Create a Public Key Infrastructure Using the easy-rsa Scripts


The first step to set up an OpenVPN server is to create a PKI (Public Key Infrastructure) from scratch. It consists of

 * A public master Certificate Authority (CA) certificate and a private key
 * A separate public certificate and private key pair (hereafter referred to as a certificate) for each server and each client.

We can use the easy-rsa scripts to do this. Install them by running

Creating certificates
To keep each PKI separate, copy the scripts to a different directory each time you create one.

Change into that directory

To ensure consistent values when generating the PKI, set the defaults used by the PKI generating scripts. Edit /root/easy-rsa/vars and at a minimum set the following parameters (do not leave any of them blank). Change the KEY_SIZE parameter to 2048 so that SSL/TLS uses 2048-bit RSA keys for authentication.
 * EASYRSA_DN "org"
 * EASYRSA_REQ_COUNTRY
 * EASYRSA_REQ_PROVINCE
 * EASYRSA_REQ_CITY
 * EASYRSA_REQ_ORG
 * EASYRSA_REQ_EMAIL

Delete any previously created certificates.

The build-ca script generates the Certificate Authority (CA) certificate.

The gen-req script generates a server certificate request and key. Make sure that the server name (the Common Name entered when running the script) is unique. The nopass option means no passphrase needs to be entered.

The sign-req option signs the request, producing the .crt certificate file needed by the server.

The gen-dh option generates the Diffie-Hellman parameters .pem file needed by the server.

The build-client-full script generates a client certificate and key. Make sure that the client name (the Common Name entered when running the script) is unique. The nopass option means no passphrase needs to be entered.

Generate a secret Hash-based Message Authentication Code (HMAC) by running
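The whole procedure above, from filling in vars through generating the HMAC key, as an added shell example that is not part of the original page or of easy-rsa itself. It assumes the easy-rsa 3 layout (an `easyrsa` script and a `vars` file in the same directory, with `EASYRSA_KEY_SIZE` as the v3 name of the KEY_SIZE parameter mentioned above), that `easyrsa` accepts `--batch` to suppress prompts, and that `openvpn` is on PATH; every country, organisation, server and client value is a constructed placeholder to replace with your own. The `check_easyrsa_vars` function enforces the "do not leave any of these parameters blank" rule before any key material is created.

```shell
#!/bin/sh
# Added example, not from the original page: drives the easy-rsa 3 workflow
# described above. Assumes ./easyrsa and ./vars live in the PKI directory,
# that easyrsa accepts --batch, and that openvpn is installed.
set -eu

# Write a vars file containing the parameters the page requires.
# All values are constructed placeholders; replace them before use.
write_easyrsa_vars() {
    dir=$1
    cat >"$dir/vars" <<'EOF'
set_var EASYRSA_DN           "org"
set_var EASYRSA_KEY_SIZE     2048
set_var EASYRSA_REQ_COUNTRY  "XX"
set_var EASYRSA_REQ_PROVINCE "Example Province"
set_var EASYRSA_REQ_CITY     "Example City"
set_var EASYRSA_REQ_ORG      "Example Org"
set_var EASYRSA_REQ_EMAIL    "admin@example.invalid"
EOF
}

# Print the name of every required parameter that is missing or blank in a
# vars file. Returns 0 when all are set to a non-empty value, 1 otherwise.
check_easyrsa_vars() {
    file=$1
    missing=0
    for name in EASYRSA_DN EASYRSA_REQ_COUNTRY EASYRSA_REQ_PROVINCE \
                EASYRSA_REQ_CITY EASYRSA_REQ_ORG EASYRSA_REQ_EMAIL; do
        # Take whatever follows "set_var NAME", then drop quotes and whitespace.
        value=$(sed -n "s/^[[:space:]]*set_var[[:space:]]\{1,\}$name[[:space:]]*//p" "$file" \
                | tr -d '"' | tr -d '[:space:]')
        if [ -z "$value" ]; then
            echo "$name"
            missing=1
        fi
    done
    return $missing
}

# Run the page's steps in order inside the PKI directory. Server and client
# names default to constructed placeholders.
build_pki() {
    dir=$1
    server=${2:-server}
    client=${3:-client1}
    check_easyrsa_vars "$dir/vars" || { echo "vars has blank parameters" >&2; return 1; }
    (
        cd "$dir"
        ./easyrsa --batch init-pki                        # delete previously created certificates
        ./easyrsa --batch build-ca nopass                 # CA certificate and key
        ./easyrsa --batch gen-req "$server" nopass        # server request and key, no passphrase
        ./easyrsa --batch sign-req server "$server"       # signed cert -> pki/issued/$server.crt
        ./easyrsa gen-dh                                  # Diffie-Hellman parameters -> pki/dh.pem
        ./easyrsa --batch build-client-full "$client" nopass   # client certificate and key
        # Secret HMAC key for tls-auth (OpenVPN 2.5+ also accepts "--genkey secret").
        openvpn --genkey --secret pki/ta.key
    )
}
```

Typical use is `write_easyrsa_vars /root/easy-rsa`, editing the placeholders, then `build_pki /root/easy-rsa myserver myclient`; `build_pki` refuses to run while any required parameter is still blank, so a half-edited vars file cannot silently produce certificates with empty subject fields.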

And now you can go on to set up the server configuration.