The following are command examples that may be used to create secrets for the VPN connection.

It is assumed that these commands are typed on the VPN server side (not on the gateway)

First, create a root certification authority. It will be used to sign the VPN server and client certificates. The certificate itself is self-signed, but it could be signed by a trusted CA (this case is not documented here).

# Work in /etc/ipsec.d
cd /etc/ipsec.d
 
# Create a 4096 bit private key
ipsec pki --gen --type rsa --size 4096 --outform pem > private/rootca.pem
chmod 600 private/rootca.pem
 
# Create a 10 year certificate
ipsec pki --self --ca --lifetime 3650 --in private/rootca.pem --type rsa --dn "C=FR, O=Kerlink, CN=Kerlink Root CA" --outform pem >cacerts/rootca.pem

Then, create a certificate and private key that will be used by the VPN server:

# Create a 2048 bit VPN private key
ipsec pki --gen --type rsa --size 2048 --outform pem >private/vpnkey.pem
chmod 600 private/vpnkey.pem
 
# Create a 2 year VPN certificate
ipsec pki --pub --in private/vpnkey.pem --type rsa \
    | ipsec pki --issue --lifetime 730 --cacert cacerts/rootca.pem --cakey private/rootca.pem --dn "C=FR, O=Kerlink, CN=vpn.hostname.tld" --flag serverAuth --flag ikeIntermediate --outform pem >certs/vpncert.pem

Still on the server, create client secrets (certificate and private key). This step has to be repeated for each client that will connect to the VPN.

# Create a 2048 bit client private key
ipsec pki --gen --type rsa --size 2048 --outform pem >private/ifemto_XXXXXX.pem
chmod 600 private/ifemto_XXXXXX.pem
 
# Create a 2 year client certificate
ipsec pki --pub --in private/ifemto_XXXXXX.pem --type rsa \
    | ipsec pki --issue --lifetime 730 --cacert cacerts/rootca.pem --cakey private/rootca.pem --dn "C=FR, O=Kerlink, CN=klk-wifc-XXXXXX" --outform pem > certs/ifemto_XXXXXX.pem

It is advised to have a PKCS#12 file containing the server certificate, the CA certificate, and the server private key. This will be referenced in the pkcs12 <file> directive of the server configuration file.

The Wirnet™ gateway uses the secrets in a PKCS#12 encoded file. Use the following command to generate a .p12 file from the generated certificates/keys:

# openssl pkcs12 -export -inkey private/ifemto_XXXXXX.pem -in certs/ifemto_XXXXXX.crt -name "ifemto 0x2eXXXXXX" -certfile certs/ca.crt -caname "Kerlink root CA" -out ifemto_XXXXXX.p12

Enter Export Password:
Verifying - Enter Export Password:

The password will have to be entered in the client configuration file (client-openvpn.conf) using the askpass directive.

OpenSSL or EasyRSA can be used to create the PKI and generate the OpenVPN keys and certificates.
Note that it is more convenient and simplier to use EasyRSA then OpenSSL.

OpenSSL is already included in your Ubuntu distribution. You can check the version used by issuing the command:

# openssl version

Openvpn must be installed:

# sudo apt install openvpn 

Choose a directory (/root/ca) to store all keys and certificates.

# mkdir /root/ca
# cd /root/ca
# mkdir certs crl newcerts private
# chmod 700 private
# touch index.txt
# echo 1000 > serial

You must create a configuration file for OpenSSL:

vi /root/ca/openssl.cnf

[ ca ]
# `man ca`
default_ca = CA_default
 
[ CA_default ]
# Directory and file locations.
dir               = /root/ca
certs             = $dir/certs
crl_dir           = $dir/crl
new_certs_dir     = $dir/newcerts
database          = $dir/index.txt
serial            = $dir/serial
RANDFILE          = $dir/private/.rand
 
# The root key and root certificate.
private_key       = $dir/private/ca.key
certificate       = $dir/certs/ca.crt
 
# For certificate revocation lists.
crlnumber         = $dir/crlnumber
crl               = $dir/crl/ca.crl.pem
crl_extensions    = crl_ext
default_crl_days  = 30
 
# SHA-1 is deprecated, so use SHA-2 instead.
default_md        = sha256
 
name_opt          = ca_default
cert_opt          = ca_default
default_days      = 375
preserve          = no
policy            = policy_strict
 
[ policy_strict ]
# The root CA should only sign intermediate certificates that match.
# See the POLICY FORMAT section of `man ca`.
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional
 
