The file ca.key can only be found in the encrypted archive for secrets. Certificates are created as below and the directory conf is stored in the encrypted archive for secrets: ./create_conf.sh Two docker-compose files are provided: one in host mode and one for regular docker network. References: https://stackoverflow.com/questions/17089889/openssl-x509v3-extended-key-usage https://forums.openvpn.net/viewtopic.php?t=7484 https://serverfault.com/questions/785108/why-does-openvpn-give-the-error-unsupported-certificate-purpose-for-an-interm https://security.stackexchange.com/questions/74345/provide-subjectaltname-to-openssl-directly-on-the-command-line https://github.com/openssl/openssl/issues/6481