Ocserv self-signed Certs

Deploy your own CA
ENV: Debian 10 Buster 64bit
Dependencies: GnuTLS

Install GnuTLS and Generate key

apt install gnutls-bin
mkdir /etc/ocserv/ssl/
cd /etc/ocserv/ssl/
certtool --generate-privkey --outfile ca-privkey.pem

Make a CA Template

nano ca-cert.cfg

// Template start here
# X.509 Certificate options

# The organization of the subject.

organization = "Example Org"

# The common name of the certificate owner.

cn = "Example CA"

# The serial number of the certificate.

serial = 001

# In how many days, counting from today, this certificate will expire. Use -1 if there is no expiration date.

expiration_days = -1

# Whether this is a CA certificate or not


# Whether this certificate will be used to sign data


# Whether this key will be used to sign other certificates.


# Whether this key will be used to sign CRLs.


// Template End here

Let’s generate a CA with Template that we made before

certtool --generate-self-signed --load-privkey ca-privkey.pem --template ca-cert.cfg --outfile ca-cert.pem

Let’s generate PKCS12

certtool --to-p12 --load-privkey client-privkey.pem --load-certificate client-cert.pem --pkcs-cipher 3des-pkcs12 --outfile client.p12 --outder

Edit Ocserv configuration

nano /etc/ocserv/ocserv.conf

// Remove #comment
auth = "certificate"
// If you want auth user with plain password by comment out this line
enable-auth = "plain[passwd=/etc/ocserv/ocpasswd]"

// Replace
ca-cert = /etc/ssl/certs/ssl-cert-snakeoil.pem 
ca-cert = /etc/ocserv/ssl/ca-cert.pem

// Exit and restart service
systemctl restart ocserv

1. https://beyondkmp.com/post/centos7-ocser-config/
2. https://holmesian.org/linode-vps-centos-anyconnect
3. https://ywnz.com/linuxyffq/4562.html
4. https://nova.moe/deploy-openconnect-ocserv-with-letsencrypt/
5. https://www.linuxbabe.com/debian/openconnect-vpn-server-ocserv-debian-10-buster
Photo by Jon Tyson on Unsplash