This guide covers how to create certificates and keys for OpenVPN server and clients using the EasyRSA tool on MacOS.

Apr 09, 2020  Generate a CA private key file using a utility (OpenSSL, cfssl etc) Create the CA root certificate using the CA private key. Server Certificate Creation Process. Generate a server private key using a utility (OpenSSL, cfssl etc) Create a CSR using the server private key. Generate the server certificate using CA key, CA cert and Server CSR. Apr 09, 2020 Generate a CA private key file using a utility (OpenSSL, cfssl etc) Create the CA root certificate using the CA private key. Server Certificate Creation Process. Generate a server private key using a utility (OpenSSL, cfssl etc) Create a CSR using the server private key. Generate the server certificate using CA key, CA cert and Server CSR. Sep 12, 2014 OpenSSL is a versatile command line tool that can be used for a large variety of tasks related to Public Key Infrastructure (PKI) and HTTPS (HTTP over TLS). This cheat sheet style guide provides a quick reference to OpenSSL commands that are useful in common, everyday scenarios. Create a server certificate. Next, you'll create a server certificate using OpenSSL. Create the certificate's key. Use the following command to generate the key for the server certificate. Openssl ecparam -out fabrikam.key -name prime256v1 -genkey Create the CSR (Certificate Signing Request). While Encrypting a File with a Password from the Command Line using OpenSSL is very useful in its own right, the real power of the OpenSSL library is its ability to support the use of public key cryptograph for encrypting or validating data in an unattended manner (where the password is not required to encrypt) is done with public keys. The Commands to Run Generate a 2048 bit RSA Key. Creating certificates and keys for OpenVPN server with EasyRSA on MacOS. This guide covers how to create certificates and keys for OpenVPN server and clients using the EasyRSA tool on MacOS. The generated CA certificate can now be found at pki/ca.crt. Step 5: Generate Server Certificate + Key.

The instructions are very similar for most flavours of linux such as Ubuntu once the correct packages are installed (e.g. on Ubuntu: apt-get install openvpn easy-rsa).

If privacy and security are of the utmost concern, generate all certificates and keys on a “clean” machine and verify the signatures of each download.

Step 1: Resolve MacOS Dependencies

This guide assumes that you’re running MacOS Sierra or later.

XCode and Command Line Tools

Ensure that you have installed the XCode Command Line Tools.

To check, the command xcode-select -p outputs a file path beginning with /Applications/Xcode.app/ if they are already installed.

If Command Line Tools is not installed, open the Terminal app and enter xcode-select --install to trigger the installation app.

Another way to trigger the installation app is to attempt to use a command line developer tool such as the GNU C compiler gcc (e.g. gcc --version). If the tools are not installed, you will be greeted by a graphical MacOS installation prompt instead of the expected Terminal output from gcc. You don’t necessarily need the full XCode so you can click the “install” button for just the command line tools.

Work your way through the installer and follow Apple’s steps until you can start working with the necessary commands. The CLI commands will become available to you after you agree to all of Apple’s terms and conditions.

If you experience troubles with the next step, assuming that it is the result of some future change by Apple, it may be beneficial to install the full XCode in addition to the CLI tools. It’s available for free on the App Store, but take note that it’s a hefty multi-gigabyte download.

OpenSSL

EasyRSA requires a late-version of the open-source openssl library.

Apple bundles its own crypto libraries in MacOS but these are generally out of date. At the time of writing, the openssl command bundled with MacOS is not likely compatible with EasyRSA and will produce errors if you try to use it (note: the binary is at /usr/bin/openssl).

A newer EasyRSA-compatible version of OpenSSL is easy to install with the brew package manager (https://brew.sh/). Installing via brew will not clobber or harm the Apple version that’s already on your system. If you need to install brew, go to the project’s website and follow the simple instructions on the landing page.

Assuming you have brew installed, open a Terminal and run the command:

Brew will download and install openssl to its default package install directory of /usr/local/Cellar.

