A virtual private network (VPN) protects your traffic by tunneling it, encrypted, between your device and the VPN server, and hides your real network address from the sites you visit. Research presented at the USENIX Security Symposium has shown that VPN deployments can still be vulnerable to a wide range of attacks.
The tunnel encrypts data in transit, but an attacker positioned between the user's device and the VPN server can still attempt a man-in-the-middle (MITM) attack: impersonating the server, or relaying the connection while reading or altering it. What defeats this is authentication, and that is what an SSL/TLS certificate provides. A certificate issued by a trusted certificate authority (CA) lets the client verify that it is talking to the genuine server before any credentials or data are sent, provided the client actually validates the certificate instead of silently accepting whatever it is shown.
This guide discusses SSL certificates for VPN servers and how to install one. Let's begin with the basics.
What is an SSL certificate?
An SSL certificate (strictly, an X.509 certificate used by TLS, the protocol that replaced SSL) is a digital document that binds a public key to an identity, usually a domain name, and is signed by a certificate authority. It works with an asymmetric key pair: the public key is published inside the certificate, while the private key stays on the server and must never leave it. A client uses the certificate to authenticate the server and to set up the encrypted session that protects data in transit between the two.
Why is an SSL certificate necessary for VPN servers?
An SSL certificate lets the user's device authenticate your VPN server before it trusts the connection. The VPN tunnel already encrypts the traffic; what the certificate adds is assurance that the endpoint on the other side of that tunnel really is your server and not an impostor, which is what stops MITM attacks. Many VPN protocols are built on TLS for exactly this reason: OpenVPN, for example, runs its control channel over TLS and authenticates the server with an X.509 certificate by default.
Here are some key benefits of using an SSL certificate for your VPN servers.
- Secures data in transit
- Improves the security of the VPN connection
- Helps meet data-protection and compliance requirements
- Authenticates the server's identity to connecting clients
- Prevents man-in-the-middle attacks (as long as clients validate the certificate)
- Improves user trust
How to get an SSL certificate for your VPN server?
Different CAs offer different features, and you can choose based on your requirements; Comodo (now Sectigo) is one commonly cited example. Any publicly trusted CA's certificate will work wherever the VPN client validates it against the operating system's trust store, so the real question is not which CA is "compatible" with your VPN but which protocol and component you are securing. OpenVPN and IKEv2/IPsec authenticate the server with an X.509 certificate, L2TP/IPsec can use one for the IPsec phase, and PPTP does not use certificates at all (and is obsolete). Determine which VPN server and which service (the tunnel, the web interface, or both) you want to secure, then choose the certificate accordingly.
CAs sell several kinds of SSL certificate, distinguished by validation type and by how many domains or subdomains one certificate covers. A wildcard certificate, for example, covers every first-level subdomain of one domain (vpn1.exampletronix.com, vpn2.exampletronix.com, and so on), which makes it convenient for a fleet of VPN servers managed under a single certificate. The trade-off is that every server then holds the same private key, so compromising one server exposes the certificate used by all of them; weigh that against the convenience.
The validation types are:
- Domain Validation (DV) certificates are issued after the CA verifies only that the requester controls the domain.
- Organization Validation (OV) certificates add vetting of the requesting organization, including its registered name and location, which then appear in the certificate.
- Extended Validation (EV) certificates involve the most thorough vetting, covering the legal existence, identity, and authority of the requester.
All three are ordinary X.509 certificates and give the same cryptographic protection; what differs is how much identity information the CA has verified, not the strength of the encryption.
CAs also offer certificates based on the number of domains or subdomains you want to cover:
- Single-domain certificates cover one hostname, such as vpn.exampletronix.com.
- Wildcard certificates cover all first-level subdomains of one domain (*.exampletronix.com); most CAs also include the bare domain. They do not cover deeper levels such as a.b.exampletronix.com.
- Multi-domain certificates, also sold as Unified Communications Certificates (UCC) or SAN certificates, list several unrelated hostnames in the Subject Alternative Name (SAN) extension and cover all of them with one certificate. (SAN here means Subject Alternative Name, not Storage Area Network.)
Once you have selected the type of certificate, generate a key pair and a certificate signing request (CSR) containing your details, and submit the CSR to the CA. The CA verifies the request and issues the certificate. Only the CSR is sent; the private key never leaves your server.
How to install an SSL certificate on a VPN server?
Installing an SSL certificate on a VPN server starts with generating a CSR. We will use OpenVPN Access Server as the example and OpenSSL to generate the CSR.
Step 1: Generate CSR on OpenSSL
Use the following command to create a 4096-bit RSA private key and a CSR signed with SHA-256. The -nodes option leaves the private key unencrypted on disk (the server must be able to read it at startup), so make sure the file is readable only by root:
openssl req -out server.csr -new -newkey rsa:4096 -sha256 -nodes -keyout server.key
OpenSSL then prompts for the details that go into the certificate's subject, such as the common name and country:
- Country Name (2-letter code) [AU]: US
- State or Province Name (full name) [Some-State]: California
- Locality Name (e.g., city) : San Francisco
- Organization Name (e.g., company) [Internet Widgits Pty Ltd]: Exampletronix, Inc.
- Organizational Unit Name (e.g., section) : IT Support
- Common Name (e.g., server FQDN or YOUR name) : vpn.exampletronix.com <- the fully qualified hostname clients will connect to
- Email Address : (optional)
- Please enter the following 'extra' attributes to be sent with your certificate request
- A challenge password : (leave blank; public CAs do not use it)
- An optional company name : (leave blank)
Note that this interactive flow only sets the Common Name. Browsers and most TLS clients now require the hostname in the Subject Alternative Name extension; public CAs normally copy the CN into the SAN when issuing, but it is safer to put it in the CSR explicitly.
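The same CSR step, as an added example that is not part of the original article: a non-interactive script that writes the key with restrictive permissions and puts the hostname in the SAN extension, then checks the resulting CSR before it is sent anywhere. It assumes OpenSSL 1.1.1 or newer (needed for -addext); the hostname, organization and file names are placeholders.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): non-interactive CSR generation
# for the step above. Assumes OpenSSL 1.1.1 or newer (for -addext). The subject
# values and file names are placeholders to replace with your own.

# make_csr FQDN KEYFILE CSRFILE [RSA_BITS]
# Creates a private key and a CSR whose Subject Alternative Name carries the
# FQDN. Modern clients validate the SAN, not the Common Name, so the CN alone
# is not enough. The key is written with mode 600 via a subshell umask, so the
# umask change does not leak into the caller's shell.
make_csr() {
    fqdn=$1; key=$2; csr=$3; bits=${4:-4096}
    (
        umask 077   # key file must not be group- or world-readable
        openssl req -new -newkey "rsa:${bits}" -sha256 -nodes \
            -keyout "$key" -out "$csr" \
            -subj "/C=US/ST=California/L=San Francisco/O=Exampletronix, Inc./CN=${fqdn}" \
            -addext "subjectAltName=DNS:${fqdn}" 2>/dev/null
    )
}

# verify_csr CSRFILE FQDN
# Checks the CSR's self-signature (proves the CSR matches the key that signed
# it) and that the expected DNS name is present in the SAN. Returns non-zero
# if either check fails.
verify_csr() {
    csr=$1; fqdn=$2
    openssl req -in "$csr" -noout -verify >/dev/null 2>&1 || return 1
    openssl req -in "$csr" -noout -text | grep -qw "DNS:${fqdn}" || return 1
}

# Usage when run directly:
#   ./make_csr.sh vpn.exampletronix.com server.key server.csr
if [ "$#" -ge 3 ]; then
    make_csr "$1" "$2" "$3" && verify_csr "$3" "$1" && echo "CSR OK: $3"
fi
```

Only server.csr goes to the CA; server.key stays on the VPN server. Running verify_csr against a different hostname fails, which is the check you want before paying for a certificate that would not match the name clients use.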
Step 2: Submit the CSR
Submit the CSR file (server.csr) to the CA through its ordering portal; never send the private key. The CA verifies the details according to the validation type you chose and issues the certificate, usually together with an intermediate CA bundle. You can then install them on the VPN server. Taking OpenVPN Access Server as the example, let's walk through the installation.
Step 3: Install SSL certificate for Your VPN server
OpenVPN Access Server ships with a self-signed web certificate. The two commands below, run from the scripts directory (/usr/local/openvpn_as/scripts by default), are what the server uses to generate that initial self-signed CA and server certificate; you do not normally need to run them yourself, but they show where the default files come from:
./certool -d ../etc/web-ssl --type ca --unique --cn "OpenVPN Web CA"
./certool -d ../etc/web-ssl --type server --remove_csr --sn_off
The files are saved in the web-ssl directory, /usr/local/openvpn_as/etc/web-ssl/. You can replace them with the ones your CA sent: the private key, the certificate, and the intermediate bundle. Note that this web certificate secures the Admin and Client Web UIs and the initial connection made by the OpenVPN Connect client; the VPN tunnel itself is authenticated by the Access Server's internal certificate authority, which is a separate PKI.
The Access Server reads its web certificate from configuration database keys when they are set. If those keys are absent (the default), it falls back to the self-signed files in web-ssl. To have the server pick up files you placed in the web-ssl folder, import them into the configuration database key values with:
./sacli --import GetActiveWebCerts
Importing the files alone is not enough: the configuration database keys for the private key, certificate, and CA bundle must point at your files so that every client request is served with your certificate.
Step 4: Set up the configuration database keys
Use the following commands to set the configuration database keys for your private key, certificate, and intermediate bundle. The paths under /etc/webcerts/ are examples; use wherever you stored the files from your CA.
For private key,
./sacli --key "cs.priv_key" --value_file "/etc/webcerts/vpn.yourdomain.com/privatekey.pem" ConfigPut
For certificate file,
./sacli --key "cs.cert" --value_file "/etc/webcerts/vpn.yourdomain.com/crt.pem" ConfigPut
For the CA bundle,
./sacli --key "cs.ca_bundle" --value_file "/etc/webcerts/vpn.yourdomain.com/intermediary_bundle.pem" ConfigPut
Once the keys are set, restart the Access Server services so the new certificate is served, then test it from a client: open the web UI in a browser, or connect with a TLS client that validates the full chain, and confirm that the certificate presented is yours, that the chain verifies up to the CA's root, and that the expiry date is what you expect.
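Steps 3 and 4 as one script, added here as an example that is not from the original article or from the OpenVPN project: it checks that the CA's files belong together and chain correctly before touching the server, then runs the ConfigPut calls from Step 4, restarts the services, and connects back the way a client would. It assumes the default scripts directory /usr/local/openvpn_as/scripts, the default Admin Web UI port 943, and file names of your choosing; sacli is only invoked if the checks pass.

```bash
#!/usr/bin/env bash
# Added example (not from the original article or the OpenVPN project):
# pre-install sanity checks on the files the CA returned, the sacli calls from
# Step 4, and a post-install check. Assumptions: scripts live in
# /usr/local/openvpn_as/scripts (default install path) and the Admin Web UI
# listens on TCP 943 (default). File names are yours.

SACLI_DIR=${SACLI_DIR:-/usr/local/openvpn_as/scripts}

# key_matches_cert KEYFILE CERTFILE
# Compares the public key derived from the private key with the public key
# inside the certificate. A mismatch here is the usual reason the web UI keeps
# serving the self-signed certificate after an "install".
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ "$k" = "$c" ]
}

# verify_chain CERTFILE BUNDLEFILE [ROOTFILE]
# Builds the chain leaf -> intermediates -> root. With a public CA the root is
# already in the system trust store, so the intermediate bundle is passed as
# -untrusted only; a private root can be supplied explicitly (used in tests).
verify_chain() {
    cert=$1; bundle=$2; root=$3
    if [ -n "$root" ]; then
        openssl verify -CAfile "$root" -untrusted "$bundle" "$cert" >/dev/null 2>&1
    else
        openssl verify -untrusted "$bundle" "$cert" >/dev/null 2>&1
    fi
}

# install_webcert KEYFILE CERTFILE BUNDLEFILE
# Runs the checks, then the ConfigPut calls from Step 4 and a service restart
# so the new web certificate is actually served. Refuses to change the server
# if the key and certificate do not belong together or the chain is broken.
install_webcert() {
    key=$1; cert=$2; bundle=$3
    key_matches_cert "$key" "$cert" || { echo "private key does not match certificate" >&2; return 1; }
    verify_chain "$cert" "$bundle"  || { echo "chain does not verify against the system trust store" >&2; return 1; }
    cd "$SACLI_DIR" || return 1
    ./sacli --key "cs.priv_key"  --value_file "$key"    ConfigPut
    ./sacli --key "cs.cert"      --value_file "$cert"   ConfigPut
    ./sacli --key "cs.ca_bundle" --value_file "$bundle" ConfigPut
    ./sacli start
}

# check_live FQDN [PORT]
# Connects like a client would (SNI set, chain validated against the system
# store, handshake aborted on any validation error) and prints the subject and
# expiry of the certificate actually being served.
check_live() {
    host=$1; port=${2:-943}
    openssl s_client -connect "${host}:${port}" -servername "$host" \
        -verify_return_error </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -enddate
}

# Usage when run directly on the server:
#   ./install_webcert.sh privatekey.pem crt.pem intermediary_bundle.pem vpn.exampletronix.com
if [ "$#" -ge 4 ]; then
    install_webcert "$1" "$2" "$3" && check_live "$4"
fi
```

The two checks are deliberately ordered before any sacli call: a key/certificate mismatch or a missing intermediate is cheap to catch offline and expensive to debug once clients start seeing warnings. check_live uses -verify_return_error so a chain problem fails the handshake outright instead of printing a warning you might miss.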
A VPN protects your data inside the tunnel, and an SSL certificate from a trusted CA ensures that clients are talking to your genuine server rather than an impostor. Choosing the right certificate depends on the validation type, the number of hosts it must cover, the VPN software, and the CA. We have covered the factors critical to choosing and installing an SSL certificate on a VPN server; the exact steps differ with the VPN software you run, and the commands shown here are specific to OpenVPN Access Server.