Creating Certificates
In the last chapter we successfully set up our first tunnels using pre-shared keys with static encryption, but in the initial chapters we learned why X.509 certificates provide a much better level of security than pre-shared keys do. There is, however, slightly more work to be done to set up and connect two systems with certificate-based authentication. The following five steps have to be accomplished:
1. Create a CA certificate for your CA with which we will sign and revoke client certificates.
2. Create a key and a certificate request for the clients.
3. Sign the request using the CA certificate, thereby making it valid.
4. Provide keys and certificates to the VPN partners.
5. Change the OpenVPN configuration so that OpenVPN will use the certificates and keys, and restart OpenVPN.
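The five steps carried out with the plain openssl command-line tool, as an added example that is not from the book or from easy-rsa. It assumes openssl is installed; the CA name, client name and working directory are constructed values. Steps 1 to 3 are done by make_pki, step 5 by write_openvpn_fragment (step 4 is just copying the files to the peer), and verify_cert adds the check a practitioner wants: a certificate signed by some other CA is rejected against your ca.crt.

```shell
#!/bin/sh
# Added example (not the book's or easy-rsa's code): the certificate steps
# with plain openssl in a scratch directory. All names below are constructed.
set -e

# Steps 1-3: build a CA, a client key + request, and sign the request.
# $1 = working directory, $2 = CA common name, $3 = client common name.
make_pki() {
    dir=$1; ca=$2; client=$3
    mkdir -p "$dir"
    # Step 1: self-signed CA certificate and private key (keep ca.key offline;
    # whoever holds it can issue certificates your VPN will trust).
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=$ca" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    # Step 2: client private key and certificate signing request (CSR).
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$client" \
        -keyout "$dir/$client.key" -out "$dir/$client.csr" 2>/dev/null
    # Step 3: the CA signs the request, producing the client certificate.
    openssl x509 -req -days 365 -in "$dir/$client.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/$client.crt" 2>/dev/null
}

# Prints OK if the certificate chains to $1/ca.crt, FAIL otherwise. This is the
# same trust decision OpenVPN makes when a peer presents its certificate.
verify_cert() {
    dir=$1; certfile=$2
    if openssl verify -CAfile "$dir/ca.crt" "$certfile" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# Step 5: the directives the client's OpenVPN config needs (ca, cert, key);
# a server additionally needs dh and tls-server. Writes and prints the fragment.
write_openvpn_fragment() {
    dir=$1; client=$2
    printf 'tls-client\nca %s/ca.crt\ncert %s/%s.crt\nkey %s/%s.key\n' \
        "$dir" "$dir" "$client" "$dir" "$client" > "$dir/$client.conf"
    cat "$dir/$client.conf"
}
```

Call order: make_pki "$WORK" "Example VPN CA" client1, then verify_cert "$WORK" "$WORK/client1.crt" should print OK, and write_openvpn_fragment "$WORK" client1 gives the lines to paste into the client configuration.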
There are a number of ways to accomplish these steps. easy-rsa is a command-line tool that comes with OpenVPN, and exists both on Linux and Windows. On Windows systems you could create certificates...