Setting up your own Certificate Authority (CA) and generating certificates and keys for an OpenVPN server and multiple clients

The first step in building an OpenVPN 2.x configuration is to establish a PKI (public key infrastructure). The PKI consists of:

- a separate certificate (also known as a public key) and private key for the server and each client, and
- a master Certificate Authority (CA) certificate and key which is used to sign each of the server and client certificates.

OpenVPN supports bidirectional authentication based on certificates, meaning that the client must authenticate the server certificate and the server must authenticate the client certificate before mutual trust is established.

Both server and client will authenticate the other by first verifying that the presented certificate was signed by the master certificate authority (CA), and then by testing information in the now-authenticated certificate header, such as the certificate common name or certificate type (client or server).

This security model has a number of desirable features from the VPN perspective:

- The server only needs its own certificate/key - it doesn't need to know the individual certificates of every client which might possibly connect to it.
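The two-step check described above (first "was this certificate signed by our master CA?", then "what does the authenticated certificate say about its CN and its type?") can be exercised with plain openssl, which is what OpenVPN's PKI tooling sits on. The script below is an added example and is not part of the OpenVPN HOWTO or its easy-rsa scripts: it builds a throwaway CA, a server certificate, a client certificate and a "rogue" self-signed certificate that reuses the server's CN, then runs both checks against each. The scratch directory `WORK`, the certificate names, the CNs and the 30-day lifetimes are all constructed for the demo; the certificate "type" is carried in the extendedKeyUsage extension (serverAuth / clientAuth), which is also the field OpenVPN's `remote-cert-tls` option inspects.

```shell
#!/bin/sh
# Added example (not from the OpenVPN HOWTO): a throwaway PKI built with
# openssl, then the two checks each peer performs on the other's certificate.
# WORK, the file names and the CNs below are all constructed for this demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # assumed: a writable scratch directory

# issue_cert NAME EKU: CSR for CN=NAME, signed by the CA with the given EKU.
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  printf 'extendedKeyUsage = %s\n' "$2" > "$WORK/$1.ext"
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" 2>/dev/null
}

# Master CA, one server cert, one client cert, and a rogue cert that copies
# the server's CN but is self-signed rather than signed by our CA.
build_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Example-CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  issue_cert server  serverAuth   # certificate "type": server
  issue_cert client1 clientAuth   # certificate "type": client
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=server" \
    -keyout "$WORK/rogue.key" -out "$WORK/rogue.crt" 2>/dev/null
}

# Check 1: was the presented certificate signed by the master CA?
verify_chain() {
  openssl verify -CAfile "$WORK/ca.crt" "$1" 2>&1 | grep -q ': OK$'
}

# Check 2a: read the common name from the now-authenticated certificate.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *CN=//'
}

# Check 2b: certificate type. -purpose applies OpenSSL's server/client rules
# (extendedKeyUsage / keyUsage) on top of the chain check.
is_server_cert() {
  openssl verify -CAfile "$WORK/ca.crt" -purpose sslserver "$1" 2>&1 | grep -q ': OK$'
}
is_client_cert() {
  openssl verify -CAfile "$WORK/ca.crt" -purpose sslclient "$1" 2>&1 | grep -q ': OK$'
}

# What a server concludes about a peer certificate: chain OK, client type,
# and the CN matches the identity it expects ($2).
accept_as_client() {
  verify_chain "$1" && is_client_cert "$1" && [ "$(cert_cn "$1")" = "$2" ]
}

demo() {
  build_pki
  for f in server client1 rogue; do
    if verify_chain "$WORK/$f.crt"; then
      echo "$f.crt: signed by our CA, CN=$(cert_cn "$WORK/$f.crt")"
    else
      echo "$f.crt: REJECTED (not signed by our CA)"
    fi
  done
  is_server_cert "$WORK/server.crt"  && echo "server.crt passes the server-type check"
  is_server_cert "$WORK/client1.crt" || echo "client1.crt fails the server-type check"
}
demo
```

The rogue certificate shows why the order of the checks matters: its CN reads "server", but it never reaches the CN comparison because it fails the signature check against the CA first. Likewise a valid client certificate cannot be replayed as a server certificate, since the type check rejects it even though it chains to the same CA.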