Chapter 3. PKIs and Certificates
Primarily, OpenVPN uses X.509 certificates for client authentication and VPN traffic encryption, though this support can be disabled. Looking at the mailing list and IRC channel history, setup and maintenance of the Private Key Infrastructure (PKI) for X.509 certificates is a difficult concept, and can be a cumbersome task.
The OpenSSL binary has all the tools required to manually manage a PKI, but the command options are complicated and, if not automated, can be prone to error. It is recommended that organizations or individuals use a script or other package to manage their PKI. Not only does this limit errors, but also rules and other general criteria can be better adhered to.
Two open source projects exist that are expressly written to work well with OpenVPN implementations. Easy-RSA is a long-standing project that has always been tied closely with the OpenVPN project. Originally written along-side OpenVPN, its initial purpose was to build a...