The package will be installed in “keg only” mode: brew will not create a symlink for its openssl in /usr/local/bin or anywhere else in your $PATH. You will not have a conflicting openssl command, and Apple’s binary will remain intact.

To get EasyRSA to use the openssl binary installed by the brew package, you will need to know its path. Run brew’s package info command and examine the output:

In my example, I could see that openssl resolved to /usr/local/Cellar/openssl/1.0.2n. In your case, this may be a different path due to a more recent version being available in the future. Next, inspect this folder to locate the binary and determine the full path to it. In my example case, the full path to the binary was:

Note down the correct path to the openssl binary for your case. When configuring EasyRSA in the next step, you will need to specify this path in an EASYRSA_OPENSSL variable.

Step 2: Download EasyRSA

Go to https://github.com/OpenVPN/easy-rsa/releases and download the latest .tgz version for your Mac.

Save the file to a folder that you wish to work from (your certificates and keys will be generated here) and unpack it using the Archive utility (double click on it in Finder).

Note that the easy-rsa tools were written with traditional linux/unix-type environments in mind and therefore assume that all paths to the scripts have no spaces in them.

Going forward I will assume the path of your unpacked EasyRSA folder is: ~/vpn/easyrsa. The ‘~’ character is a shortcut to your home folder that works in Terminal, i.e. on a Mac its a placeholder for /Users/your_username and on a typical linux environment /home/username.

Step 3: Configure EasyRSA

Assuming that the path of your unpacked EasyRSA folder is: ~/vpn/easyrsa, open Terminal and navigate to the unpacked folder:

Copy the vars.example “starter” configuration file to vars:

Now customize the initial “starter” configuration file’s settings in vars to reflect your own.

Open it in a text editor and look for the following lines. Uncomment them (i.e. delete the preceding # character) and fill them in with your appropriate values. Specify something for each field below:

Look for the following field and uncomment it:

We’ll be using a 2048-bit key (the current default) for this example so the value will not be changed.

A larger key size is more secure but will result in longer connection + wait times over the VPN. At the time of writing in late 2017, its generally believed that a 2048-bit key is sufficient for most usage scenarios. A 4096-bit key is believed to provide additional privacy vs. more powerful state-sponsored actors.

EasyRSA by default uses the openssl binary found in the $PATH. Find the following line, uncomment it, and update the value with the path to the brew-installed openssl binary from Step 1. For example, in my case, the following line:

became:

Step 4: Generate Certificate Authority (CA)

Navigate into your easyrsa/ folder. For example:

Initialize the PKI (public key infrastructure) with the easyrsa script. This will create a pki/ subfolder:

Create the CA (certificate authority):

You will be prompted to input a Common Name. Input the name server and hit ENTER.

The generated CA certificate can now be found at pki/ca.crt.

Step 5: Generate Server Certificate + Key + DH Parameters

Assuming you’re still inside your easyrsa/ folder from the previous step, generate your server certificate and key:

The generated server certificate can now be found at: pki/issued/server.crt

The generated server key can now be found at: pki/private/server.key

Now generate the Diffie-Hellman (DH) parameters for key exchange. This process can take several minutes depending on your system:

The generated DH parameters can be found at: pki/dh.pem.

You now have all of the files necessary to configure an OpenVPN server.

Step 6: Generate client credentials

You should generate a unique set of credentials for each and every client that will connect to your VPN. You can repeat this step for any client that you need to create credentials for.

All clients in your setup should have a unique name. Change exampleclient in the following to something descriptive that you will recognize and be able to associate with the user/client:

The generated client certificate: pki/issued/exampleclient.crt

The generated client key can be found at: pki/private/exampleclient.key

When distributing credentials to a client, they will need at least these 3 files:

• A client certificate (e.g. pki/issued/exampleclient.crt)
• The corresponding client key (e.g. pki/private/exampleclient.key)
• A copy of the CA certificate (pki/ca.crt)

These client credentials can be loaded into a VPN app like Tunnelblick or Viscosity along with client configuration information that corresponds to your VPN server’s specific settings.