[ policy_loose ]
# Allow the intermediate CA to sign a more diverse range of certificates.
# See the POLICY FORMAT section of the `ca` man page.
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional
 
[ req ]
# Options for the `req` tool (`man req`).
default_bits        = 2048
distinguished_name  = req_distinguished_name
string_mask         = utf8only
 
# SHA-1 is deprecated, so use SHA-2 instead.
default_md          = sha256
 
# Extension to add when the -x509 option is used.
x509_extensions     = v3_ca
 
[ req_distinguished_name ]
# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
countryName                     = Country Name (2 letter code)
stateOrProvinceName             = State or Province Name
localityName                    = Locality Name (eg, city)
0.organizationName              = Organization Name (eg, company)
organizationalUnitName          = Organizational Unit Name (eg, section)
commonName                      = Common Name (eg: your user, host, or server name)
emailAddress                    = Email Address
 
# Optionally, specify some defaults.
countryName_default             = FR
stateOrProvinceName_default     = Bretagne
localityName_default            = Thorigne-Fouillard
0.organizationName_default      = Kerlink
organizationalUnitName_default  = DSC
emailAddress_default            = tda@kerlink.fr
 
[ v3_ca ]
# Extensions for a typical CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
 
[ v3_intermediate_ca ]
# Extensions for a typical intermediate CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
 
[ usr_cert ]
# Extensions for client certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = client, email
nsComment = "OpenSSL Generated Client Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection
 
[ server_cert ]
# Extensions for server certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[ crl_ext ]
# Extension for CRLs (`man x509v3_config`).
authorityKeyIdentifier=keyid:always
[ ocsp ]
# Extension for OCSP signing certificates (`man ocsp`).
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, OCSPSigning

# cd /root/ca
# openssl genrsa -aes256 -out private/ca.key 4096

Enter pass phrase for ca.key: secretpassword
Verifying - Enter pass phrase for ca.key: secretpassword
 
# chmod 400 private/ca.key

# cd /root/ca
# openssl req -config openssl.cnf -key private/ca.key -new -x509 -days 7300 -sha256 -extensions v3_ca -out certs/ca.crt

Enter pass phrase for ca.key: secretpassword
You are about to be asked to enter information that will be incorporated
into your certificate request.
-----
Country Name (2 letter code) [XX]:FR
State or Province Name []: Bretagne
Locality Name []: Thorigne-Fouillard
Organization Name []: Kerlink
Organizational Unit Name []: DSC
Common Name []: Kerlink CA
Email Address []: tda@kerlink.fr
 
# chmod 444 certs/ca.crt

# openssl x509 -noout -text -in certs/ca.crt
# openssl verify -CAfile certs/ca.crt certs/ca.crt

# cd /root/ca/private
# openssl genrsa -aes256 -out server.key 2048
# chmod 400 server.key

# cd /root/ca/csr
# openssl req -config ../openssl.cnf -key ../private/server.key -new -sha256 -out server.csr

Enter pass phrase for server.key: secretpassword
You are about to be asked to enter information that will be incorporated
into your certificate request.
-----
Country Name (2 letter code) [XX]:FR
State or Province Name []:Bretagne
Locality Name []:Thorigne-Fouillard
Organization Name []:Kerlink
Organizational Unit Name []:DSC
Common Name []:server
Email Address []:tda@kerlink.fr

# cd /root/ca/certs
# openssl ca -config ../openssl.cnf -extensions server_cert -days 375 -notext -md sha256 -in server.csr -out server.crt
# chmod 444 server.crt

# cd /root/CA/certs/
# openssl verify -CAfile ca.crt server.crt

# cd /root/ca/private
# openssl genrsa -aes256 -out client.key 2048
# chmod 400 client.key

# cd /root/ca/cert
# openssl req -config ../openssl.cnf -key ../private/client.key -new -sha256 -out client.csr

Enter pass phrase for client.key: secretpassword
You are about to be asked to enter information that will be incorporated
into your certificate request.
-----
Country Name (2 letter code) [XX]:FR
State or Province Name []:Bretagne
Locality Name []:Thorigne-Fouillard
Organization Name []:Kerlink
Organizational Unit Name []:DSC
Common Name []:client
Email Address []:tda@kerlink.fr

# cd /root/ca/certs
# openssl ca -config ../openssl.cnf \
      -extensions usr_cert -days 375 -notext -md sha256 \
      -in client.csr \
      -out client.crt
# chmod 444 client.crt

