
How to Create Certificates For VPN Use in Digi Connect Products

1)  You will first need to download a program that can create certificates for VPN use.  The program that was used for this guide is OpenVPN version 2.1.1.  The program can be downloaded at the following link:
 
http://www.openvpn.net/release/openvpn-2.1.1-install.exe
 
2)  After installing the above program, you will first need to create a Master Certificate Authority certificate and key:
 
NOTE:  This key is not used during the VPN setup.  It is only used by the machine (PC) that is signing the certificates.
 
a)  Open a command prompt, and navigate to the folder the program was installed into, then into the 'easy-rsa' subdirectory.  By default, the path is C:\Program Files\OpenVPN\easy-rsa.
 
b)  Run the following command:
 
init-config
 
c)  This creates a 'vars.bat' file on the system.  Edit these parameters with a text editor to match your company information:  KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, and KEY_EMAIL.
 
d)  Next, run the following commands in this order:

vars
clean-all
build-ca

 
e)  The program will now prompt you for information.  As long as the 'vars.bat' file was edited properly, you should be able to accept the defaults you are given.  The only exception is the Common Name field, where you will need to enter an actual name.  After this is done, you will have the 'ca.crt' and 'ca.key' files in the C:\Program Files\OpenVPN\easy-rsa\keys folder.  (This is the folder where all of the certificates will end up.)
 
3)  The next step in the process will be to generate the certificate and key for the 'Server' side of the setup:
 
a)  Staying in the same directory as before, from the command prompt type:
 
build-key-server server
 
b)  The next screens will look the same as in the previous step.  Once again, the only field that needs to be changed from its default is the Common Name field.  For this example, use the Common Name 'server'.
 
c)  After these steps, two new prompts will appear; you must answer 'yes' to both in order to generate the certificates.
 
d)  After answering 'yes' to the two prompts, you will have the 'server.crt' and 'server.key' files in the C:\Program Files\OpenVPN\easy-rsa\keys folder.
 
4)  The last step is to create the certificate and key for the ‘Client’ side of the setup:
 
a)  Staying in the same directory as before, from the command prompt type:
 
build-key client1
 
b)  The next steps will be the same as the server setup, except the Common Name field should be something unique, such as 'client1'.
 
c)  You will also need to say 'yes' to the two additional options that show up on the screen to complete the certificate generation process.
 
5)  Once this has been completed, you will now have the 5 files necessary to build the VPN tunnel.  If you used the naming from this guide, you should have the following files:
 
ca.crt
server.crt
server.key
client1.crt
client1.key
 
6)  Once you have the certificates, you will need to load them into the Digi device using these steps:
 
a)  Log into the WebUI, and navigate to Administration > X.509 Certificate/Key Management.
 
b)  Click on “Certificate Authorities (CAs) / Certificate Revocation Lists (CRLs)”.
 
c)  Browse to the file called ca.crt and click Upload.  This will upload the file into the “Installed Certificate Authority Certificates” section.
 
d)  After loading the CA certificate, scroll down on the page and click on “Virtual Private Network Identities”.
 
e)  Click the Browse button, and Upload both the server.crt and server.key into the device.  (Or use the client1.crt and client1.key if the server keys were used on the other side of the VPN connection.)
 
7)  After loading the certificates into the locations indicated above, the VPN should now be able to be built using certificates.
 
NOTE:  You will need to load the appropriate certificates into the other VPN appliance as well, or this setup will not work.
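
Before the upload in step 6, the files from step 5 can be checked with the same openssl.exe that the easy-rsa scripts call.  The batch file below is an added example, not part of the original guide; it assumes it is run from the easy-rsa folder, that openssl.exe is callable from that prompt, and that the keys are RSA.  The file name check-keys.bat is hypothetical.

```batch
@echo off
rem check-keys.bat (hypothetical name): added example, not from the original guide.
rem Assumptions: run from the easy-rsa folder, openssl.exe is callable from this
rem prompt, and the keys are RSA.
setlocal
set KEYS=keys
set BAD=0

call :check server
call :check client1

if "%BAD%"=="0" (echo All checks passed.) else (echo One or more checks failed.)
exit /b %BAD%

:check
rem %1 is the name given to build-key-server or build-key.
rem 1. The certificate must verify against the CA certificate from step 2.
openssl verify -CAfile "%KEYS%\ca.crt" "%KEYS%\%1.crt" | findstr /c:": OK" >nul
if errorlevel 1 (
    echo FAIL: %1.crt does not verify against ca.crt
    set BAD=1
)
rem 2. The private key must belong to the certificate: both hold the same
rem    RSA modulus, printed by openssl as a single "Modulus=..." line.
set CRT=
set KEY=
for /f "delims=" %%M in ('openssl x509 -noout -modulus -in "%KEYS%\%1.crt"') do set CRT=%%M
for /f "delims=" %%M in ('openssl rsa -noout -modulus -in "%KEYS%\%1.key"') do set KEY=%%M
if "%CRT%"=="" (
    echo FAIL: could not read a public key from %1.crt
    set BAD=1
)
if not "%CRT%"=="%KEY%" (
    echo FAIL: %1.key does not belong to %1.crt
    set BAD=1
)
goto :eof
```

The script never touches ca.key: as the NOTE in step 2 says, that file is only used by the PC that signs the certificates and is not one of the files loaded into the Digi device.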
 
Last updated: Aug 23, 2017
