OpenVPN - can I use an existing SSL certificate?

I want to set up an OpenVPN server for my personal use. I own a domain and I have a valid SSL certificate for this domain (issued by StartSSL).

At the beginning of the setup instructions for OpenVPN there's a section describing the generation of my own certificate authority, used later to issue self-signed certificates.

I wonder if I can use my existing SSL certificate for that purpose? Do I gain any advantages by doing that?

For example, I used this certificate for mail server SSL, and mail clients do not complain about self-signed certificates. Do OpenVPN clients use well-known root certificates to check the server's certificate, or do they not employ this infrastructure, so that a self-signed certificate will work fine?


Solution 1:

How are you planning on doing client authentication? Are you planning on doing cert-based client authentication, or something else?

I wonder if I can use my existing SSL certificate for that purpose? Do I gain any advantages by doing that?

Yes, you probably could get away with re-using a certificate, so long as your cert subject value matches the name of your OpenVPN server.

This is almost certainly a bad idea though. There are few or no advantages to doing it. You will probably make things more difficult and confusing for yourself if you try and you aren't very well versed in how PKI works.

In any case, for your first VPN server I strongly suggest following the guide as it is written before you try doing anything fancy with external CAs or third-party certificates. OpenVPN is extremely flexible, but it is best to stick with the standard method to start.

Do OpenVPN clients use well-known root certificates to check the server's certificate, or do they not employ this infrastructure, so that a self-signed certificate will work fine?

Generally, when setting up OpenVPN clients, you give the client the CA cert in addition to the suggested configuration.

Solution 2:

While this answer is much later than your original question, your question is the first link that came up when I googled OpenVPN StartSSL and I hope my experience can help someone else who is trying to do the same thing.

With a bit of playing around, I have been able to get OpenVPN working with free StartSSL server and client certificates with one year validity.

StartSSL does not allow its Web Server SSL/TLS Certificates to be used on the client side, so I generated multiple S/MIME and Authentication Certificates (using email+[clientname]@[mydomainname]) and exported them from the browser.

I had to convert the S/MIME and Authentication Certificates from .pfx files to keys and certificates using openssl. I followed this guide.

Then I had to combine the client key and various keys/certificates together into an OVPN file (I used a ta key too). I adapted someone else's script to do this from the command-line. Code here.

I was originally stumped by certificate verification errors, particularly:

VERIFY ERROR: depth=0, error=unable to get local issuer certificate

For me, the key was downloading ca.pem, sub.class1.server.ca.pem and sub.class1.client.ca.pem from StartSSL then combining the three:

cat ca.pem sub.class1.server.ca.pem sub.class1.client.ca.pem > ca-COMBINED.pem

I used this in my server.conf for OpenVPN and chocks were away!
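As an added example (not code from the question or either answer), the script below rebuilds the situation the answer describes with a throwaway PKI: a root, a server sub-CA and a client sub-CA, a client certificate exported to .pfx and split back into key and cert with openssl, and a check showing that a ca file holding only the root produces "unable to get local issuer certificate" while the concatenated file verifies. It assumes openssl is on PATH; every name in it (vpn.demo.example, client1, the sub.class1.* file names, the pass phrase) is constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: a throwaway PKI laid out like the StartSSL chain
# in the answer (root -> server sub-CA -> server cert, root -> client sub-CA -> client
# cert), a .pfx round trip with openssl, and the ca-file check that explains the
# "unable to get local issuer certificate" error. Assumes openssl on PATH; all names
# below are constructed for the demo.
set -eu

# issue <name> <issuer-cert> <issuer-key> <ext-file>: key + CSR for <name>, signed by issuer
issue() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA "$2" -CAkey "$3" -CAcreateserial \
    -days 365 -extfile "$4" -out "$1.crt" 2>/dev/null
}

# build_demo_pki <dir>: whole hierarchy, the .pfx round trip and ca-COMBINED.pem (subshell, so cwd is untouched)
build_demo_pki() (
  mkdir -p "$1" && cd "$1"
  printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext   # for the root and both sub-CAs
  printf 'basicConstraints=CA:FALSE\n' > leaf.ext         # for the server and client certs
  # Self-signed root, the equivalent of StartSSL's ca.pem
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" \
    -keyout root.key -out root.csr 2>/dev/null
  openssl x509 -req -in root.csr -signkey root.key -days 365 -extfile ca.ext -out ca.pem 2>/dev/null
  issue sub.class1.server.ca ca.pem root.key ca.ext       # server-side intermediate
  issue sub.class1.client.ca ca.pem root.key ca.ext       # client-side intermediate
  issue vpn.demo.example sub.class1.server.ca.crt sub.class1.server.ca.key leaf.ext
  issue client1 sub.class1.client.ca.crt sub.class1.client.ca.key leaf.ext
  # Browser-style export, then the pfx -> separate key and cert split done with openssl
  openssl pkcs12 -export -in client1.crt -inkey client1.key -out client1.pfx -passout pass:demo
  openssl pkcs12 -in client1.pfx -passin pass:demo -nocerts -nodes -out client1-from-pfx.key 2>/dev/null
  openssl pkcs12 -in client1.pfx -passin pass:demo -clcerts -nokeys -out client1-from-pfx.crt 2>/dev/null
  # The fix from the answer: the "ca" file must carry the intermediates, not just the root
  cat ca.pem sub.class1.server.ca.crt sub.class1.client.ca.crt > ca-COMBINED.pem
)

# verify_chain <cafile> <cert>: 0 if <cert> chains to <cafile>, i.e. the check an OpenVPN
# peer effectively performs against the file named by "ca" in its config
verify_chain() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# verify_error <cafile> <cert>: the first chain-building reason openssl reports, if any
verify_error() {
  openssl verify -CAfile "$1" "$2" 2>&1 | sed -n 's/.*depth lookup: *//p' | head -n 1
}

# fingerprint <cert>: SHA-256 fingerprint, to confirm the .pfx round trip kept the same cert
fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256
}
```

Run `build_demo_pki /tmp/demo-pki` and then compare `verify_chain /tmp/demo-pki/ca.pem /tmp/demo-pki/vpn.demo.example.crt` with the same call against ca-COMBINED.pem to reproduce the error and its fix.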