From Notes Wiki

easy-rsa

The easy-rsa scripts help with creating and managing certificates using openssl. The various operations that can be done with the help of the easy-rsa scripts are described here.

Downloading easy-rsa scripts

Download the easy-rsa scripts from https://github.com/OpenVPN/easy-rsa/releases (the EasyRSA-<ver>.tgz file).


Initialize pki infrastructure

Before the easy-rsa scripts are used, the folder should be initialized to create the pki directory and its sub-directories. Do not do this on an existing installation, as the steps remove all existing certificates.

    ./easyrsa init-pki force
    cp vars.example vars

Append the following to the vars file:

    set_var EASYRSA_REQ_COUNTRY     "IN"
    set_var EASYRSA_REQ_PROVINCE    "Andhra Pradesh"
    set_var EASYRSA_REQ_CITY        "Hyderabad"
    set_var EASYRSA_REQ_ORG         "Rekall Software"
    set_var EASYRSA_REQ_EMAIL       "saurabh@example.com"
    set_var EASYRSA_REQ_OU          "IT Department"


Generating CA certificate

To generate the CA certificate use something similar to:

    echo "ca.sbarjatiya.com" > input.txt
    ./easyrsa build-ca nopass < input.txt

This will create pki/private/ca.key and pki/ca.crt.


Various methods for generating server or client certificates

Please note that there are two ways to generate a server or client certificate:

  1. On the CA server, using build-server-full or build-client-full.
    In this case the certificate and private key are generated on the CA machine. After generation they should be copied to the actual server.
  2. By setting up another copy of the easy-rsa scripts on the destination server and generating a certificate request there. This request is then imported and signed on the CA server, and the signed certificate is transferred back to the server that generated the request.


Generating request

To generate a new certificate request, after deleting any old certificates with the same name, use:

    rm -f pki/reqs/vpn.sbarjatiya.com.req
    rm -f pki/issued/vpn.sbarjatiya.com.crt
    rm -f pki/private/vpn.sbarjatiya.com.key
    echo "vpn.sbarjatiya.com" > input.txt
    ./easyrsa gen-req vpn.sbarjatiya.com nopass < input.txt

This will create pki/private/vpn.sbarjatiya.com.key and pki/reqs/vpn.sbarjatiya.com.req.


Importing request

If the certificate request was created using another easy-rsa installation and should be signed by this CA, the request first has to be imported using:

    rm -f pki/reqs/vpn.sbarjatiya.com.req
    rm -f pki/issued/vpn.sbarjatiya.com.crt
    rm -f pki/private/vpn.sbarjatiya.com.key
    ./easyrsa import-req /tmp/vpn.sbarjatiya.com.req vpn.sbarjatiya.com


Sign imported request

After importing the certificate request on the CA server it can be signed using:

    echo "yes" > input.txt
    ./easyrsa sign-req server vpn.sbarjatiya.com < input.txt

This will create pki/issued/vpn.sbarjatiya.com.crt.


Look at certificate details

To see the details of any certificate issued by the current CA use:

    ./easyrsa show-cert vpn.sbarjatiya.com


Generate DH parameters

To generate DH parameters use:

    ./easyrsa gen-dh

This will create pki/dh.pem file.


Revoking a certificate

To revoke a compromised certificate use:

    echo "yes" > input.txt
    ./easyrsa revoke vpn.sbarjatiya.com < input.txt


Generate latest CRL

To generate a CRL from the revoked certificates use:

    ./easyrsa gen-crl

This will create pki/crl.pem, which should be published to all servers relying on the current CA.


Build full-server-certificate and key on CA server

To build a full server certificate directly on the CA, without generating and importing a certificate request from the server, use:

    rm -f pki/reqs/vpn.sbarjatiya.com.req
    rm -f pki/issued/vpn.sbarjatiya.com.crt
    rm -f pki/private/vpn.sbarjatiya.com.key
    ./easyrsa build-server-full vpn.sbarjatiya.com nopass

This will create pki/private/vpn.sbarjatiya.com.key and pki/issued/vpn.sbarjatiya.com.crt.


Build full-client-certificate and key on CA server

To build a full client certificate without requiring the client to generate a certificate request and send it to the CA server use:

    rm -f pki/reqs/saurabh@example.com.req
    rm -f pki/issued/saurabh@example.com.crt
    rm -f pki/private/saurabh@example.com.key
    ./easyrsa build-client-full saurabh@example.com nopass


Exporting PKCS#12 with desired export password

To export a certificate (together with the CA certificate) in PKCS#12 format, so that it can be imported into various software for personal identification, use:

    cat > export.sh <<'EOF'
    #!/usr/bin/expect -f
    # The quoted 'EOF' above keeps the shell from expanding $expect_out below.
    spawn ./easyrsa export-p12 saurabh@example.com
    # Answer the export password prompt and its verification prompt
    expect "Password:"
    send "secret\r"
    expect "Password:"
    send "secret\r"
    # Wait for easyrsa to finish, then show what it printed
    expect eof
    send_user "$expect_out(buffer)"
    EOF

    chmod +x export.sh
    ./export.sh


Update status of index with current time

To update the status of the certificates in the index file with respect to the current time use:

    ./easyrsa update-db
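As an added illustration, not part of this page or of easy-rsa itself, the following Python reads the CA database that easy-rsa keeps in pki/index.txt (the OpenSSL CA index: one tab-separated line per certificate with status, expiry, revocation time, serial, filename and subject, times in YYMMDDHHMMSSZ UTC) and reproduces what the CRL and update-db steps act on: which serials gen-crl would list, which valid entries update-db would mark expired, and which valid certificates are about to expire. The index content is a constructed sample.

```python
"""Read easy-rsa's CA database (pki/index.txt) and report certificate status.

Added illustration, not part of easy-rsa. The index is the OpenSSL CA
database: one tab-separated line per issued certificate with the fields
  status (V=valid, R=revoked, E=expired), expiry, revocation time,
  serial, filename, subject DN
where times are 'YYMMDDHHMMSSZ' in UTC.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample of a pki/index.txt; not taken from a real CA.
SAMPLE_INDEX = (
    "V\t270101120000Z\t\t01\tunknown\t/CN=vpn.sbarjatiya.com\n"
    "R\t270101120000Z\t240315093000Z\t02\tunknown\t/CN=old-vpn.sbarjatiya.com\n"
    "V\t240101120000Z\t\t03\tunknown\t/CN=saurabh@example.com\n"
)


def parse_asn1_time(value):
    """Convert the index's 'YYMMDDHHMMSSZ' timestamp to an aware UTC datetime."""
    return datetime.strptime(value, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def parse_index(text):
    """Parse index.txt content into a list of dicts, one per certificate."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError(f"malformed index line: {line!r}")
        status, expiry, revoked, serial, filename, subject = fields
        entries.append({
            "status": status,
            "expires": parse_asn1_time(expiry),
            "revoked": parse_asn1_time(revoked) if revoked else None,
            "serial": serial,
            "filename": filename,
            "subject": subject,
        })
    return entries


def update_db(entries, now):
    """What 'easyrsa update-db' does to the index: valid entries whose expiry
    has passed become 'E'. Revoked entries are left alone; returns new dicts."""
    updated = []
    for entry in entries:
        entry = dict(entry)
        if entry["status"] == "V" and entry["expires"] < now:
            entry["status"] = "E"
        updated.append(entry)
    return updated


def crl_serials(entries):
    """Serials that 'easyrsa gen-crl' would put into pki/crl.pem: every 'R' entry."""
    return [e["serial"] for e in entries if e["status"] == "R"]


def expiring_soon(entries, now, days=30):
    """Subjects of still-valid certificates expiring within `days`: the ones to
    renew before relying parties start rejecting them."""
    limit = now + timedelta(days=days)
    return [e["subject"] for e in entries
            if e["status"] == "V" and now <= e["expires"] <= limit]


def report(text, now):
    """Human-readable summary of the index as of `now`."""
    entries = update_db(parse_index(text), now)
    lines = [f"{e['status']}  serial {e['serial']}  {e['subject']}" for e in entries]
    lines.append(f"CRL would contain serials: {crl_serials(entries)}")
    lines.append(f"Expiring within 30 days: {expiring_soon(entries, now)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_INDEX, datetime.now(timezone.utc)))
```

Running the script on a real CA means reading pki/index.txt instead of SAMPLE_INDEX; the file is read-only here, so it never replaces the update-db step, it only shows what that step and gen-crl will produce.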


Deployment

Checking SSL connection with chosen CA certificate

The following command can help in checking whether an SSL connection can be established to a secure server using the given CA:

    openssl s_client -connect <server>:<port> -CAfile ca.crt

Use the proper hostname of the server, not its IP address.
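As an added example (Python, not from this page or from easy-rsa), the following performs the same check as the openssl command above from a program: it trusts only the given ca.crt, verifies the server's chain against it and checks that the certificate is issued for the server name, which is why a hostname rather than an IP address has to be given. The server, port and CA file path are placeholders passed in by the caller.

```python
"""Check a TLS endpoint against one chosen CA file, as
'openssl s_client -connect <server>:<port> -CAfile ca.crt' does.
Added example; not part of this page or of easy-rsa."""
import ipaddress
import socket
import ssl


def is_ip_literal(name):
    """True if name is an IPv4/IPv6 address rather than a DNS name."""
    try:
        ipaddress.ip_address(name)
    except ValueError:
        return False
    return True


def check_tls(server, port, cafile, timeout=5.0):
    """Connect to server:port, verify the server chain against cafile only and
    verify that the certificate is issued for `server`.

    Returns (common_name, not_after) from the verified certificate. Raises
    ssl.SSLCertVerificationError when the chain or the name does not verify,
    and OSError when cafile cannot be read or the connection fails."""
    if is_ip_literal(server):
        # A certificate is issued for a name; an IP literal is not matched
        # against it unless the CA put it in a SAN, so insist on the name.
        raise ValueError("give the server's DNS name, not its IP address")
    # With cafile set, the context trusts only this CA, not the system store.
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((server, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=server) as tls:
            cert = tls.getpeercert()
    # getpeercert() gives the subject as a tuple of RDNs, each a tuple of
    # (attribute, value) pairs; flatten it into a dict.
    subject = {k: v for rdn in cert["subject"] for k, v in rdn}
    return subject.get("commonName"), cert["notAfter"]


if __name__ == "__main__":
    import sys
    # Usage: python check_tls.py vpn.sbarjatiya.com 443 ca.crt
    host, port, cafile = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    try:
        cn, not_after = check_tls(host, port, cafile)
        print(f"OK: certificate for {cn}, valid until {not_after}")
    except ssl.SSLCertVerificationError as exc:
        print(f"FAILED: {exc.verify_message}")
```

Unlike the bare openssl command, which reports the chain result but does not by itself check that the certificate name matches the host you typed, this script fails both when the chain does not lead to ca.crt and when the name in the certificate does not match the server argument.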


Configuring system to trust created CA

For most clients, such as Firefox, the CA can be installed using the application's options. But for yum, wget, etc. the CA certificate should be installed for the complete system using:

    update-ca-trust enable
    cp ca.crt /etc/pki/ca-trust/source/anchors/
    update-ca-trust extract

This allows securing repository servers (createrepo) with certificates signed by the generated CA without yum or wget complaining about them.