Create a Public Key Infrastructure Using the easy-rsa Scripts

The first step to set up an OpenVPN server is to create a PKI (Public Key Infrastructure) from scratch. It consists of

 * A public master Certificate Authority (CA) certificate and a private key
 * A separate public certificate and private key pair (hereafter referred to as a certificate) for each server and each client.

We can use 'easy-rsa' scripts to do this. Install them by running

Creating certificates
To keep each PKI separate, copy the scripts to a different directory every time you create one.

Change directory:

To ensure consistent values when generating the PKI, set the default values used by the PKI generating scripts. Edit /root/easy-rsa-example/vars and, at a minimum, set the following parameters (do not leave any of them blank). Change the KEY_SIZE parameter to 2048 so that SSL/TLS uses 2048-bit RSA keys for authentication.
 * EASYRSA_DN "org"
 * EASYRSA_REQ_COUNTRY
 * EASYRSA_REQ_PROVINCE
 * EASYRSA_REQ_CITY
 * EASYRSA_REQ_ORG
 * EASYRSA_REQ_EMAIL
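As an added check (not part of this page or of easy-rsa itself), the following Python script parses an easy-rsa 3 style vars file and reports any of the parameters above that are missing or blank, an EASYRSA_DN other than "org", and a key size below 2048. The vars text is a constructed sample; accepting KEY_SIZE as a fallback name for EASYRSA_KEY_SIZE is an assumption.

```python
import re

# Parameters the page says must be set (and not left blank) before generating the PKI.
REQUIRED_PARAMS = ("EASYRSA_DN", "EASYRSA_REQ_COUNTRY", "EASYRSA_REQ_PROVINCE",
                   "EASYRSA_REQ_CITY", "EASYRSA_REQ_ORG", "EASYRSA_REQ_EMAIL")
MIN_KEY_SIZE = 2048

# An active easy-rsa 3 vars line looks like:  set_var EASYRSA_REQ_ORG "Example Org"
# Commented-out lines (#set_var ...) are documentation of defaults and are ignored.
SET_VAR_RE = re.compile(r'^\s*set_var\s+(\w+)\s+(?:"([^"]*)"|\'([^\']*)\'|(\S*))\s*$')


def parse_vars(text):
    """Return {name: value} for active set_var lines; a later line overrides an earlier one."""
    values = {}
    for line in text.splitlines():
        m = SET_VAR_RE.match(line)
        if m:
            # Exactly one of the three value groups matched; "" counts as an explicit blank.
            values[m.group(1)] = next(g for g in m.groups()[1:] if g is not None)
    return values


def check_vars(text):
    """Return a list of problems; an empty list means the file meets the page's minimum requirements."""
    values = parse_vars(text)
    problems = []
    for name in REQUIRED_PARAMS:
        if name not in values:
            problems.append(f"{name} is not set")
        elif values[name].strip() == "":
            problems.append(f"{name} is blank")
    if values.get("EASYRSA_DN", "org") != "org":
        problems.append('EASYRSA_DN should be "org" so the EASYRSA_REQ_* fields are used')
    # Assumption: accept the older name KEY_SIZE as a fallback for EASYRSA_KEY_SIZE.
    size = values.get("EASYRSA_KEY_SIZE", values.get("KEY_SIZE"))
    if size is None:
        problems.append(f"key size is not set (expected at least {MIN_KEY_SIZE})")
    elif not size.isdigit() or int(size) < MIN_KEY_SIZE:
        problems.append(f"key size {size!r} is below {MIN_KEY_SIZE}")
    return problems


# Constructed sample vars files: one acceptable, one with typical mistakes.
GOOD_VARS = """#set_var EASYRSA_REQ_COUNTRY "US"
set_var EASYRSA_DN "org"
set_var EASYRSA_REQ_COUNTRY "DE"
set_var EASYRSA_REQ_PROVINCE "Berlin"
set_var EASYRSA_REQ_CITY "Berlin"
set_var EASYRSA_REQ_ORG "Example VPN Org"
set_var EASYRSA_REQ_EMAIL "vpn-admin@example.invalid"
set_var EASYRSA_KEY_SIZE 2048
"""
BAD_VARS = GOOD_VARS.replace('set_var EASYRSA_REQ_CITY "Berlin"', 'set_var EASYRSA_REQ_CITY ""') \
                    .replace('set_var EASYRSA_REQ_EMAIL "vpn-admin@example.invalid"\n', "") \
                    .replace("EASYRSA_KEY_SIZE 2048", "EASYRSA_KEY_SIZE 1024")

if __name__ == "__main__":
    for label, text in (("good", GOOD_VARS), ("bad", BAD_VARS)):
        print(label, check_vars(text) or "OK")
```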

Delete any previously created certificates.

Create CA certificate
The option  generates the Certificate Authority (CA) certificate.

Generate Server Certificate Request and Key
The option  generates a server certificate request and key. Make sure that the server name (the Common Name entered when running the script) is unique. The nopass option means no password needs to be entered.

Sign Server Certificate Request
The option  signs the certificate .crt file needed by the server.

Generate Diffie-Hellman (DH) parameters
The option  generates the Diffie-Hellman parameters .pem file needed by the server.

Generate client certificate and key
The option  generates a client certificate and key. Make sure that the client name (the Common Name entered when running the script) is unique. The nopass option means no password needs to be entered.

Generate secret Hash-based Message Authentication Code (HMAC)
Generate a secret Hash-based Message Authentication Code (HMAC) key by running

Now you can go on to set up the server configuration.