Difference between revisions of "Easy-rsa"

From Notes_Wiki
m
m
 
(4 intermediate revisions by the same user not shown)
Line 1: Line 1:
<yambe:breadcrumb>Security_tools|Security tools</yambe:breadcrumb>
[[Main Page|Home]] > [[CentOS]] > [[CentOS 6.x]] > [[Security tools]] > [[Easy-rsa]]
=easy-rsa=
 
=About easy-rsa=


Easy rsa scripts help with creating and managing certificates by using openssl.  Various operations that can be done with help of easy-rsa scripts are mentioned here.
Easy rsa scripts help with creating and managing certificates by using openssl.  Various operations that can be done with help of easy-rsa scripts are mentioned here.
Line 22: Line 23:
     set_var EASYRSA_REQ_PROVINCE    "Andhra Pradesh"
     set_var EASYRSA_REQ_PROVINCE    "Andhra Pradesh"
     set_var EASYRSA_REQ_CITY        "Hyderabad"
     set_var EASYRSA_REQ_CITY        "Hyderabad"
     set_var EASYRSA_REQ_ORG        "IIIT Hyderabad"
     set_var EASYRSA_REQ_ORG        "Rekall Software"
     set_var EASYRSA_REQ_EMAIL      "barjatiya.saurabh@gmail.com"
     set_var EASYRSA_REQ_EMAIL      "saurabh@example.com"
     set_var EASYRSA_REQ_OU          "Server room"
     set_var EASYRSA_REQ_OU          "IT Department"
</pre>
</pre>


Line 32: Line 33:
To generate CA certificate use something similar to:
To generate CA certificate use something similar to:
<pre>
<pre>
     echo "ca.iiit.ac.in" > input.txt
     echo "ca.sbarjatiya.com" > input.txt
     ./easyrsa build-ca nopass < input.txt
     ./easyrsa build-ca nopass < input.txt
</pre>
</pre>
Line 50: Line 51:
To generate a new certificate request after deleting old certificates with same name, if any, use:
To generate a new certificate request after deleting old certificates with same name, if any, use:
<pre>
<pre>
     rm -f pki/reqs/vpn.iiit.ac.in.req
     rm -f pki/reqs/vpn.sbarjatiya.com.req
     rm -f pki/issued/vpn.iiit.ac.in.crt
     rm -f pki/issued/vpn.sbarjatiya.com.crt
     rm -f pki/private/vpn.iiit.ac.in.key
     rm -f pki/private/vpn.sbarjatiya.com.key
     echo "vpn.iiit.ac.in" > input.txt
     echo "vpn.sbarjatiya.com" > input.txt
     ./easyrsa gen-req vpn.iiit.ac.in nopass < input.txt
     ./easyrsa gen-req vpn.sbarjatiya.com nopass < input.txt
</pre>
</pre>
This will create pki/private/vpn.iiit.ac.in.key and pki/reqs/vpn.iiit.ac.in.req.
This will create pki/private/vpn.sbarjatiya.com.key and pki/reqs/vpn.sbarjatiya.com.req.




Line 62: Line 63:
If certificate request is created using other open-rsa installation and the request should be signed by CA certificate then first the request has to be imported using:
If certificate request is created using other open-rsa installation and the request should be signed by CA certificate then first the request has to be imported using:
<pre>
<pre>
     rm -f pki/reqs/vpn.iiit.ac.in.req
     rm -f pki/reqs/vpn.sbarjatiya.com.req
     rm -f pki/issued/vpn.iiit.ac.in.crt
     rm -f pki/issued/vpn.sbarjatiya.com.crt
     rm -f pki/private/vpn.iiit.ac.in.key
     rm -f pki/private/vpn.sbarjatiya.com.key
     ./easyrsa import-req /tmp/vpn.iiit.ac.in.req vpn.iiit.ac.in
     ./easyrsa import-req /tmp/vpn.sbarjatiya.com.req vpn.sbarjatiya.com
</pre>
</pre>