# cd /root/ca/certs/
# openssl verify -CAfile ca.crt client.crt

# cd /root/ca
# openssl dhparam -out dh2048.pem 2048

# sudo apt install openvpn easy-rsa

# cp -a /usr/share/easy-rsa /root/easy-rsa

# mv vars.example vars

Edit the file and modify the following parameters :

# Choices are:
#   cn_only  - use just a CN value
#   org      - use the "traditional" Country/Province/City/Org/OU/email/CN format
 
set_var EASYRSA_DN      "org"
 
# Organizational fields (used with 'org' mode and ignored in 'cn_only' mode.)
# These are the default values for fields which will be placed in the
# certificate.  Don't leave any of these fields blank, although interactively
# you may omit any specific field by typing the "." symbol (not valid for
# email.)
 
set_var EASYRSA_REQ_COUNTRY     "FR"
set_var EASYRSA_REQ_PROVINCE    "Bretagne"
set_var EASYRSA_REQ_CITY        "Thorigne-Fouillard"
set_var EASYRSA_REQ_ORG         "Kerlink"
set_var EASYRSA_REQ_EMAIL       "tda@kerlink.fr"
set_var EASYSA_REQ_OU           "DSC"

# ./easyrsa init-pki

# ./easyrsa build-ca

Generating a 2048 bit RSA private key
.............................+++
................+++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [FR]:
State or Province Name (full name) [Bretagne]:
Locality Name (eg, city) [Thorigne-Fouillard]:
Organization Name (eg, company) [kerlink]:
Organizational Unit Name (eg, section) [DSC]: 
Common Name (eg, your name or your server's hostname) []: CA
Name []: Kerlink CA
Email Address [tda@kerlink.fr]:

Use default values and just define the CN and name.

# ./easyrsa gen-req server nopass

Generating a 2048 bit RSA private key
.........+++
............................................+++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [FR]:
State or Province Name (full name) [Bretagne]:
Locality Name (eg, city) [Thorigne-Fouillard]:
Organization Name (eg, company) [kerlink]:
Organizational Unit Name (eg, section) [DSC]:
Common Name (eg, your name or your server's hostname) []:server
Name []: server
Email Address [tda@kerlink.fr]:
 
Keypair and certificate request completed. Your files are:
req: /root/easy-rsa/pki/reqs/server.req
key: /root/easy-rsa/pki/private/server.key

# ./easyrsa sign-req server server

The option build-client-full <client name> nopass generates a client certificate and key.

# ./easyrsa build-client-full client1 nopass

# ./easyrsa gen-dh

It is advised to have a PKCS#12 file containing the public certificate, the CA certificate, and the private key.
This will be referenced in the pkcs12 <file> directive in the server and client's configuration file.

The Wirnet™ gateway uses the secrets in a PKCS#12 encoded file. Use the following command to generate a .p12 file from the generated certificates/keys:

For the server:

# openssl pkcs12 -export -inkey private/server.key -in certs/server.crt  -certfile certs/ca.crt -out server.p12

Enter Export Password:
Verifying - Enter Export Password:

The password will have to be entered in the server configuration file (server-openvpn.conf) using the askpass directive.

For the client:

# openssl pkcs12 -export -inkey private/client1.key -in certs/client1.crt -certfile certs/ca.crt -out client1.p12

Enter Export Password:
Verifying - Enter Export Password:

The password will have to be entered in the client configuration file (client-openvpn.conf) using the askpass directive.

Note: if certificates have been generated by easyRSA, please replace the directory certs/ by issued/.

https://jamielinux.com/docs/openssl-certificate-authority/introduction.html explains how to create a PKI with OpenSSL.
EasyRSA EasyRSA GITHub.
https://openvpn.net/community-resources/setting-up-your-own-certificate-authority-ca/ explains how to use EasyRSA to create a PKI (applicable to Ubuntu 14.04).
https://www.digitalocean.com/community/tutorials/how-to-set-up-and-configure-an-openvpn-server-on-ubuntu-20-04-fr explains how to use EasyRSA to create a PKI (applicable to Ubuntu 20.04)(french).
https://wiki.gentoo.org/wiki/Create_a_Public_Key_Infrastructure_Using_the_easy-rsa_Scripts explains how to create a PKI using Easy-RSA (applicable to Ubuntu 20.04)(english).
https://stackoverflow.com/questions/21141215/creating-a-p12-file explains how to create a PKCS#12 (P12) archive.