create.

You will now see “ca.crt” in your “pki” folder. If you go to your “private folder”, you will also see the “ca.key” which is your certificate’s private key. At this point, we are going to start generating certificates and keys for OpenVPN use. Next, we are going to generate a diffie-hellman key. This key will allow us to authenticate securely with an OpenVPN server. In order to generate one, we will be typing the following:

./easyrsa gen-dh

Depending on how fast your computer is, “This is going to take a long time”. 🙂

In all seriousness, you will want to wait between 15 to 30 minutes for it to finish. Most of the time it should finish very quickly(1 to 3 minutes). Once complete, this file will be placed in your “pki” directory as “dh.pem”.

Generating server and client certificates

For OpenVPN, the server will need its own set of certificates: ca.crt, server.crt, server.key and dh.pem. For client(s): ca.crt, client.crt, client.key. First, let’s generate a CSR(Certificate Signing Request) for the server certificate. Type in the following into EasyRSA:

./easyrsa gen-req insertCSRnamehere

Name your CSR file however you like. After, hit enter the process will begin. Again, you will need to put in a password to protection your certificate during authentication. You can also add “nopass” to the end of the command in order to skip that, but for additional security you should add one. Right after, you will be asked for a “Common Name”, again name it as you like. Your CSR file will be placed under the “req” folder in “pki” and key file under “private”.

It is now time to sign our CSR file. Type in the following command into EasyRSA:

./easyrsa sign-req server nameofyourCSRfile

Type “yes” to confirm your CSR’s common name. Your certificate will be pulled from the CSR and signed using our CA certificate generated earlier. You will be asked to enter the password of your CA key created earlier. Afterwards, your server certificate is created and place in the “issued” folder of “pki”.

The same applies to generating a CSR for your client certificates. Generate your CSR like you did earlier and then when you sign it type in the following:

./easyrsa sign-req client nameofyourCSRfile

Your client certificate will also be placed into the same folder as our server. You are free to generate as many client certificates as you like for your OpenVPN clients. Remember, in OpenVPN, all clients that connect to the server will be identified by their “Common Name” designated in their certificates so make sure that they’re uniquely named to avoid conflict.

Stay tuned for the OpenVPN guide. For more information on how to set it up, click here.