Create a Public Key Infrastructure Using the easy-rsa Scripts
From Gentoo Wiki
The first step to setup a OpenVPN server is to create a PKI (Public Key Infrastructure) from scratch. It consists of
- A public master Certificate Authority (CA) certificate and a private key
- A separate public certificate and private key pair (hereafter referred to as a certificate) for each server and each client.
We can use 'easy-rsa' scripts to do this. Install them by running
root #emerge --ask app-crypt/easy-rsa Important
To create only a new client key, jump to this step.
To create only a new client key, jump to this step.
Creating certificates
To keep creating process separate, we should copy scripts to a different place every time to do their job.
root #cp -a /usr/share/easy-rsa /root/easy-rsa-examplechange directory:
root #cd /root/easy-rsa-exampleroot #mv vars.example varsTo ensure the consistent use of values when generating the PKI, set default values to be used by the PKI generating scripts. Edit /root/easy-rsa-example/vars and at a minimum set the
- EASYRSA_DN "org"
- EASYRSA_REQ_COUNTRY
- EASYRSA_REQ_PROVINCE
- EASYRSA_REQ_CITY
- EASYRSA_REQ_ORG
- EASYRSA_REQ_EMAIL
parameters (do not leave any of these parameters blank). Change the KEY_SIZE parameter to 2048 for the SSL/TLS to use 2048bit RSA keys for authentication.
FILE
/root/easy-rsa-example/vars# Choices are:
# cn_only - use just a CN value
# org - use the "traditional" Country/Province/City/Org/OU/email/CN format
set_var EASYRSA_DN "org"
# Organizational fields (used with 'org' mode and ignored in 'cn_only' mode.)
# These are the default values for fields which will be placed in the
# certificate. Don't leave any of these fields blank, although interactively
# you may omit any specific field by typing the "." symbol (not valid for
# email.)
set_var EASYRSA_REQ_COUNTRY "US"
set_var EASYRSA_REQ_PROVINCE "CA"
set_var EASYRSA_REQ_CITY "SanFrancisco"
set_var EASYRSA_REQ_ORG "Fort-Funston"
set_var EASYRSA_REQ_EMAIL "mail@host.domain"
Delete any previously created certificates.
Warning
This will delete any previously generated certificates stored in /root/easy-rsa-example/pki, including the Certificate Authority (CA) certificate.
This will delete any previously generated certificates stored in /root/easy-rsa-example/pki, including the Certificate Authority (CA) certificate.
root # ./easyrsa init-pkiCreate CA certificate
The option build-ca generates the Certificate Authority (CA) certificate.
root #./easyrsa build-caGenerating a 2048 bit RSA private key .............................+++ ................+++ writing new private key to 'ca.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [US]: State or Province Name (full name) [CA]: Locality Name (eg, city) [SanFrancisco]: Organization Name (eg, company) [Fort-Funston]: Organizational Unit Name (eg, section) [changeme]: Common Name (eg, your name or your server's hostname) [changeme]: Name [changeme]: Email Address [mail@host.domain]:
Generate Server Certificate Request and Key
The option gen-req <server name> nopass generates a server certificate request and key.
Make sure that the server name (Common Name when running the script) is unique.
Option nopass means no need to import password.
root #./easyrsa gen-req example nopassGenerating a 2048 bit RSA private key .........+++ ............................................+++ writing new private key to 'example.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [US]: State or Province Name (full name) [CA]: Locality Name (eg, city) [SanFrancisco]: Organization Name (eg, company) [Fort-Funston]: Organizational Unit Name (eg, section) [changeme]: Common Name (eg, your name or your server's hostname) [example]: Name [changeme]: Email Address [mail@host.domain]: Keypair and certificate request completed. Your files are: req: /root/easy-rsa-example/pki/reqs/example.req key: /root/easy-rsa-example/pki/private/example.key
Sign Server Certificate Request
The option sign-req server <server name> signs the certificate .crt file needed by the server.
root # ./easyrsa sign-req server exampleNote: using Easy-RSA configuration from: ./vars
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a server certificate for 3650 days:
subject=
countryName = US
stateOrProvinceName = CA
localityName = SanFrancisco
organizationName = Fort-Funston
organizationalUnitName = changeme
commonName = example
emailAddress = mail@host.domain
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes
Using configuration from /root/easy-rsa-example/openssl-1.0.cnf
Enter pass phrase for /root/easy-rsa-example/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'US'
stateOrProvinceName :ASN.1 12:'CA'
localityName :ASN.1 12:'SanFrancisco'
organizationName :ASN.1 12:'Fort-Funston'
organizationalUnitName:ASN.1 12:'changeme'
commonName :ASN.1 12:'example'
emailAddress :IA5STRING:'mail@host.domain'
Certificate is to be certified until Feb 5 02:32:49 2027 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /root/easy-rsa-example/pki/issued/example.crt
Generate Diffie-Hellman (DH) parameters
The option gen-dh generates the Diffie-Hellman parameters .pem file needed by the server.
Note
It would be better to generate a new one for each server, but you can use the same one if you want to.
It would be better to generate a new one for each server, but you can use the same one if you want to.
root # ./easyrsa gen-dhGenerating DH parameters, 2048 bit long safe prime, generator 2 This is going to take a long time ...........................+...........+...................... ................+ ........... ...........+.......................++*++*
Generate client certificate and key
The option build-client-full <client name> nopass generates a client certificate and key.
Make sure that the client name (Common Name when running the script) is unique. Option nopass means there is no need to input a password.
Note
Do not enter a challenge password or company name when the script prompts you for one.
Do not enter a challenge password or company name when the script prompts you for one.
Important
Every time you create a new client's key, you would only do this step!
Every time you create a new client's key, you would only do this step!
root #./easyrsa build-client-full client1 nopassNote: using Easy-RSA configuration from: ./vars Generating a 2048 bit RSA private key .................................................................+++ ..+++ writing new private key to '/root/easy-rsa-example/pki/private/client1.key.GIukBzmSVv' ----- Using configuration from /root/easy-rsa-example/openssl-1.0.cnf Enter pass phrase for /root/easy-rsa-example/pki/private/ca.key: Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows countryName :PRINTABLE:'US' stateOrProvinceName :PRINTABLE:'CA' localityName :PRINTABLE:'SanFrancisco' organizationName :PRINTABLE:'Fort-Funston' organizationalUnitName:PRINTABLE:'changeme' commonName :PRINTABLE:'client1' name :PRINTABLE:'changeme' emailAddress :IA5STRING:'mail@host.domain' Certificate is to be certified until Jan 16 12:56:33 2027 GMT (3650 days) Write out database with 1 new entries Data Base Updated
Generate secret Hash-based Message Authentication Code (HMAC)
Generate a secret Hash-based Message Authentication Code (HMAC) by running
root #openvpn --genkey secret /root/easy-rsa-example/pki/ta.key Important
You would like to keep the
You would like to keep the
/root/easy-rsa-example folder for further usage.And now, you can go back to setup the server configuration.
Note
The option build-server-full
The option build-server-full
# ./easyrsa build-server-full <server name> nopass generates a server certificate and key(do the same thing as genreq and sign-req). Make sure that the Server name (Common Name when running the script) is unique. Option nopass means no need to input password. The command usage just like build-client-full.