OpenVPN and SecureW2 Partner for Stronger, Simpler PKI


OpenVPN is excited to announce a new seamless integration with SecureW2, the adaptive passwordless platform that bolsters Zero Trust by continuously enforcing trust.

This partnership aims to provide our customers with a robust, scalable, and easy-to-manage Public Key Infrastructure (PKI) solution for VPN. By integrating SecureW2’s proven passwordless platform with Access Server, our customers will unlock enterprise-grade, certificate-based authentication for their organization with minimal friction. And for those already using SecureW2, this makes it painless to integrate a proven zero-trust VPN software solution into their network security.

 




 

Why This Matters

By default, Access Server manages certificates internally. When configured for external PKI usage, Access Server doesn't manage client certificates directly; instead, the customer's third-party PKI software generates and distributes client certificate/key pairs to client machines and a server certificate/key pair to the OpenVPN server.

In other words, with SecureW2 integration, customers can leverage an external PKI endpoint, offloading certificate generation, distribution, and lifecycle management to SecureW2’s powerful platform.

This shift yields several key benefits:

  • Scalable, Automated Certificate Management
    Instead of manually managing certs in small numbers, you get a fully managed PKI that automates issuance, revocation, renewal, and distribution by integrating closely with your identity & device management platforms.
  • Better Security Posture
    PKI-based authentication eliminates repeated reliance on passwords, reducing attack surface from stolen or reused credentials.
  • Enhanced Zero Trust & Compliance Posture
    With SecureW2’s Dynamic PKI, trust is not static: certificates are backed by real-time signals (device posture, identity, risk context). If a device becomes non-compliant or is flagged by endpoint security tools (e.g. EDR), SecureW2 can revoke/suspend your certificates based on customized policies.
  • Separation of Concerns
    OpenVPN focuses on secure tunneling; SecureW2 handles certificate and identity management.


Take a Look Under the Hood: What the Integration Looks Like

Thanks to SecureW2, setting up external PKI for Access Server becomes a systematic, reliable process. At a high level, the workflow is:

  1. Modify as.conf to set Access Server in external PKI mode.
  2. Create the server and intermediate using SecureW2.
  3. Create certificate templates for the server and clients via SecureW2.
  4. Generate the server certificate and key via SecureW2.
  5. Generate the client certificate and key via SecureW2.
  6. Create the TLS_auth key.
  7. Generate Diffie-Hellman parameters.
  8. Import the necessary certificate and key files to Access Server.
  9. Provide certificate/key pairs in a P12/PFX file to the VPN client.
  10. Generate and download a server-locked profile for the client.

To read more detailed instructions, visit our SecureW2 tutorial page. You can also visit the integration page on the SecureW2 side.
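Before step 8, it is worth confirming that each certificate chains to the issuing CA for the right purpose and that each private key belongs to its certificate. The script below is an added example, not taken from the OpenVPN or SecureW2 tutorials; it assumes the openssl CLI is available, and a single throwaway CA with constructed file names stands in for the real root/intermediate chain.

```shell
#!/usr/bin/env bash
# Added example: pre-import checks for externally issued cert/key pairs.
# The throwaway CA, file names and subjects are constructed for the demo.

# check_pair CA CERT KEY PURPOSE   (PURPOSE: sslserver or sslclient)
# Returns 0 only if CERT chains to CA for PURPOSE and KEY belongs to CERT.
check_pair() {
  local ca=$1 cert=$2 key=$3 purpose=$4 cert_pub key_pub
  openssl verify -purpose "$purpose" -CAfile "$ca" "$cert" >/dev/null 2>&1 || return 1
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
  [ "$cert_pub" = "$key_pub" ]
}

# issue NAME EXTENSION [SIGNER]: write NAME.key and NAME.pem into $WORK.
# Without SIGNER the certificate is self-signed (the constructed test CA).
issue() {
  local name=$1 ext=$2 signer=${3:-}
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null || return 1
  printf '%s\n' "$ext" > "$WORK/$name.ext"
  if [ -n "$signer" ]; then
    openssl x509 -req -in "$WORK/$name.csr" -days 2 -extfile "$WORK/$name.ext" \
      -CA "$WORK/$signer.pem" -CAkey "$WORK/$signer.key" -CAcreateserial \
      -out "$WORK/$name.pem" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$name.csr" -days 2 -extfile "$WORK/$name.ext" \
      -signkey "$WORK/$name.key" -out "$WORK/$name.pem" 2>/dev/null
  fi
}

WORK=$(mktemp -d)   # scratch directory holding only constructed material
issue ca 'basicConstraints=critical,CA:TRUE' &&
  issue server 'extendedKeyUsage=serverAuth' ca &&
  issue client 'extendedKeyUsage=clientAuth' ca

check_pair "$WORK/ca.pem" "$WORK/server.pem" "$WORK/server.key" sslserver \
  && echo "server pair: chain, purpose and key match"
check_pair "$WORK/ca.pem" "$WORK/client.pem" "$WORK/client.key" sslclient \
  && echo "client pair: chain, purpose and key match"
# A client certificate presented in the server role must be refused.
check_pair "$WORK/ca.pem" "$WORK/client.pem" "$WORK/client.key" sslserver \
  || echo "client certificate rejected for server use"
```

With a real root and intermediate, pass the concatenated chain as the CA file; the same function then checks the pairs exported from the PKI before they are imported or bundled into the P12/PFX.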

What This Means for Customers

  • Simplified Deployment & Management
    Organizations, especially large enterprises, no longer need to manually track certificate issuance or manage certificate databases. SecureW2 handles it all.
  • Improved Security and Compliance
    With certificate-based authentication, each user or device gets a unique, non-exportable digital identity. This strongly reduces risk from credential theft or phishing, preventing untrusted devices from accessing systems. SecureW2’s managed PKI and Cloud RADIUS further strengthen network security.
  • Flexibility & Scalability
    As your organization grows, SecureW2 scales with you — issue thousands of certificates, revoke them, re-enroll, and manage templates with ease.
  • Better Experience for End Users
    Clients (mobile, desktop, servers) simply import their certificate and profile once. After that, connecting to the VPN can be seamless and automatic (especially with auto-login profiles), improving usability and reducing friction.
  • Separation of Duties for Admins
    Network admins configuring the VPN can focus on routing, access control, and policies — while SecureW2 takes care of PKI. This separation reduces complexity and potential for misconfiguration.

What to Expect Next

For current OpenVPN Access Server customers: you can begin planning a migration to external PKI mode using SecureW2, especially if your environment demands strong security, scalable certificate management, or centralized identity control.

For organizations setting up Access Server now: this partnership means you now have a turnkey, enterprise-ready certificate-based authentication option, bringing best practices of security and identity management to your VPN from day one.

You can find the integration in the SecureW2 marketplace, or you can check out our full tutorial. We encourage you to try the integration and share your experience with our support team.

Explore how OpenVPN Access Server with SecureW2 Dynamic PKI enables certificate-based authentication that adapts to device posture, identity context, and policy, helping organizations modernize VPN access without adding operational complexity.


Not signed up yet for Access Server? Get started for free.
