Overview of Setup Steps

1. Create a VPN server, if you don't already have one. Most VPN servers that support X.509 certificate authentication will work with Smallstep.

2. Configure a DNS server name for your VPN server.

3. Configure the VPN server to use a server TLS certificate. You can use a public Web PKI certificate, eg. from Let's Encrypt, or you can use a Smallstep Workoad certificate.

4. Gather the following configuration information from your VPN server:

   • Server name and IP address
   • Remote ID. This may be the same as the server name.
   • Root Certificate. By default, most VPN clients will not trust any server certificate, even if it comes from the Web PKI and would be trusted by a web browser. Smallstep will need the Root Certificate for your VPN server, which it will pass along to clients for the purpose of creating a trusted connection.

5. In Smallstep, under Mobile Devices, create a Device Collection.

6. Create a VPN Account in the Device Collection, using your VPN's Server Name (or IP address), Remote ID, and Root Certifcate (if it's a non-Smallstep server ceritificate, choose "Upload external root").

7. Once you've saved the Account, download the Root Certificate (in PEM format) from the VPN Account page. This is your Account CA. Your devices will be issued VPN account certificates from your Account CA.

8. Finally, configure your VPN server to authenticate clients using the Account CA certificate you just downloaded from Smallstep.

What about the Accounts Intermediate CA?

Vendor-specific guides

• strongSwan
• F5 BIG IP VPN
• Azure Virtual Network Gateway
• Juniper SSL-VPN
• Cisco Meraki AnyConnect

Juniper SSL-VPN

Cisco Meraki AnyConnect

• Server docs at meraki.net
• Client docs at meraki.net