A certificate authority (CA) is who issues the digital certificates. We need this for installation of some software, such as OpenVPN. For doing that, we have to download the latest version of EasyRSA. EasyRSA is the CLI utility to build and manage a PKI CA. A CA acts as a trusted 3rd party. The format of these certificates is specified by the X.509 standard.
A certificate signed by a Certificate Authority (CA) which is trusted, like by the browser is displayed as trusted (that usually a padlock icon). A browser only trusts a CA when the CA’s public root certificate is installed in the browser and/or the computer in use. That makes the actual usage limited within own network. Browsers come with pre-installed CA certificates such as from Geotrust, Comodo, Symantec. The reason to use EasyRSA like scripted way is to make the steps easy. OpenSSL command line for setting up own CA infrastructure for a person unused with X.509 certificate chain of trust can make dizzy. We need to build the CA on a single server for this purpose. This prevents an attacker to access the CA private key to sign new certificates. We can keep the CA server turned off when not required to be in use.
This is EasyRSA’s official GitHub repo :
---
1 2 3 4 5 | # https://github.com/OpenVPN/easy-rsa # |
We can wget it and un-tar it :
1 2 3 4 5 6 7 8 9 10 11 | cd ~ # version 3.0.6 is latest at the time of writing this guide wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.6/EasyRSA-unix-v3.0.6.tgz ls | grep "tgz" tar -xzvf EasyRSA-unix-v3.0.6.tgz rm EasyRSA-unix-v3.0.6.tgz cd ~/EasyRSA-v3.0.6/ cp vars.example vars cat vars # initialized to create pki directory and various sub-directories ./easyrsa init-pki force |
You’ll get output like this :
1 2 | .. Your newly created PKI dir is: /home/user-name/EasyRSA-v3.0.6/pki |
Now we need to edit that vars file :
1 2 | nano vars # vi vars |
Your edit should make the file looking like this :
1 2 3 4 5 6 7 8 | . . . set_var EASYRSA_REQ_COUNTRY "IN" set_var EASYRSA_REQ_PROVINCE "WestBengal" set_var EASYRSA_REQ_CITY "Kolkata" set_var EASYRSA_REQ_ORG "The Customize Windows Consultancy" set_var EASYRSA_REQ_EMAIL "admin@thecustomizewindows.com" set_var EASYRSA_REQ_OU "Blog Department" |
Again, we need to call the easyrsa script for the build-ca option which will build the CA and create two required files ca.crt and ca.key. We do not need password hence we will run :
1 | ./easyrsa build-ca nopass |
To generate CA certificate use something similar to:
1 2 | echo "ca.thecustomizewindows.com" > input.txt ./easyrsa build-ca nopass < input.txt |
There are various methods for generating server or client certificates. Such as, on CA server we can use the build-server-full or build-client full script.
Another way is to copy the easy-rsa scripts on target server and generating certificate request. This request will be imported in next step and signed on CA server. Then the signed certificate will be transferred back to the server which generated the request. To build full-client-certifcate without requiring client to generate certificate request and send it to CA server use something like:
1 | ./easyrsa build-client-full abhishek@thecustomizewindows.com nopass |
Your PKI dir was at /home/user-name/EasyRSA-v3.0.6/pki. The above commond will create ..pki/private/vpn.thecustomizewindows.com.key and ..pki/issued/vpn.thecustomizewindows.com.crt. To export CA certificate in PKCS#12 format use:
1 | ./easyrsa export-p12 abhishek@thecustomizewindows.com |
Update the status of the certificates in index file:
1 | ./easyrsa update-db |
To generate DH parameters use:
1 | ./easyrsa gen-dh |
