Generate OpenVPN Certificates and Keys

Generate OpenVPN certificates and keys for Yeastar S-Series VoIP PBX and clients.

Important: Execute all of the commands below in the same Command Prompt window.

If you want to open a new Command Prompt window to execute commands (e.g. to create certificates for a new client):

  • Each time you open a new Command Prompt window, execute the vars command first, then the other commands.
  • You don’t need to execute the init-config command unless you want to edit the vars.bat file again.

Initialize the OpenVPN configuration

  1. Press the Windows key and the R key, type cmd, and press the Enter key.
  2. Navigate to %ProgramFiles%\OpenVPN\easy-rsa (e.g. D:\OpenVPN\easy-rsa).
    cd D:\OpenVPN\easy-rsa
  3. Initialize the configurations.
    init-config
  4. Open the vars.bat file in a text editor.
    notepad vars.bat
    1. Change the KEY_SIZE setting.
      Usually, set the private key size to 1024 or 2048.
      set KEY_SIZE=2048
    2. Edit the following lines to show your address and company.

      Later, when you create the CA, certificates and keys, you will be asked to enter information that will be incorporated into your certificate request. If you change the default variables below, you don’t have to enter this information each time.

      set KEY_COUNTRY=CN
      set KEY_PROVINCE=FJ
      set KEY_CITY=Xiamen
      set KEY_ORG=Yeastar
      set KEY_EMAIL=support@yeastar.com
    3. Save the vars.bat file and return to the Command Prompt window.
  5. Run the following commands to make sure you are operating in a clean environment.
    CAUTION: This will remove all certificates and keys from the keys directory.
    vars
    clean-all

Build Certificate Authority (CA)

  1. Run the following command to create the ca.crt and ca.key files in the keys directory.
    build-ca
  2. When prompted to enter information that will be incorporated into your certificate request, enter your country, organization, etc.

    Or press the Enter key to use the preset values shown in brackets.

    Important: The only parameter that must be explicitly entered is the Common Name. In the example below, we set Common Name to OpenVPN_CA.
    Country Name (2 letter code) [CN]:
    State or Province Name (full name) [FJ]:
    Locality Name (eg, city) [Xiamen]:
    Organization Name (eg, company) [Yeastar]:
    Organizational Unit Name (eg, section) [changeme]:admin
    Common Name (eg, your name or your server's hostname) [changeme]:OpenVPN_CA
    Name [changeme]:Yeastar
    Email Address [support@yeastar.com]:

Build certificate and key for server

  1. Run the following command to create the {server_name}.crt and {server_name}.key files in the keys directory.
    In the command below, we create server.crt and server.key.
    build-key-server server
  2. When prompted to enter information that will be incorporated into your certificate request, enter your country, organization, etc.

    Or press the Enter key to use the preset values shown in brackets.

    Important: The only parameter that must be explicitly entered is the Common Name. Enter the same name as {server_name}. In the example below, we set Common Name to server.
    Country Name (2 letter code) [CN]:
    State or Province Name (full name) [FJ]:
    Locality Name (eg, city) [Xiamen]:
    Organization Name (eg, company) [Yeastar]:
    Organizational Unit Name (eg, section) [changeme]:admin
    Common Name (eg, your name or your server's hostname) [changeme]:server
    Name [changeme]:Yeastar
    Email Address [support@yeastar.com]:
  3. When prompted to sign the certificate and commit, type y and press the Enter key.
    Sign the certificate? [y/n]:y
    1 out of 1 certificate requests certified, commit? [y/n]y

Build certificate and key for client

  1. Run the following command to create the {client_name}.crt and {client_name}.key files in the keys directory.

    In the command below, we create client.crt and client.key.

    build-key client
  2. When prompted to enter information that will be incorporated into your certificate request, enter your country, organization, etc.

    Or press the Enter key to use the preset values shown in brackets.

    Important: The only parameter that must be explicitly entered is the Common Name. Enter the same name as {client_name}. In the example below, we set Common Name to client.
    Country Name (2 letter code) [CN]:
    State or Province Name (full name) [FJ]:
    Locality Name (eg, city) [Xiamen]:
    Organization Name (eg, company) [Yeastar]:
    Organizational Unit Name (eg, section) [changeme]:admin
    Common Name (eg, your name or your server's hostname) [changeme]:client
    Name [changeme]:Yeastar
    Email Address [support@yeastar.com]:
  3. When prompted to sign the certificate and commit, type y and press the Enter key.
    Sign the certificate? [y/n]:y
    1 out of 1 certificate requests certified, commit? [y/n]y
  4. Repeat steps 1 to 3 to create a certificate and key for each client.

    For each client, choose a name that identifies it, such as Windows.crt and Windows.key for a Windows PC.

Build a ta.key

Run the following command to create the ta.key file in the keys directory.

OpenVPN --genkey --secret keys/ta.key

Generate Diffie-Hellman parameters

build-dh
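
The batch script below is an added example, not part of Yeastar's procedure: it checks that the server and client certificates created above chain to ca.crt, that each private key belongs to its certificate, and it prints the key length for comparison with KEY_SIZE. It assumes it is run from the easy-rsa directory in the same Command Prompt window, that openssl.exe is reachable from that prompt (as the build scripts require), that the names server and client from this page were used, and that the private keys have no passphrase.

```batch
@echo off
rem Added example, not part of the Yeastar procedure.
rem Assumptions: run from the easy-rsa directory; openssl.exe is reachable
rem from this prompt; "server" and "client" are the names used on this page;
rem the private keys are not passphrase-protected.
setlocal
set KEYS=keys
set RC=0

call :check server
call :check client
if %RC%==0 (echo All checks passed.) else (echo One or more checks failed.)
exit /b %RC%

:check
rem 1. The certificate must chain to the CA created by build-ca.
rem    Match the ": OK" text, because older OpenSSL builds exit 0 on failure.
openssl verify -CAfile %KEYS%\ca.crt %KEYS%\%1.crt 2>&1 | findstr /C:": OK" >nul
if errorlevel 1 (
    echo [FAIL] %1.crt does not verify against ca.crt
    set RC=1
) else (
    echo [ OK ] %1.crt chains to ca.crt
)

rem 2. The private key must belong to the certificate: compare the RSA moduli.
set CRT_MOD=
set KEY_MOD=
for /f "delims=" %%M in ('openssl x509 -noout -modulus -in %KEYS%\%1.crt 2^>nul') do set CRT_MOD=%%M
for /f "delims=" %%M in ('openssl rsa -noout -modulus -in %KEYS%\%1.key 2^>nul') do set KEY_MOD=%%M
rem An unreadable file leaves the variable empty; force a mismatch in that case.
if not defined CRT_MOD set CRT_MOD=missing-crt
if not defined KEY_MOD set KEY_MOD=missing-key
if "%CRT_MOD%"=="%KEY_MOD%" (
    echo [ OK ] %1.key matches %1.crt
) else (
    echo [FAIL] %1.key does not match %1.crt
    set RC=1
)

rem 3. Print the key length so it can be compared with KEY_SIZE in vars.bat.
openssl x509 -noout -text -in %KEYS%\%1.crt | findstr /C:" bit)"
goto :eof
```

To check a certificate created under another name, add a further call :check line with that name. If step 3 reports 1024 bit, note that RSA keys of that size are below current recommendations; 2048 is the safer of the two KEY_SIZE values mentioned above.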