The best way to generate "tls-crypt" key (ta.key or OpenVPN.key, etc.) for OpenVPN via EJBCA

[sharbich]

Hello everyone,
how do I create a key for “tls-crypt” encryption using EJBCA for OpenVPN? In addition to authenticating, the defined static key is also used to encrypt all packets of the control channel. This provides additional security and improves privacy.
Greetings from Stefan Harbich

[primetomas]

Is this a specific certificate? Do you have a link to the certificate specification?

[sharbich]

tls-auth
The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS. It can protect against:

• DoS attacks or port flooding on the OpenVPN UDP port.
• Port scanning to determine which server UDP ports are in a listening state.
• Buffer overflow vulnerabilities in the SSL/TLS implementation.
• SSL/TLS handshake initiations from unauthorized machines (while such handshakes would ultimately fail to authenticate, tls-auth can cut them off at a much earlier point).

Using tls-auth requires that you generate a shared-secret key that is used in addition to the standard RSA certificate/key:

openvpn --genkey --secret ta.key

[primetomas]

This doesn't sounds like it has anything todo with PKI. I.e. there is no certificate involved here but a static key generated by the command you refer to. Generating this static shared secret (symmetric) key is nothing that EJBCA can, or should, do.

[sharbich]

Does that mean EJBCA can't create static keys?

[primetomas]

"static keys" is kind of a generic word. EJBCA is a PKI, not a symmetric key management system, if that is what you are asking about.
For your specific question if you can use EJBCA instead of "openvpn --genkey --secret ta.key" the answer is no.
PKI is about asymmetric keys, these can of course be "static" as well, but it's not what OpenVPN is referring to above, that is a shared symmetric key, configured specifically in the OpenVPN end-points, not using any certiifcates or PKI for.