You have questions, we have answers.

Introduction

TLS VPN is not a VPN. TLS VPN helps you secure your VPNs, your local websites and your emails. We give everyone access to high-standard security, from individuals to large organizations, because security is crucial for everyone.

TLS is a cryptographic algorithm. Using well-known cryptographic solutions, it secures exchanges over the internet, so no one can decrypt or alter the data exchanged between two or more parties. This security is a must-have today.

TLS is the predecessor of SSL and protects websites, VPNs and even emails over the internet. Nowadays, all communications over the Internet should be encrypted to ensure integrity, security and authentication. TLS VPN provides certificates, which are documents used by applications to validate TLS and therefore provide security.

All public files are available here.

We offer three types of certificates:
  • VPN certificates: certificates for VPN clients and for access to websites.
  • Email certificates: certificates for email signing and email protection.
  • Server certificates: certificates to ensure HTTPS and security on local websites. We do not provide certificates for public-facing websites.

  1. Creation
    Certificates can be created on this website and using API.
  2. Life
    Certificates are subject to regular checks. They can be revoked if there is an issue during their lifetime.
  3. Renew
    Certificates can be renewed as long as necessary. Renewal also rotates the keys and therefore improves security.
Certificate creation

You can create a certificate using these steps:
  1. Log in or sign up.
  2. Go to « Create certificates » and upload your CSR or fill in the required information.
  3. Click on create and wait for the files. You can download the certificate and the CSR at any time during the certificate's lifetime in the list section.

A CSR is a file containing all the information needed to create a certificate for you, including a signature made with your private key. This way, we can sign the certificate and know you hold the private key, without needing to have it. We then sign the certificate with our private keys, and everyone can check it using our public key. Using a CSR is the most secure option: your private key is never transmitted, and we do not need it anyway.
Using a CSR to create a certificate is recommended and the most secure. Our dashboard shows the commands to create one if you click on « Create it for me ».
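As an added example, not the dashboard's own « Create it for me » commands, the script below generates a private key and a CSR locally and then runs the checks a CA applies to a received CSR: verifying the CSR's self-signature (proof of possession of the private key) and reading the Organization from its subject. It assumes the openssl CLI is installed, and uses "SSL VPN" as the organization name because that is the value the tls-verify script later on this page checks; set ORG to your own.

```shell
#!/bin/sh
# Added example (not the dashboard's own commands): create a key and CSR
# locally, then run the checks a CA applies to a received CSR.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
ORG="SSL VPN"   # organization name; must match what tls-verify checks on the server

# Generate a P-256 private key and a CSR signed with it. Only the .csr file
# is ever sent to the CA; the .key file stays on this host.
make_csr() {
    name="$1"
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
        -out "$WORKDIR/$name.key" 2>/dev/null
    openssl req -new -key "$WORKDIR/$name.key" -subj "/O=$ORG/CN=$name" \
        -out "$WORKDIR/$name.csr" 2>/dev/null
    printf '%s\n' "$WORKDIR/$name.csr"
}

# CA-side check 1: the CSR's signature must verify under the public key it
# carries, which proves the requester holds the matching private key.
verify_csr() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# CA-side check 2: read the Organization from the CSR subject. After issuance
# OpenVPN exposes this same value to tls-verify as X509_0_O.
csr_org() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null \
        | sed -n 's/.*[=,]O=\([^,]*\).*/\1/p'
}

# Client-side check: the public key inside the CSR must be the one derived
# from the key file, otherwise the issued certificate will be unusable.
pubkey_match() {
    key_fp=$(openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
    csr_fp=$(openssl req -in "$2" -noout -pubkey 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256)
    [ -n "$key_fp" ] && [ "$key_fp" = "$csr_fp" ]
}
```

Source the file, then call `make_csr alice` and pass the returned path to `verify_csr`, `csr_org` and `pubkey_match` to see each check in turn.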

We don't have your private key and have no way to recover it. If you cannot find your private key, we suggest you create another certificate with another private key. There is no need to revoke the previous one as long as the private key was not compromised.

You need to revoke the certificate as soon as possible by connecting to the dashboard and clicking on the bin for the corresponding certificate. We will then mark the certificate as revoked so that it can no longer be used.
It is quite difficult to prevent the use of a certificate once it has been delivered. You should therefore take proper measures to avoid such leaks.
Certificate renewal

Our certificates have a lifetime of 1 day minimum up to 365 days (1 year). A short-term certificate is more secure but harder to maintain, while a long-term certificate is more user-friendly but a little more risky (higher risk of key compromise). We recommend 180 days. You can choose the expiry you want, to match your needs. All certificates can be renewed if needed (you can disable the option in your dashboard).

You can use our Python script available in the dashboard to renew your certificate (unless renewal is disabled in the dashboard). You can execute it automatically or manually. It needs the private key and the certificate to perform the renewal. You can therefore give this script to end users.
Configuration

To use your certificate in your Nginx/Apache web server, use the following configuration:
  • Apache

    SSLEngine on
    # generated 2023-01-11, Mozilla Guideline v5.6, Apache 2.4.41, OpenSSL 1.1.1k, intermediate configuration
    # https://ssl-config.mozilla.org/#server=apache&version=2.4.41&config=intermediate&openssl=1.1.1k&guideline=5.6
    # this configuration requires mod_ssl, mod_socache_shmcb, mod_rewrite, and mod_headers
    SSLCertificateFile /path/to/signed_cert_and_intermediate_certs_and_dhparams
    SSLCertificateKeyFile /path/to/private_key
    Protocols h2 http/1.1
    Header always set Strict-Transport-Security 'max-age=63072000'
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    SSLHonorCipherOrder off
    SSLSessionTickets off
    SSLUseStapling On
    SSLStaplingCache 'shmcb:logs/ssl_stapling(32768)'
  • Nginx

    server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        ssl_certificate /path/to/signed_cert_plus_intermediates;
        ssl_certificate_key /path/to/private_key;
        ssl_session_timeout 1d;
        ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
        ssl_session_tickets off;
        # curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
        ssl_dhparam /path/to/dhparam;
        # intermediate configuration
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
        ssl_prefer_server_ciphers off;
        # HSTS (ngx_http_headers_module is required) (63072000 seconds)
        add_header Strict-Transport-Security 'max-age=63072000' always;
        # OCSP stapling
        ssl_stapling on;
        ssl_stapling_verify on;
        # verify chain of trust of OCSP response using Root CA and Intermediate certs
        ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
        # replace with the IP address of your resolver
        resolver 8.8.8.8;
    }
You can use the Mozilla SSL Configuration Generator (https://ssl-config.mozilla.org/) to obtain configuration files for other servers.

Server certificate

    # The full certificate chain
    ca fullchain.crt
    # Your certificate
    cert cert-server.pem
    # Execute a script (see below)
    tls-verify /etc/openvpn/script.sh

Script.sh

    #!/bin/bash
    # tls-verify script: OpenVPN runs it once per certificate in the peer's chain,
    # with the depth in $1 (0 = the peer's own certificate) and the subject in $2.
    # Only the leaf certificate is checked against OCSP here; the chain itself is
    # already verified by OpenVPN against the "ca" file.
    if [[ $1 -ne 0 ]]; then
        exit 0
    fi

    # Reject certificates issued to any other organization.
    # Change it to the name of your organization!
    if [[ $X509_0_O != "SSL VPN" ]]; then
        exit 1
    fi

    issuer="issuer.crt"   # Intermediate certificate
    CA="ca.cert"          # Root certificate
    serial=$tls_serial_0  # Serial number of the peer certificate, set by OpenVPN
    #cert=$($peer_cert)
    url="http://vpntls.eu/ocsp"

    if [[ -z $serial ]]; then
        exit 1
    fi

    # Ask the OCSP responder for the revocation status of this serial number.
    status=$(openssl ocsp -issuer "$issuer" \
        -url "$url" \
        -no_nonce \
        -CAfile "$CA" \
        -serial "$serial" 2>&1)
    if [ $? -eq 0 ]; then
        # check if ocsp didn't report any errors
        if echo "$status" | grep -Eq "(error|fail)"; then
            exit 1
        fi
        # check that the reported status of certificate is ok
        if echo "$status" | grep -Eq "^$serial: good"; then
            # check if signature on the OCSP response verified correctly
            if echo "$status" | grep -Eq "^Response verify OK"; then
                exit 0
            fi
        fi
    fi

    # Anything else (revoked, unknown, responder unreachable, bad response
    # signature) denies the connection.
    exit 1