The OpenVPN documentation sets up a single certificate from a single CA to be used for all clients.
Is there a way to set the server to enable multiple certificates from different CAs so long as the clients have valid certificates from trusted authorities?
According to the manpage, the file specified by the ca option can contain multiple certificates, and there is also a capath option to specify a directory containing multiple certificate files. Try using these on the server to point to all the CA certificates you want to verify clients against.
One way to do it is to have multiple configuration files and multiple instances of openvpn listening on different ports.
Each client will have to be configured with either the address and port of the right instance [or, if you want to use the same config file and it's OK to have a longer connection time] a list of all available addresses/ports in form:
AFAIK, the OpenVPN documentation sets you up to use a different certificate for each client. It's true that they're all signed by the same CA, but that doesn't make them all the same certificate. You should mint a new certificate for each client (otherwise revocation becomes a very unpleasant all-or-nothing proposition). Is a different certificate for each client, all signed by the same CA, not enough to do what you want?
My apologies if you already knew that OpenVPN would do this, and there are good reasons why it doesn't work for you; but your question didn't suggest that you were aware of this.
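The multi-CA trust described in the answer about the ca option can be checked offline with openssl before touching the server; this is an added example, not part of the original thread. The CA names (A, B, C), client names and file paths are constructed, and openssl verify stands in for the chain check; OpenVPN itself is not run.

```shell
#!/bin/sh
# Added example: throwaway constructed CAs and clients, all names are assumptions.
WORK=$(mktemp -d)

# make_ca NAME: self-signed CA key and certificate (constructed, 1-day lifetime).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed CA $1" \
        -keyout "$WORK/ca-$1.key" -out "$WORK/ca-$1.crt" 2>/dev/null
}

# issue_client CA NAME: a separate key and certificate per client, signed by CA.
issue_client() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$WORK/$2.csr" -days 1 \
        -CA "$WORK/ca-$1.crt" -CAkey "$WORK/ca-$1.key" -CAcreateserial \
        -out "$WORK/$2.crt" 2>/dev/null
}

# verify_client NAME: exit 0 only if the certificate chains to a CA in the bundle.
verify_client() {
    openssl verify -CAfile "$WORK/ca-bundle.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

make_ca A; make_ca B; make_ca C
issue_client A alice; issue_client B bob; issue_client C carol

# The file the server's "ca" option would point at: CA A and CA B as
# concatenated PEM. CA C is deliberately left out.
cat "$WORK/ca-A.crt" "$WORK/ca-B.crt" > "$WORK/ca-bundle.crt"

for c in alice bob carol; do
    if verify_client "$c"; then
        echo "$c: accepted"
    else
        echo "$c: rejected (issuer not in bundle)"
    fi
done
```

Every CA placed in the bundle can issue certificates the server will accept, so the bundle should contain only CAs whose issuance you trust.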