Extracting separate certificate files for a user

My device requires separate certificate files

OpenVPN Access Server combines the certificates and the instructions for the OpenVPN client program into one file: the connection profile, or client.ovpn file. For the OpenVPN open source client version 2.1 and the OpenVPN Connect Client this works fine. However, some situations require separate certificate files (CA, CERT, KEY and TA) and a separate config file in order to connect. You can encounter this on embedded devices such as routers, whose GUI has a separate field for each file to be loaded into. Access Server has a command line method to produce these separate files.

This page shows how to do this from start to end. You will need a working OpenVPN Access Server, its root password, and the programs PuTTY and WinSCP. PuTTY is used to open an SSH session to the server and run the commands that create the separate files; WinSCP is used to copy the files off the server onto a Windows workstation.

Generating and transferring the files

Start PuTTY, connect to the IP address of your server on port 22 (SSH), and click 'Open'.

Enter the server's username and password. The account must have root access. This is not a VPN client username!

In the following steps we use the VPN client username 'novaflash'. Substitute the username you want the separate files for. If you want separate files for an 'autologin' profile, append _AUTOLOGIN to the username in the Get5 command; in our example that would be: novaflash_AUTOLOGIN Get5. Note also that if TLS authentication is disabled on the Access Server you will not get a ta.key file, so you end up with only 4 files instead.

Execute command: cd /usr/local/openvpn_as/scripts/

Execute command: ./sacli --user novaflash AutoGenerateOnBehalfOf

Execute command: mkdir separate

Execute command: ./sacli -o ./separate --cn novaflash get5

Execute command: ls -la separate

You now have the separate files in the folder /usr/local/openvpn_as/scripts/separate/. The next step is to open WinSCP, connect to the server, and copy the files to the local computer. If you are using Linux, you could also just use 'scp' to copy the files, but this guide is written for Windows users. We are assuming that logging in directly with the root user account is enabled on your server. If it is not, and you are using another unprivileged account from which you can sudo su to get root privileges, that is fine too. Note, however, that when you use WinSCP with a non-root account it does not have access to all files and folders on the system, especially those owned by root. If you encounter that problem, chown the files so they are readable and accessible by the unprivileged user. For example: chown <USERNAME> <FILENAME>
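The steps above, gathered into one shell function with the checks a practitioner would want before copying the files anywhere. This is an added example, not a script from the OpenVPN Access Server documentation or part of the sacli tool. It assumes, beyond what the page states, that the scripts directory is passed in as an argument (so the function can be exercised against a stand-in for sacli), that output file names are not relied on (files are recognised by content), and that the optional fifth argument is the unprivileged account the guide mentions for WinSCP.

```shell
#!/bin/sh
# Added example, not part of the OpenVPN Access Server documentation or of sacli.
# Runs the guide's commands for one user and checks the result before the files
# are copied off the server. Assumptions not stated on the page: SCRIPTS_DIR is
# an argument (so a test double of sacli can be used), output files are inspected
# by content rather than by name, and SCP_USER is the optional unprivileged account.
set -eu

# extract_separate_files SCRIPTS_DIR USERNAME [userlogin|autologin] [OUTDIR] [SCP_USER]
# Prints the number of files produced; exits non-zero if the set is incomplete.
# The body runs in a subshell so the 'cd' does not leak into the caller.
extract_separate_files() (
    scripts_dir=$1
    username=$2
    profile_type=${3:-userlogin}
    outdir=${4:-separate}
    scp_user=${5:-}

    # Autologin profiles are addressed by appending _AUTOLOGIN to the user name
    # in the get5 command; AutoGenerateOnBehalfOf takes the plain user name.
    cn=$username
    if [ "$profile_type" = "autologin" ]; then
        cn="${username}_AUTOLOGIN"
    fi

    cd "$scripts_dir"

    # Make sure the user has a certificate before asking for the files.
    ./sacli --user "$username" AutoGenerateOnBehalfOf

    # The directory will hold a private key: owner-only access from the start.
    mkdir -p "$outdir"
    chmod 700 "$outdir"
    ./sacli -o "./$outdir" --cn "$cn" get5

    # Count what was produced and tighten permissions on every secret:
    # the client private key and the tls-auth static key (ta.key).
    n=0
    for f in "$outdir"/*; do
        [ -f "$f" ] || continue
        n=$((n + 1))
        if grep -q -e 'PRIVATE KEY' -e 'Static key' "$f"; then
            chmod 600 "$f"
        fi
    done

    # Five files are expected (CA, cert, key, ta.key, config); four when TLS
    # authentication is disabled on the server and no ta.key is issued.
    if [ "$n" -lt 4 ]; then
        echo "only $n file(s) in $outdir; expected 4 or 5" >&2
        exit 1
    fi
    if [ "$n" -eq 4 ]; then
        echo "4 files: no ta.key, TLS authentication appears to be disabled" >&2
    fi

    # WinSCP logged in as an unprivileged account cannot read root-owned files.
    if [ -n "$scp_user" ]; then
        chown -R "$scp_user" "$outdir"
    fi

    echo "$n"
)

# Stand-alone use on the Access Server, for example:
#   sh extract.sh --run novaflash autologin separate
if [ "${1:-}" = "--run" ]; then
    shift
    extract_separate_files /usr/local/openvpn_as/scripts "$@"
fi
```

The function keeps the guide's order of commands and adds three things the guide leaves to the reader: the output directory and the key files are never world-readable, the file count is checked against the 4-or-5 rule from the note on TLS authentication, and the chown for an unprivileged WinSCP account is applied to the whole directory in one step.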

Start WinSCP, click 'Session', enter the address of the server, the username and password, select SCP as the protocol, and click 'Login'.

Once connected, click on the 'Open folder' icon and open: /usr/local/openvpn_as/scripts/separate/

Now select the files shown in the right panel (the server) and drag and drop them to your computer in the left panel.