To use the CSEL's OpenVPN server, you need an
OpenSSL certificate signed by our certificate
authority. To get a certificate, start by choosing a common name. We
will only accept requests for names that match your
email address plus a tag.
$ CN="email@example.com"
$ openssl genrsa -out "$CN".key 2048
$ openssl req -new -key "$CN".key -out "$CN".csr -subj "/C=US/ST=Colorado/L=Boulder/O=University of Colorado/OU=Department of Computer Science/CN=$CN/emailAddress=firstname.lastname@example.org"
A couple of things to note:
The .key is private; do not share it. The .csr (certificate signing request) is public; it can be shared.
There can only be one active connection per certificate. It's fine to use the same certificate on, e.g., your laptop and your desktop if only one will be connected at a time.
You can share one key among any number of certificates; however, make sure you transfer your key securely between machines. There really isn't a drawback to using separate keys, though.
A key size of 2048 is sufficient, but you can choose others such as 1024, 4192, etc. if you so desire.
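The generation step above together with checks worth running before the .csr is mailed, as an added example that is not part of the original page. The function names make_request and check_csr and the sample addresses are assumptions for illustration; the subject fields are the ones shown above.

```shell
#!/bin/sh
# Added example (not from the original page). Function names are hypothetical.

# make_request CN EMAIL DIR: the page's two openssl commands, run under
# umask 077 so the private key is never group- or world-readable.
make_request() (
    umask 077
    cd "$3" || exit 1
    openssl genrsa -out "$1.key" 2048 2>/dev/null &&
    openssl req -new -key "$1.key" -out "$1.csr" \
        -subj "/C=US/ST=Colorado/L=Boulder/O=University of Colorado/OU=Department of Computer Science/CN=$1/emailAddress=$2"
)

# check_csr KEY CSR EXPECTED_CN: prints the first failed check and returns 1.
check_csr() {
    # Key must not be accessible to group or others (chars 5-10 of the mode).
    [ "$(ls -ld "$1" 2>/dev/null | cut -c5-10)" = "------" ] ||
        { echo "key permissions too open"; return 1; }
    # The CSR's self-signature must verify (catches truncation or edits).
    openssl req -in "$2" -noout -verify 2>&1 | grep -q "verify OK" ||
        { echo "CSR signature invalid"; return 1; }
    # The public key in the CSR must be the one derived from this private key.
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    csr_pub=$(openssl req -in "$2" -noout -pubkey 2>/dev/null)
    [ "$key_pub" = "$csr_pub" ] ||
        { echo "CSR was not made from this key"; return 1; }
    # The CN is what the CA compares against your email address plus tag.
    cn=$(openssl req -in "$2" -noout -subject -nameopt multiline |
         sed -n 's/^ *commonName *= //p')
    [ "$cn" = "$3" ] || { echo "CN is '$cn', expected '$3'"; return 1; }
    echo "ok: $2 is ready to send; keep $1 private"
}

# Demo with constructed values, in a throwaway directory.
d=$(mktemp -d)
make_request "email@example.com" "email@example.com" "$d" &&
    check_csr "$d/email@example.com.key" "$d/email@example.com.csr" "email@example.com"
rm -rf "$d"
```
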
.csr is generated, email it to
will generate a
.crt (certificate) for you and place it in your CSEL
home directory. The
.crt is public, it can't be used for much without