Generating OpenVPN certificates

Hello everyone,

I was wondering if I could generate client VPN certificates using Vault for my OpenVPN-based VPN server.

Since I’m new to Vault, could you please tell me if this is possible and how?

Our OpenVPN server already has a generated certificate; however, it is not stored in Vault.
We would like to create client VPN certificates using Vault PKI.
Also, it would be nice if I don’t have to start from scratch and can use the current certificate.

If that’s possible, could someone please take a moment to walk me through the process?

Thank you in advance.

Yes, you can generate client VPN certificates for your OpenVPN server using Vault’s PKI secret engine. Here’s a quick rundown:

1. Enable the PKI secret engine in Vault.
2. Set up Vault as an Intermediate CA by importing your existing CA certificate and signing Vault’s intermediate CA CSR with your existing CA.
3. Configure a role in Vault for OpenVPN client certificates with specific parameters like TTL, allowed domains, etc.
4. Generate client certificates using the configured role for each of your OpenVPN clients.
5. Integrate the generated certificates and keys into your OpenVPN configuration.

This setup allows you to use your existing CA certificate while leveraging Vault to manage and issue client certificates for OpenVPN.
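As an added example (not code from this thread or from Vault), the Python below covers steps 3 and 5 of that rundown: it builds the role body that Vault's PKI API accepts for client-only certificates and turns a `pki/issue/<role>` response into an inline `.ovpn` profile. The role name, the `vpn.example.internal` domain and the PEM strings in the sample response are assumptions or constructed placeholders.

```python
import json

def openvpn_client_role(allowed_domain="vpn.example.internal", ttl="168h", max_ttl="720h"):
    """Body for `vault write pki/roles/openvpn-client` (role name is an assumption)."""
    return {
        "ttl": ttl,
        "max_ttl": max_ttl,
        "key_type": "rsa",
        "key_bits": 2048,
        "client_flag": True,            # certificates are valid for TLS client auth only
        "server_flag": False,           # a leaked client cert cannot pose as the VPN server
        "ext_key_usage": ["ClientAuth"],
        "key_usage": ["DigitalSignature", "KeyEncipherment"],
        "allowed_domains": [allowed_domain],
        "allow_subdomains": True,       # CN such as alice.vpn.example.internal
        "allow_bare_domains": False,
        "allow_any_name": False,
        "require_cn": True,
    }

def render_ovpn(issue_response, remote_host, remote_port=1194):
    """Turn the JSON returned by pki/issue/<role> into an inline OpenVPN client profile."""
    if "errors" in issue_response:      # Vault API error shape: {"errors": [...]}
        raise ValueError("Vault error: " + "; ".join(issue_response["errors"]))
    data = issue_response["data"]
    for key in ("certificate", "private_key", "issuing_ca"):
        if not data.get(key, "").startswith("-----BEGIN"):
            raise ValueError(f"issue response is missing PEM field {key!r}")
    # Ship the full chain (intermediate + root) so the client can validate the server cert
    ca_bundle = "\n".join(data.get("ca_chain") or [data["issuing_ca"]])
    return "\n".join([
        "client", "dev tun", "proto udp",
        f"remote {remote_host} {remote_port}",
        "remote-cert-tls server",        # reject peers whose cert lacks the server EKU
        f"<ca>\n{ca_bundle}\n</ca>",
        f"<cert>\n{data['certificate']}\n</cert>",
        f"<key>\n{data['private_key']}\n</key>",
    ]) + "\n"

# Constructed sample of a pki/issue response; PEM bodies are placeholders, not real keys.
SAMPLE_ISSUE = {"data": {
    "certificate": "-----BEGIN CERTIFICATE-----\nCLIENTCERT\n-----END CERTIFICATE-----",
    "issuing_ca": "-----BEGIN CERTIFICATE-----\nINTERMEDIATE\n-----END CERTIFICATE-----",
    "ca_chain": ["-----BEGIN CERTIFICATE-----\nINTERMEDIATE\n-----END CERTIFICATE-----",
                 "-----BEGIN CERTIFICATE-----\nROOT\n-----END CERTIFICATE-----"],
    "private_key": "-----BEGIN RSA PRIVATE KEY-----\nCLIENTKEY\n-----END RSA PRIVATE KEY-----",
    "private_key_type": "rsa",
    "serial_number": "00:11:22",
}}

if __name__ == "__main__":
    print(json.dumps(openvpn_client_role(), indent=2))
    print(render_ovpn(SAMPLE_ISSUE, "vpn.example.internal"))
```

The role body is what step 3 posts to Vault; the profile from `render_ovpn` is what step 5 hands to the OpenVPN client, with `remote-cert-tls server` ensuring a client certificate issued by this role can never be accepted as the server.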