I'm not sure if it sounds like a stupid question but all the guides I've looked at when it comes to making certificates for OpenVPN all use Easy-RSA.

Some of my servers, such as my NAS and OpenMediaVault server on my home LAN, use SSL to encrypt the data, therefore I have created my own CA (certificate of authority) that is installed on each client. Having a single CA certificate installed automatically approves any of the certificates that are used on my servers, saving installing multiple certificates on the client.

In regards to OpenVPN, I would rather skip making a second root certificate for OpenVPN and instead utilise the existing trusted root certificate I have made with OpenSSL already installed on my clients.

Is this possible?

Many thanks


Would the generation of the diffie hellman be the equivalent of the openssl req x509 command?

This is the first command I use when creating my OpenSSL certificates

openssl req -x509 -newkey rsa:4096 -keyout ca/cakey.pem -out ca/cacert.pem -days 3650 -sha256 -nodes -config configs/ca_openssl.cnf

I'm just trying to find out the equivalent commands to the Easy-RSA ones.

  • Is it possible? There shouldn't be any reason you can't do what you want. If it's the best method, or the most secure, that's entirely a subjective determination. Have you tried to do this and run into an error?
    – Ramhound
    Commented Nov 5, 2019 at 18:44
  • "Would the generation of the Diffie-Hellman be the equivalent of the openssl req x509 command?"- You are aware of the fact that you should not use Diffie-Hellman to generate any certificate, right? There is a known vulnerability.
    – Ramhound
    Commented Nov 5, 2019 at 22:58
  • Usually certificate creation doesn't involve DH at all – the DH parameters are completely independent of the cert type. (Although there are DH-based certificates, nobody ever uses them, and shouldn't.) Commented Nov 6, 2019 at 15:25

1 Answer


All guides use Easy-RSA because it's easy and it comes as part of OpenVPN.

Beyond that, however, OpenVPN uses completely standard RSA-based X.509 certificates, exactly like those used by HTTPS and other TLS. (The OpenVPN control channel even uses regular TLS, although within a custom multiplexing layer.)

The only important difference is that older OpenVPN versions used to be more strict about extendedKeyUsage than other TLS clients; for example if you used --remote-cert-tls client it would require the certificate to have only "TLS client" usage and would reject certificates which had server & client usage OIDs set (as is common for most TLS certificates).

Finally, OpenVPN clients don't require the CA certificate to be installed system-wide and in fact the authors discourage it somewhat. The CA certificate can just be included inline in the configuration file.
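
The OpenSSL equivalent of Easy-RSA's build-server-full / build-client-full, as an added example that is not code from the question, the answer, OpenVPN or Easy-RSA: it signs a server and a client certificate with an existing CA laid out like the asker's (cakey.pem and cacert.pem), gives each one only the extendedKeyUsage its role needs so the answer's --remote-cert-tls point is satisfied, and checks the result with openssl verify -purpose, which draws the same server/client distinction OpenVPN does. The config file stands in for the asker's ca_openssl.cnf; the names vpn-server and laptop, the 825-day lifetime and the key sizes are assumptions, and make_demo_ca only exists so the script runs without the asker's real CA. DH parameter generation is kept separate from certificate issuance because, as the comments note, the two are unrelated.

```shell
#!/bin/sh
# Added example, not code from the post, OpenVPN or Easy-RSA: issue OpenVPN
# server and client certificates from an existing OpenSSL CA, replacing
# Easy-RSA's build-server-full / build-client-full. Assumes the CA layout
# from the question (cakey.pem, cacert.pem) and openssl on PATH; names such
# as vpn-server and laptop, and the 825-day lifetime, are assumptions.
set -eu

# One config file for everything, standing in for the asker's ca_openssl.cnf.
# server_ext carries only serverAuth and client_ext only clientAuth, so each
# cert passes exactly one of OpenVPN's --remote-cert-tls server|client checks.
write_openssl_cnf() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[ dn ]
CN = Home Lab Root CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
[ client_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
EOF
}

# make_demo_ca CA_DIR: a throwaway root made the same way as the question's
# first command. The asker already has this; it is here so the example runs.
make_demo_ca() {
    mkdir -p "$1"
    write_openssl_cnf "$1/openssl.cnf"
    openssl req -x509 -newkey rsa:2048 -keyout "$1/cakey.pem" \
        -out "$1/cacert.pem" -days 3650 -sha256 -nodes \
        -config "$1/openssl.cnf" >/dev/null 2>&1
}

# issue_cert CA_DIR OUT_DIR NAME server|client: key + CSR, then sign with
# the existing CA using the extension profile that matches the role.
issue_cert() {
    ca=$1; out=$2; name=$3; role=$4
    mkdir -p "$out"
    write_openssl_cnf "$out/openssl.cnf"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$out/$name.key" \
        -out "$out/$name.csr" -subj "/CN=$name" \
        -config "$out/openssl.cnf" >/dev/null 2>&1
    openssl x509 -req -in "$out/$name.csr" -CA "$ca/cacert.pem" \
        -CAkey "$ca/cakey.pem" -CAcreateserial -days 825 -sha256 \
        -extfile "$out/openssl.cnf" -extensions "${role}_ext" \
        -out "$out/$name.crt" >/dev/null 2>&1
}

# cert_usable_as CA_DIR CERT sslserver|sslclient: succeeds only if CERT chains
# to the CA and its EKU permits that role, the distinction OpenVPN also draws.
cert_usable_as() {
    openssl verify -CAfile "$1/cacert.pem" -purpose "$3" "$2" >/dev/null 2>&1
}

# cert_eku CERT: print the human-readable extendedKeyUsage of a certificate.
cert_eku() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Extended Key Usage' | tail -n 1 | sed 's/^ *//'
}

# DH parameters are independent of any certificate (see the comments above);
# generate them once for the server config's "dh" directive. This is slow.
gen_dh() {
    openssl dhparam -out "$1" 2048 2>/dev/null
}

# Stand-alone use: sh script.sh CA_DIR OUT_DIR, where CA_DIR already holds
# the existing cakey.pem and cacert.pem.
if [ "$#" -ge 2 ]; then
    issue_cert "$1" "$2" vpn-server server
    issue_cert "$1" "$2" laptop client
    echo "server: $(cert_eku "$2/vpn-server.crt")"
    echo "client: $(cert_eku "$2/laptop.crt")"
fi
```

After issuing, the server certificate verifies with -purpose sslserver but not sslclient, and the client certificate the other way round; that is exactly the property --remote-cert-tls relies on, so a leaked client certificate cannot be used to impersonate the server. The CA certificate and each peer's certificate and key can then be pasted inline into the OpenVPN configuration rather than installed system-wide, as the answer suggests.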