Understanding client config files

Client configuration information is usually provided in the form of an additional file: a plaintext config file with the .ovpn extension. Both Tunnelblick and Viscosity recognize the .ovpn extension and file format.

Later versions of openvpn support specifying all of the client configuration information, client certificate, client key, and CA certificate as demarcated blocks within the config file itself, so that clients only need to be provided with a single .ovpn file.

Security reminder

It is good to practice to try and keep all .ovpn, certificate, and key files as safe as possible with exposure to as few eyes/hands/hard-disks/clouds/etc as possible. Distribute them as securely as you can to your clients/users.

Next steps

Now you need a working openvpn server and a client that wishes to connect to your VPN!

I hope this guide was helpful to you. For all the server tutorials out there, as far as I know this is one of the few comprehensive guides out there for creating all required certificates and keys on MacOS.

Router as OpenVPN server

If your openvpn server is your router, you can now login to it’s admin control panel and input the server-related certificate + key + DH parameters that you created above.

Before you activate the VPN server, ensure that your router’s firmware is up-to-date and that you have set a long and reasonably secure password for the admin user.

Running your own server

If you are planning to setup your own openvpn server, there are numerous other resources available online to guide you through the server installation and configuration process for a variety of different operating systems.

You will find that you need all the keys and certificates that you created by following this guide.

These resources will generally include guidance for crafting .ovpn client configuration files to include specific settings that correspond to your server’s particular setup, so that clients can successfully connect.

Important: This example is intended to provide general guidance to IT professionals who are experienced with SSL requirements and configuration. The procedure described in this article is just one of many available methods you can use to generate the required files. The process described here should be treated as an example and not as a recommendation.

When you configure Tableau Server to use Secure Sockets Layer (SSL) encryption, this helps ensure that access to the server is secure and that data sent between Tableau Server and Tableau Desktop is protected.

Looking for Tableau Server on Linux? See Example: SSL Certificate - Generate a Key and CSR.

Tableau Server uses Apache, which includes OpenSSL. You can use the OpenSSL toolkit to generate a key file and Certificate Signing Request (CSR) which can then be used to obtain a signed SSL certificate.

Steps to generate a key and CSR

To configure Tableau Server to use SSL, you must have an SSL certificate. To obtain the SSL certificate, complete the steps:

2. Generate a key file.
3. Create a Certificate Signing Request (CSR).
4. Send the CSR to a certificate authority (CA) to obtain an SSL certificate.
5. Use the key and certificate to configure Tableau Server to use SSL.

You can find additional information on the SSL FAQ page on the Apache Software Foundation website.

Configure a certificate for multiple domain names

Tableau Server allows SSL for multiple domains. To set up this environment, you need to modify the OpenSSL configuration file, openssl.conf, and configure a Subject Alternative Name (SAN) certificate on Tableau Server. See For SAN certificates: modify the OpenSSL configuration file below.

Set the OpenSSL configuration environment variable (optional)

To avoid using the -config argument with every use of openssl.exe, you can use the OPENSSL_CONF environment variable to ensure that the correct configuration file is used and all configuration changes made in subsequent procedures in this article produce expected results (for example, you must set the environment variable to add a SAN to your certificate).

Open the Command Prompt as an administrator, and run the following command:

set OPENSSL_CONF=c:Program FilesTableauTableau Serverpackagesapache.<version_code>confopenssl.cnf

Notes:

• When setting the Open SSL configuration environment variable, do not enclose the file path with quotation marks.

• If you are using a 32-bit version of Tableau Server on a 64-bit computer, run the set OPENSSL_CONF=c:Program Files (x86)TableauTableau Serverpackagesapache.<version_code>confopenssl.cnf command instead.

Generate a key

Generate a key file that you will use to generate a certificate signing request.

