Create a Public Key Infrastructure Using the easy-rsa Scripts

From Gentoo Wiki


The first step in setting up an OpenVPN server is to create a PKI (Public Key Infrastructure) from scratch. It consists of

  • A public master Certificate Authority (CA) certificate and a private key
  • A separate public certificate and private key pair (hereafter referred to as a certificate) for each server and each client.

The easy-rsa scripts can be used to do this. Install them by running

root #emerge --ask app-crypt/easy-rsa


Creating certificates

To keep each PKI separate, copy the scripts to a fresh directory every time a new PKI is created.

root #cp -a /usr/share/easy-rsa /root/easy-rsa-example

Change into the new directory and rename the example configuration file:

root #cd /root/easy-rsa-example
root #mv vars.example vars

To ensure that consistent values are used throughout the PKI, set defaults for the PKI-generating scripts. Edit /root/easy-rsa-example/vars and at a minimum set the

  • EASYRSA_DN "org"
  • EASYRSA_REQ_COUNTRY
  • EASYRSA_REQ_PROVINCE
  • EASYRSA_REQ_CITY
  • EASYRSA_REQ_ORG
  • EASYRSA_REQ_EMAIL

parameters (do not leave any of these parameters blank). Change the KEY_SIZE parameter to 2048 so that SSL/TLS uses 2048-bit RSA keys for authentication.

FILE /root/easy-rsa-example/vars
# Choices are:
#   cn_only  - use just a CN value
#   org      - use the "traditional" Country/Province/City/Org/OU/email/CN format

set_var EASYRSA_DN      "org"

# Organizational fields (used with 'org' mode and ignored in 'cn_only' mode.)
# These are the default values for fields which will be placed in the
# certificate.  Don't leave any of these fields blank, although interactively
# you may omit any specific field by typing the "." symbol (not valid for
# email.)

set_var EASYRSA_REQ_COUNTRY     "US"
set_var EASYRSA_REQ_PROVINCE    "CA"
set_var EASYRSA_REQ_CITY        "SanFrancisco"
set_var EASYRSA_REQ_ORG         "Fort-Funston"
set_var EASYRSA_REQ_EMAIL       "mail@host.domain"

Initialise the PKI directory, deleting any previously created certificates.

Warning
This will delete any previously generated certificates stored in /root/easy-rsa-example/pki, including the Certificate Authority (CA) certificate.
root #./easyrsa init-pki

The build-ca option generates the Certificate Authority (CA) certificate and its private key.

root #./easyrsa build-ca
Generating a 2048 bit RSA private key
.............................+++
................+++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [SanFrancisco]:
Organization Name (eg, company) [Fort-Funston]:
Organizational Unit Name (eg, section) [changeme]:
Common Name (eg, your name or your server's hostname) [changeme]:
Name [changeme]:
Email Address [mail@host.domain]:

The gen-req option (./easyrsa gen-req <server name> nopass) generates a server certificate request and private key. Make sure that the server name (the Common Name entered when running the script) is unique. The nopass option means the private key is created without a passphrase, so none has to be entered.

root #./easyrsa gen-req example nopass
Generating a 2048 bit RSA private key
.........+++
............................................+++
writing new private key to 'example.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [SanFrancisco]:
Organization Name (eg, company) [Fort-Funston]:
Organizational Unit Name (eg, section) [changeme]:
Common Name (eg, your name or your server's hostname) [example]:
Name [changeme]:
Email Address [mail@host.domain]:

Keypair and certificate request completed. Your files are:
req: /root/easy-rsa-example/pki/reqs/example.req
key: /root/easy-rsa-example/pki/private/example.key

The sign-req option (./easyrsa sign-req server <server name>) signs the request with the CA and produces the .crt certificate file needed by the server.

root #./easyrsa sign-req server example
Note: using Easy-RSA configuration from: ./vars

You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a server certificate for 3650 days:

subject=
    countryName               = US
    stateOrProvinceName       = CA
    localityName              = SanFrancisco
    organizationName          = Fort-Funston
    organizationalUnitName    = changeme
    commonName                = example
    emailAddress              = mail@host.domain

Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from /root/easy-rsa-example/openssl-1.0.cnf
Enter pass phrase for /root/easy-rsa-example/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :ASN.1 12:'CA'
localityName          :ASN.1 12:'SanFrancisco'
organizationName      :ASN.1 12:'Fort-Funston'
organizationalUnitName:ASN.1 12:'changeme'
commonName            :ASN.1 12:'example'
emailAddress          :IA5STRING:'mail@host.domain'
Certificate is to be certified until Feb  5 02:32:49 2027 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /root/easy-rsa-example/pki/issued/example.crt

The option gen-dh generates the Diffie-Hellman parameters .pem file needed by the server.

Note
It would be better to generate a new one for each server, but you can use the same one if you want to.
root #./easyrsa gen-dh
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
...........................+...........+......................
................+
...........
...........+.......................++*++*

The build-client-full option (./easyrsa build-client-full <client name> nopass) generates a client certificate and private key. Make sure that the client name (the Common Name entered when running the script) is unique. The nopass option means the private key is created without a passphrase, so none has to be entered.

Note
Do not enter a challenge password or company name when the script prompts you for one.
Important
Every time a new client key is needed, only this step has to be repeated.
root #./easyrsa build-client-full client1 nopass

Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
.................................................................+++
..+++
writing new private key to '/root/easy-rsa-example/pki/private/client1.key.GIukBzmSVv'
-----
Using configuration from /root/easy-rsa-example/openssl-1.0.cnf
Enter pass phrase for /root/easy-rsa-example/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'CA'
localityName          :PRINTABLE:'SanFrancisco'
organizationName      :PRINTABLE:'Fort-Funston'
organizationalUnitName:PRINTABLE:'changeme'
commonName            :PRINTABLE:'client1'
name                  :PRINTABLE:'changeme'
emailAddress          :IA5STRING:'mail@host.domain'
Certificate is to be certified until Jan 16 12:56:33 2027 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

Generate a secret Hash-based Message Authentication Code (HMAC) key by running

root #openvpn --genkey --secret /root/easy-rsa-example/pki/ta.key
Important
Keep the /root/easy-rsa-example folder: it is needed to issue further certificates later.

You can now go on to set up the server configuration.

Note
The build-server-full option (./easyrsa build-server-full <server name> nopass) generates a server certificate and key in one step (it does the same as gen-req followed by sign-req). Make sure that the server name (the Common Name entered when running the script) is unique. The nopass option means the private key is created without a passphrase, so none has to be entered. Its usage is the same as that of build-client-full.