Skip to content

OpenVPN – How to build X509 Server Certificates and Public Key Encryption on Windows


X509 certificates increase security compared to shared single symmetric keys.  Therefore we’ll generate X509 Certificates to authenticate our server and clients.  This means our clients contact the server, and if the server is their mothership, then they can connect.  Only children of the mothership can connect – which should keep out the NSA.

1. Download zipped Easy RSA


easy rsa 1Save File

c:\Program Files\ OpenVPN

Right click > extract files


Following files will be extracted and a KEYS directory created.

outputNow lets start getting the templates ready.

Step 2 – Initialise the Configuration (Template files)

Open Command prompt with Admin rights

Start > All Programs > Accessories > Command prompt >

Right click > Run as Administrator


Navigate to easy-rsa-ca

Double check that you have around 15 files plus a “keys” directory

easy 16 files

Run “init-config”

2 template files will be copied – vars.bat and openssl.cnf

init config

Next we select our variables (key sizes) and add them in.


Step 3 – Set Variables in Vars.bat

The vars.bat stores our variables for reuse and sets the Encryption key size

Use Windows Explorer  to Right click on Vars.bat


The Vars file allows us to increase the Symmetric Encryption key size

set KEY_SIZE=1024 (or set KEY_SIZE=2048)

set HOME to the directory where you saved easy-rsa-ca (eg. set HOME=%ProgramFiles%\OpenVPN\easy-rsa-ca)

Autoset the last five files – for location, city, email address as this saves typing later on.

edit vars

Next we create our own certificate authority.


Step 4 – Build a Certificate Authority (Build-ca)

Go back to your command prompt and:

Type vars and hit Enter.

Then type clean-all and hit Enter.

Finally, type build-ca and hit Enter.

It starts to GENERATE the KEYS .

It will autofill from the vars.bat file (just hit enter and the defaults will appear).

Only the ORG UNIT & Common Name needs to be typed in this time (eg common name = company name or VPNSERVER)

generating dh

Next we create the server keys


Step 5 – Build Server Key and a Server Certificate

In the same command prompt, type build-key-server server

(build-key-server VPNServer)

Common name of server could be VPNSERVER or UKSERVER

build server keyServer Challenge Password: (Create a password)

Sign = Y

Commit = Y

This command will output two files (a Server Key and a Server Certificate) in the easy-rsa/keys folder.

sign server certificate


Look in your Keys folderserver outputThe file with the extension .key is the server key, the file with extension .crt contains the server certificate, and the file with extension .csr hold the certificate signing request.


Whomever owns the ca.key and ca.crt is able to sign requests for your Certificate Authority.  This file must be kept totally secret, and should never leave the CA server, as it is the central essential key for your VPN.

Right click on the server.crt or server certificate – to see the info you used to create it

ukvpn cert

Now we need to build some client keys.  Each client will need it’s own key.  The “pairs” allow the client to dial into the mothership… and only the “blood relations” will be authenticated.  This prevents NSA surveillance, hackers and DDOS attacks.


Step 6 – Build your Client Key (repeat for each vpn client)

In the same command prompt type build-key vpnclient1.

Enter client password

Enter Common name eg vpnclient1

Enter a client challenge password

Enter Variables for client

Sign = Y

Commit =Y

client keyclient1 key

You will be asked to sign the certificate and to commit.

Type “y” for both and click Enter.

client1 key commit

If you check the “keys” directory, you’ll find 3 files for VPNClient1.

vpnclient1.crt = Signed certificate of the vpn client, must be on the vpn client.

vpnclient1.csr = Certificate signing request of vpnclient – can be deleted.

vpnclient1.key = Private RSA key of the vpn client, must be on the vpn client.

vpn clientSo the .crt and .key file must be transferred to the client.


Step 7 – Create the Asymmetrical Key (Diffie Helman Key)

The diffie Helman or DHkey is the public or asymmetrical key that protects the shared symmetrical RSA key.

In the same command prompt type build-dh.

This command will output one file (dh1024.pem or dh2048.pem) in the easy-rsa/keys folder.

build dh

Check the DH2048 key


As a test a DH8192 key was generated – and it takes hours.  The Server certificate, server keys and client keys are fast.. it’s the DH keys that are slow.

That’s it.  The X509 certificate, server key, client key and DH public keys have been created.. So what’s next to make it operational…

Well, I’ll cheat and give you a short overview.


Step 8 – Set up a Dynamic DNS for your IP (going beyond Key creation now)

Most home networks have dynamic IP’s – so we need to arrange a way for others to find you if the IP changes.

It’s important for OpenVPN to always know your network’s public IP address, and by using DynDNS, OpenVPN will always know how to locate your network no matter what your public IP address is.


Step 9 – .ovpn – client config files

In Windows Explorer, navigate to C:\Program Files (x86)\OpenVPN\sample-config if you’re running 64-bit Windows 7 or

C:\Program Files\OpenVPN\sample-config if you’re running 32-bit Windows 7.

In this folder you will find the client.ovpn file.

Right click on client.ovpn and open it with Notepad.

We place in the details of our OpenVPN Server for the client to connect to.

client config

What the .ovpn looks like using the VPNBook- UDP Port 53 Client config file

– Client

– Protocol = UDP

– Remote = Server IP and Port

openvpn client config 7 vpnbook cert settings

-Resolve & retry = infinite = keep trying

-tun-mtu 1500 – standard MTU for Windows 7 (it autotunes the Maximum Transmission Unit).

ca = server.crt

comp-lzo = compression

cipher AES-256-CBC

We then connect using the client config file – following this how to guide.

How to automate your login for OpenVPN

VPN Server at 4096 bits

server 4096

VPN’s are fun.  Encryption is fun.  Now we put all the pieces of the puzzle together. 🙂

Leave a Comment

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: