Saturday, September 2, 2023

Generate a PKCS#12 certificate from an OpenVPN configuration

This article was originally published in both English and Chinese.

When a PC or laptop is the OpenVPN client, we normally just import the *.ovpn file that the OpenVPN server generated. Some devices that ship with an OpenVPN client, such as the MOXA EDR-810 or OnCell products, do not support importing an *.ovpn file, however; they need the client certificate, its private key and the CA certificate delivered as a PKCS#12 bundle instead.

This guide shows how to produce a PKCS#12 certificate file (*.p12) from an *.ovpn file.

First, we extract the material we need from the *.ovpn file.

1-1. An *.ovpn file with inline credentials contains the following parts:
(1) ca: the CA certificate, highlighted yellow in the figure, between <ca> and </ca>
(2) cert: the client certificate, highlighted green, between <cert> and </cert>
(3) key: the client's private key, highlighted red, between <key> and </key>

1-2. Copy the text between <ca> and </ca>, without the <ca> and </ca> tags themselves, and paste it into a new text file in Notepad. The result looks like the figure below:

1-3. Save it as a new file. You can give it the ".crt" extension when saving, or rename the file afterwards.

1-4. Repeat the same steps to produce these three files:
(1) ca.crt (from the <ca> block)
(2) cert.crt (from the <cert> block)
(3) key.key (from the <key> block)
key.key is the client's private key: anyone who holds it together with cert.crt can authenticate to the VPN as this client, so keep these files out of shared folders and delete them once the *.p12 has been created.


Once the certificates and the key have been exported, we use the OpenSSL tool to convert them into a PKCS#12 bundle.

The Windows build of OpenSSL can be downloaded here.
Download the full developer version, not the one whose name contains "Light".
Install it after downloading.

2-1. You have to accept the license agreement to install it.

2-2. Keep the default settings and click through to the end.
When the installation completes, you can donate or uncheck every box, then finish the installer.


After the installation completes, the tool is used from the command line.
This article uses PowerShell; there are two ways to open a PowerShell window that is already positioned in a specific folder:

3-1. Open File Explorer, navigate to the folder, type "powershell" into the address bar (the yellow part in the figure) and press Enter.

3-2. Open File Explorer, navigate to the folder, then click "File" > "Open Windows PowerShell" > "Open Windows PowerShell".


In the PowerShell window, run the following command:

& "<install path>\bin\openssl.exe" pkcs12 -export -out <p12 filename>.p12 -inkey <key filename>.key -in <cert filename>.crt -certfile <ca filename>.crt

* The & "<path>" form is needed because the default install path contains a space. Unquoted, PowerShell parses C:\Program Files\OpenSSL-Win64\bin\openssl.exe as the command C:\Program with Files\... as its argument; quoting fixes the split, but a quoted string is only executed as a command when it is preceded by the call operator &.
* -inkey takes the private key, -in the client certificate, and -certfile the CA certificate, which is bundled into the *.p12 alongside the other two.

OpenSSL prompts for an export password and asks you to type it again to verify it.
This password encrypts the private key inside the *.p12 and is required when you import the certificate into the device, so choose a strong one and hand it over separately from the file.

The *.p12 file then appears in the same folder. You can check its contents with "openssl pkcs12 -info -in <p12 filename>.p12 -noout", which prompts for the import password and lists the certificates and key the bundle contains.
If the device rejects the bundle, note that OpenSSL 3.x encrypts PKCS#12 files with AES-256-CBC and PBKDF2 by default; older firmware may only understand the previous RC2/3DES-based scheme, which OpenSSL 3.x produces when -legacy is appended to the export command.