1. Open the Command Prompt as an administrator, and navigate to the Apache directory for Tableau Server. For example, run the following command:

   cd C:Program FilesTableauTableau Serverpackagesapache.<version_code>bin

2. Run the following command to create the key file:

   openssl.exe genrsa -out <yourcertname>.key 4096

   Note: This command uses a 4096-bit length for the key. You should choose a bit length that is at least 2048 bits because communication encrypted with a shorter bit length is less secure. If a value is not provided, 512 bits is used.

Create a certificate signing request to send to a certificate authority

Use the key file you created in the procedure above to generate the certificate signing request (CSR). You send the CSR to a certificate authority (CA) to obtain a signed certificate.

Important: If you want to configure a SAN certificate to use SSL for multiple domains, first complete the steps in For SAN certificates: modify the OpenSSL configuration file below, and then return to here to generate a CSR.

1. Run the following command to create a certificate signing request (CSR) file:

   openssl.exe req -new -key yourcertname.key -out yourcertname.csr

   If you did not set the OpenSSL configuration environment variable, OPENSSL_CONF, you might see either of the following messages:

   • An error message about the config information being unable to load. In this case, retype the command above with the following parameter: -config .confopenssl.cnf.

   • A warning that the /usr/local/ssl directory cannot be found. This directory does not exist on Windows, and you can simply ignore this message. The file is created successfully.

   To set an OpenSSL configuration environment variable, see Set the OpenSSL configuration environment variable (optional) section in this article.

2. When prompted, enter the required information.

   Note: For Common Name, type the Tableau Server name. The Tableau Server name is the URL that will be used to reach the Tableau Server. For example, if you reach Tableau Server by typing tableau.example.com in the address bar of your browser, then tableau.example.com is the common name. If the common name does not resolve to the server name, errors will occur when a browser or Tableau Desktop tries to connect to Tableau Server.

Send the CSR to a certificate authority to obtain an SSL certificate

Send the CSR to a commercial certificate authority (CA) to request the digital certificate. For information, see the Wikipedia article Certificate authority and any related articles that help you decide which CA to use.

Use the key and certificate to configure Tableau Server

When you have both the key and the certificate from the CA, you can configure Tableau Server to use SSL. For the steps, see Configure External SSL.

Openssl Generate Keypair

For SAN certificates: modify the OpenSSL configuration file

In a standard installation of OpenSSL, some features are not enabled by default. To use SSL with multiple domain names, before you generate the CSR, complete these steps to modify the openssl.cnf file.

1. Open Windows Explorer and browse to the Apache conf folder for Tableau Server.

   For example: C:Program FilesTableauTableau Server<version_code>apacheconf

2. Open openssl.cnf in a text editor, and find the following line: req_extensions = v3_req

   This line might be commented out with a hash sign (#) at the beginning of the line.

   If the line is commented out, uncomment it by removing the # and space characters from the beginning of the line.

3. Move to the [ v3_req ] section of the file. The first few lines contain the following text:

   # Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

   After the keyUsage line, insert the following line:

   subjectAltName = @alt_names

   If you’re creating a self-signed SAN certificate, do the following to give the certificate permission to sign the certificate:

   1. Add the cRLSign and keyCertSign to the keyUsage line so it looks like the following: keyUsage = nonRepudiation, digitalSignature, keyEncipherment, cRLSign, keyCertSignhttps://ameblo.jp/orfootvole1974/entry-12632430429.html. Windows 7 pro key generator 64 bit.

   2. After the keyUsage line, add the following line: subjectAltName = @alt_names

4. In the [alt_names] section, provide the domain names you want to use with SSL.

   DNS.1 = [domain1]
DNS.2 = [domain2]
DNS.3 = [etc]

   The following image shows the results highlighted, with placeholder text that you would replace with your domain names.

5. Save and close the file.

6. Complete the steps in Create a certificate signing request to send to a certificate authority section, above.

Additional information

Openssl Generate Server Crt Key Replacement

If you prefer to use a different version of OpenSSL, you can download it from Open SSL for Windows.

Generate Crt Certificate Openssl