Powershell – Self-signed Certificate via Self-signed Root CA
The inspiration for this post came from my OpenVPN AWS instance and recent experience testing Server 2016 ADFS. I wanted to stretch my legs beyond the simple flat certs I used for ADFS and sort of re-create a root CA signing event. The OpenVPN Access Server was a great platform as it expects a CA bundle, a server certificate, and a server private key – all in .pem format. I was able to complete the base certificates using powershell but had to leverage openssl eventually to get the .pem formats. You are running bash on windows, yes? OK , good.
Step 1 – Create the root certificate
$params = @{ DnsName = "infiniteloop.io Root Cert" KeyLength = 2048 KeyAlgorithm = 'RSA' HashAlgorithm = 'SHA256' KeyExportPolicy = 'Exportable' NotAfter = (Get-Date).AddYears(5) CertStoreLocation = 'Cert:\LocalMachine\My' KeyUsage = 'CertSign','CRLSign' #fixes invalid cert error } $rootCA = New-SelfSignedCertificate @params
Step 2 – Create the server cert signed by the new root
$params = @{ DnsName = "vpn.infiniteloop.io" Signer = $rootCA KeyLength = 2048 KeyAlgorithm = 'RSA' HashAlgorithm = 'SHA256' KeyExportPolicy = 'Exportable' NotAfter = (Get-date).AddYears(2) CertStoreLocation = 'Cert:\LocalMachine\My' } $vpnCert = New-SelfSignedCertificate @params
Step 3 – Add self-signed root to trusted root certificate store of current windows client
# Extra step needed since self-signed cannot be directly shipped to trusted root CA store # if you want to silence the cert warnings on other systems you'll need to import the rootCA.crt on them too Export-Certificate -Cert $rootCA -FilePath "C:\certs\rootCA.crt" Import-Certificate -CertStoreLocation 'Cert:\LocalMachine\Root' -FilePath "C:\certs\rootCA.crt"
Step 4 – Export server certificate as .pfx
Export-PfxCertificate -Cert $vpnCert -FilePath 'C:\certs\vpn.pfx' -Password (ConvertTo-SecureString -AsPlainText 'securepw' -Force)
Step 5 – Extract server private key from .pfx to convert .crt to .pem
# enter bash session from cmd as admin and cd to directory containing vpn.pfx cd /mnt/c/certs # convert root ca certificate to pem format openssl x509 -inform DER -in rootCA.crt -out rootCA.pem # export server private key to pem format openssl pkcs12 -in vpn.pfx -nocerts -nodes -out vpnkey.pem # convert server certificate to pem format openssl x509 -inform DER -in vpn.crt -out vpn.pem
Step 6 – Browse to your OpenVPN admin page and login
- Configuration > Web Server
- CA Bundle > Choose File > rootCA.pem
- Certificate > Choose File > vpn.pem
- Private Key > Choose File > vpnkey.pem
- Select Validate
- Click Save
- Select Update Running Server
- Connection will drop
Step 7 – Re-open IE or Chrome and browse to main OpenVPN web page
- No more cert warnings