1) You will first need to download a program that can create certificates for VPN use. The program used for this guide is OpenVPN version 2.1.1, which can be downloaded from the following link:
https://openvpn.net/community-downloads/
2) After installing the above program, you will first need to create a Master Certificate Authority certificate and key:
NOTE: The CA key (ca.key) is not loaded into the VPN setup. It is used only on the machine (PC) that signs the certificates.
a) Open a command prompt, and navigate to the folder the program was installed into, then into the 'easy-rsa' subdirectory. By default, the path is C:\Program Files\OpenVPN\easy-rsa.
b) Run the following command:
init-config
c) This creates a 'vars.bat' file in that directory. Edit the following parameters with a text editor to match your company information: KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, and KEY_EMAIL.
d) Next, run the following commands in this order:
vars
clean-all
build-ca
e) The program will now prompt you for information. As long as the 'vars.bat' file was edited properly, you can accept the defaults you are offered. The only exception is the Common Name field, for which you will need to enter an actual name. After this is done, you will have the 'ca.crt' and 'ca.key' files in the C:\Program Files\OpenVPN\easy-rsa\keys folder. (This is the folder where all of the certificates will end up.)
3) The next step in the process will be to generate the certificate and key for the 'Server' side of the setup:
a) Staying in the same directory as before, from the command prompt type:
build-key-server server
b) The next screens will look the same as in the previous step. Once again, the only field that needs to be changed from its default is the Common Name field. For this example, use the Common Name 'server'.
c) After these steps, two prompts will appear that you must answer 'yes' to in order to generate the certificate.
d) After answering 'yes' to both prompts, you will have the 'server.crt' and 'server.key' files in the C:\Program Files\OpenVPN\easy-rsa\keys folder.
4) The last step is to create the certificate and key for the 'Client' side of the setup:
a) Staying in the same directory as before, from the command prompt type:
build-key client1
b) The next steps are the same as for the server, except that the Common Name must be unique, such as 'client1'.
c) You will also need to answer 'yes' to the two additional prompts that appear to complete the certificate generation.
5) Once this is complete, you will now have the 5 files necessary to build the VPN tunnel. If you used the naming from this guide, you should have the following files:
ca.crt
server.crt
server.key
client1.crt
client1.key
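Before uploading these files in the next step, it is worth confirming that they fit together: that both certificates chain to ca.crt, that each key belongs to its certificate, that the Common Names are the ones entered at the prompts, and that server.crt was built with build-key-server rather than build-key. The bash function below is an added example, not part of this guide or of OpenVPN; it assumes an openssl binary on PATH (the OpenSSL that the OpenVPN installer places in its bin folder can be used from Git Bash or WSL), unencrypted easy-rsa keys, and the file names used in this guide.

```bash
#!/usr/bin/env bash
# Sanity-check the five easy-rsa output files before loading them into the
# Digi device. Usage: check_vpn_pki "/c/Program Files/OpenVPN/easy-rsa/keys"
# Returns 0 when every check passes, 1 otherwise (findings go to stdout).

check_vpn_pki() {
    local dir="$1" rc=0 f name
    # 1) All five files this guide expects must be present.
    for f in ca.crt server.crt server.key client1.crt client1.key; do
        [ -f "$dir/$f" ] || { echo "MISSING: $f"; rc=1; }
    done
    [ "$rc" -eq 0 ] || return "$rc"

    for name in server client1; do
        local crt="$dir/$name.crt" key="$dir/$name.key"
        # 2) The certificate must chain to ca.crt, the CA the device will trust.
        if openssl verify -CAfile "$dir/ca.crt" "$crt" >/dev/null 2>&1; then
            echo "OK: $name.crt is signed by ca.crt"
        else
            echo "FAIL: $name.crt does not verify against ca.crt"; rc=1
        fi
        # 3) The private key must belong to the certificate (compare public keys).
        if [ "$(openssl x509 -in "$crt" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ]; then
            echo "OK: $name.key matches $name.crt"
        else
            echo "FAIL: $name.key does not match $name.crt"; rc=1
        fi
        # 4) The Common Name must be the one entered at the build-key prompt.
        if openssl x509 -in "$crt" -noout -subject -nameopt RFC2253 | grep -Eq "CN=$name(,|$)"; then
            echo "OK: $name.crt Common Name is '$name'"
        else
            echo "FAIL: $name.crt Common Name is not '$name'"; rc=1
        fi
        # 5) The certificate must not already be expired.
        openssl x509 -in "$crt" -noout -checkend 0 >/dev/null || { echo "FAIL: $name.crt has expired"; rc=1; }
    done

    # 6) build-key-server adds the serverAuth extended key usage that marks a
    #    server certificate; a certificate made with plain build-key lacks it.
    if openssl x509 -in "$dir/server.crt" -noout -text | grep -q "TLS Web Server Authentication"; then
        echo "OK: server.crt carries the serverAuth extended key usage"
    else
        echo "FAIL: server.crt lacks serverAuth (was it built with build-key-server?)"; rc=1
    fi
    return "$rc"
}
```

A non-zero exit means at least one file should be regenerated before it is uploaded; the device will otherwise accept the files and the tunnel will fail later at authentication time.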
6) Once you have the certificates, you will need to load them into the Digi device using these steps:
a) Log into the WebUI, and navigate to Administration > X.509 Certificate/Key Management.
b) Click on “Certificate Authorities (CAs) / Certificate Revocation Lists (CRLs)”.
c) Browse to the file called ca.crt and click Upload. This will upload the file into the “Installed Certificate Authority Certificates” section.
d) After loading the CA certificate, scroll down on the page and click on “Virtual Private Network Identities”.
e) Click the Browse button and upload both server.crt and server.key into the device. (Or use client1.crt and client1.key if the server certificate and key were used on the other side of the VPN connection.)
7) After loading the certificates into the locations indicated above, the VPN can now be built using certificates.
NOTE: You will need to load the appropriate certificates into the other VPN appliance as well, or this setup will not work.
Last updated:
Jan 09, 2024