← Back to blog
bpdubuntu

A Step-by-Step Guide to Creating OpenVPN Certificates with Easy-RSA

15 December 2025bpd · ubuntu

The Foundation of Your VPN’s Security

The ‘Ubuntu System Administration Guide’ breaks down the process of generating the necessary certificates for your OpenVPN server into manageable steps using the `easy-rsa` tool.

The Certificate Generation Workflow

  1. Initialize a PKI: The first step is to create a Public Key Infrastructure (PKI) environment, which will be the foundation for all your keys and certificates.
  2. Build a Certificate Authority (CA): You’ll create your own root CA. This CA will be used to ‘sign’ and validate the certificates for your server and clients, ensuring they trust each other.
  3. Generate a Server Certificate: Next, you’ll generate a certificate request and a private key for the OpenVPN server itself.
  4. Sign the Server Certificate: You’ll use your CA to sign the server’s certificate request, officially validating it.
  5. Generate Client Certificates: You will repeat the generation and signing process for each client device (e.g., your laptop or phone) that you want to connect to the VPN.

While it involves several steps, this process ensures your VPN connections are authenticated and secure.

This post is based from content of the book Ubuntu System adminstration guide. And the book can be found here https://www.amazon.com/stores/Mattias-Hemmingsson/author/B0FF5CQX13