There are tons of guides on the web on how to generate certificates for OpenVPN, and many use a great little piece of software called “easy-rsa”. However most of these guides are for either a Windows PC or pure linux. It is surprisingly difficult to find any guide for doing this on a Mac, and the information I was able to find (as of this writing) was all outdated. I am writing this guide for myself in case I need to re-do the process. I’m using mostly the guide from Kevin Firko with bits of information found here and there…
Criticism of existing guides
The first thing that is wrong with most of the online Mac guides is the statement that openssl on your Mac is outdated and that it will fail when using
A simple call to openssl version on my Mac running macOS Mojave returned "OpenSSL 1.1.1g 21 Apr 2020", which actually (as of this writing) is the most up-to-date version of OpenSSL.
The other guides then tell you to use brew to install a custom version of OpenSSL on your Mac, but I am consistently resistant to using Brew, and in this case it turned out to be an unnecessary step. Whatever openssl version prints, also run which openssl: easy-rsa calls the first openssl on your PATH unless you point EASYRSA_OPENSSL in the vars file at a different binary, so that is the copy that has to be recent enough. Let's move on.
The second thing that is wrong with all the guides I found, although less serious than the first, is that they all recommend a 2048-bit key size. If I am going to generate a certificate that is supposed to work for the next 10 years, I'd better make it as future-proof as possible, and therefore I think 4096 is the better number. Two things to keep in mind: easy-rsa uses EASYRSA_KEY_SIZE for gen-dh as well, so generating the Diffie-Hellman parameters takes considerably longer at 4096, and the lifetime itself is set separately in the vars file by EASYRSA_CA_EXPIRE (3650 days by default) and EASYRSA_CERT_EXPIRE, not by the key size.
Installing and configuring easy-rsa
Step #1: Make sure that you have Xcode installed and up to date. If not, install it.
Step #2: Download easy-rsa from https://github.com/OpenVPN/easy-rsa/releases – use the most recent version, and get the ".tgz" file; it is the Unix tarball and works on macOS as well, since easy-rsa 3 is a shell script that needs only sh/bash and the openssl command-line tool.
Step #3: Double-click the downloaded file – it will unzip into a folder. Rename the folder to “easyrsa” for convenience.
Step #4: Open the Terminal, go into the "easyrsa" folder and copy and edit the "vars" file:
cd ~/Downloads/easyrsa
cp vars.example vars
vi vars
Step #5: In the "vars" file look for the lines
#set_var EASYRSA_REQ_COUNTRY "US"
#set_var EASYRSA_REQ_PROVINCE "California"
#set_var EASYRSA_REQ_CITY "San Francisco"
#set_var EASYRSA_REQ_ORG "Copyleft Certificate Co"
#set_var EASYRSA_REQ_EMAIL "email@example.com"
#set_var EASYRSA_REQ_OU "My Organizational Unit"
Uncomment them and put the correct info between the quotes. In case you're unfamiliar with vi: press i to start editing. Next look for the following line:
#set_var EASYRSA_KEY_SIZE 2048
Uncomment it and change 2048 to 4096. Then save the file (press Esc, then type :wq and hit Enter). You're now ready to start generating the certificates.
Generate the certificates
The following piece comes directly from Kevin Firko's guide – no changes here. I am just going to copy the commands – for the description please refer to the original post. For the server certificate, enter server as the common name.
./easyrsa init-pki
./easyrsa build-ca nopass
./easyrsa build-server-full server nopass
./easyrsa gen-dh
Note that nopass on build-ca leaves the CA private key (pki/private/ca.key) unencrypted on disk; anyone who copies that file can issue certificates your OpenVPN server will trust. Omit nopass on that one command if you want the CA key protected by a passphrase; you will then be asked for it each time you sign a server or client certificate. Also expect gen-dh to run for a long time with a 4096-bit key size.
For client certificates, enter a proper name for each client (replace your-device-name):
./easyrsa build-client-full your-device-name nopass
Repeat for each client that is supposed to connect to your OpenVPN.
And that’s it!
You will find everything in the pki folder within your easyrsa folder: pki/ca.crt is the CA certificate and pki/dh.pem the DH parameters, and for the server and each client the certificate is in pki/issued/<name>.crt with its private key in pki/private/<name>.key.
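As an added example (not part of the post, Kevin Firko's guide or the easy-rsa project), here is the whole procedure from Step #4 onward as one script, followed by a check of what came out: it writes the vars file instead of editing it in vi, runs the easy-rsa commands above, and then uses openssl to confirm that each issued certificate chains to the CA, has the expected 4096-bit key, and that the CA key was actually encrypted. It assumes easy-rsa was unpacked to ~/Downloads/easyrsa as in the post (EASYRSA_DIR overrides that), and the subject values in generate_pki are placeholders to replace with your own. Unlike the post it runs build-ca without nopass.

```shell
#!/bin/sh
# Added example for this post, not part of easy-rsa or Kevin Firko's guide.
# Drives the easy-rsa steps end-to-end and then verifies the output with openssl.
# Assumptions: easy-rsa 3 was unpacked to ~/Downloads/easyrsa (override with
# EASYRSA_DIR); the subject values in generate_pki are placeholders.
set -e

EASYRSA_DIR="${EASYRSA_DIR:-$HOME/Downloads/easyrsa}"

# Step 4/5 without vi: write a complete "vars" file.
# $1 = destination, then country province city org email ou.
write_vars() {
    dest="$1"
    cat >"$dest" <<EOF
set_var EASYRSA_REQ_COUNTRY  "$2"
set_var EASYRSA_REQ_PROVINCE "$3"
set_var EASYRSA_REQ_CITY     "$4"
set_var EASYRSA_REQ_ORG      "$5"
set_var EASYRSA_REQ_EMAIL    "$6"
set_var EASYRSA_REQ_OU       "$7"
set_var EASYRSA_KEY_SIZE     4096
EOF
}

# Reads "openssl x509 -text" output on stdin and prints the public key size
# in bits (e.g. 4096); fails if no "Public-Key: (N bit)" line is present.
key_bits_from_text() {
    sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1 | grep .
}

# Reads a PEM private key on stdin; succeeds only if it is passphrase-protected
# (PKCS#8 "BEGIN ENCRYPTED PRIVATE KEY" or legacy "Proc-Type: 4,ENCRYPTED").
key_is_encrypted() {
    grep -q 'ENCRYPTED'
}

# The commands from the post. build-ca is run WITHOUT nopass here so the CA
# key is encrypted; easy-rsa prompts for that passphrase when signing.
# Arguments: one name per client certificate to issue.
generate_pki() {
    cd "$EASYRSA_DIR"
    write_vars ./vars "US" "California" "San Francisco" \
        "Example Org" "admin@example.com" "VPN"   # placeholder subject values
    ./easyrsa init-pki
    ./easyrsa build-ca
    ./easyrsa build-server-full server nopass
    ./easyrsa gen-dh            # 4096-bit DH parameters: expect a long wait
    for client in "$@"; do
        ./easyrsa build-client-full "$client" nopass
    done
}

# Verify one issued certificate against the CA and report key size and expiry,
# so a wrong vars file is caught before the files are copied to the server.
check_cert() {
    ca="$1"; crt="$2"
    openssl verify -CAfile "$ca" "$crt" >/dev/null
    bits=$(openssl x509 -in "$crt" -noout -text | key_bits_from_text)
    echo "$crt: ${bits}-bit key, $(openssl x509 -in "$crt" -noout -enddate)"
    [ "$bits" = 4096 ] || echo "  warning: expected a 4096-bit key"
}

verify_pki() {
    cd "$EASYRSA_DIR/pki"
    if key_is_encrypted <private/ca.key; then
        echo "CA key private/ca.key is passphrase-protected"
    else
        echo "warning: CA key private/ca.key is stored unencrypted"
    fi
    for crt in issued/*.crt; do
        check_cert ca.crt "$crt"
    done
}

# Usage: sh easyrsa-mac.sh generate laptop phone   and afterwards   sh easyrsa-mac.sh verify
case "${1:-}" in
    generate) shift; generate_pki "$@" ;;
    verify)   verify_pki ;;
esac
```

The verify step is the part worth keeping around: openssl verify proves the server and client certificates were signed by the CA in pki/ca.crt, the key-size check catches a vars file whose EASYRSA_KEY_SIZE line was left commented out, and the ENCRYPTED check tells you whether the CA key on your laptop is protected by anything more than file permissions.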