Line 74: Line 75:
<pre>
<pre>
     echo "yes" > input.txt
     echo "yes" > input.txt
     ./easyrsa sign-req server vpn.iiit.ac.in < input.txt
     ./easyrsa sign-req server vpn.sbarjatiya.com < input.txt
</pre>
</pre>
This will create pki/issued/vpn.iiit.ac.in.crt
This will create pki/issued/vpn.sbarjatiya.com.crt




Line 83: Line 84:
To find details of any certificate which is issued by current CA use:
To find details of any certificate which is issued by current CA use:
<pre>
<pre>
     ./easyrsa show-cert vpn.iiit.ac.in
     ./easyrsa show-cert vpn.sbarjatiya.com
</pre>
</pre>


Line 100: Line 101:
<pre>
<pre>
     echo "yes" > input.txt
     echo "yes" > input.txt
     ./easyrsa revoke vpn.iiit.ac.in < input.txt
     ./easyrsa revoke vpn.sbarjatiya.com < input.txt
</pre>
</pre>


Line 116: Line 117:
To build full-server-certificate directly on CA without requiring generating and importing certificate request from server use:
To build full-server-certificate directly on CA without requiring generating and importing certificate request from server use:
<pre>
<pre>
     rm -f pki/reqs/vpn.iiit.ac.in.req
     rm -f pki/reqs/vpn.sbarjatiya.com.req
     rm -f pki/issued/vpn.iiit.ac.in.crt
     rm -f pki/issued/vpn.sbarjatiya.com.crt
     rm -f pki/private/vpn.iiit.ac.in.key
     rm -f pki/private/vpn.sbarjatiya.com.key
     ./easyrsa build-server-full vpn.iiit.ac.in nopass
     ./easyrsa build-server-full vpn.sbarjatiya.com nopass
</pre>
</pre>
This will create pki/private/vpn.iiit.ca.in.key and pki/issued/vpn.iiit.ac.in.crt
This will create pki/private/vpn.sbarjatiya.com.key and pki/issued/vpn.sbarjatiya.com.crt




Line 128: Line 129:
To build full-client-certifcate without requiring client to generate certificate request and send it to CA server use:
To build full-client-certifcate without requiring client to generate certificate request and send it to CA server use:
<pre>
<pre>
     rm -f pki/reqs/saurabh.barjatiya@iiit.ac.in.req
     rm -f pki/reqs/saurabh@example.com.req
     rm -f pki/issued/saurabh.barjatiya@iiit.ac.in.crt
     rm -f pki/issued/saurabh@example.com.crt
     rm -f pki/private/saurabh.barjatiya@iiit.ac.in.key
     rm -f pki/private/saurabh@example.com.key
     ./easyrsa build-client-full saurabh.barjatiya@iiit.ac.in nopass
     ./easyrsa build-client-full saurabh@example.com nopass
</pre>
</pre>
      
      
Line 141: Line 142:
     cat > export.sh <<EOF
     cat > export.sh <<EOF
     #!/usr/bin/expect -f
     #!/usr/bin/expect -f
     spawn ./easyrsa export-p12 saurabh.barjatiya@iiit.ac.in
     spawn ./easyrsa export-p12 saurabh@example.com
     expect "Password:"  
     expect "Password:"  
     send "secret\r"
     send "secret\r"
Line 164: Line 165:
=Deployment=
=Deployment=


==Checking SSL connection with chosen CA certificate==
Following command can help in checking whether SSL connection can be established to a secure server using given CA:
Following command can help in checking whether SSL connection can be established to a secure server using given CA:
<pre>
<pre>
Line 170: Line 172:
Use proper name of server and not IP address.
Use proper name of server and not IP address.


<yambe:breadcrumb>Security_tools|Security tools</yambe:breadcrumb>
 
==Configuring system to trust created CA==
 
For most clients such as firefox the CA can be installed using application options.  But for yum, wget, etc. the CA certificate should be installed for complete system using:
<pre>
update-ca-trust enable
cp ca.crt /etc/pki/ca-trust/source/anchors/
update-ca-trust extract
</pre>
This allows securing repository servers ([[createrepo]]) with certificates signed with generated CA without having yum or wget complain about it.
 
 
 
 
[[Main Page|Home]] > [[CentOS]] > [[CentOS 6.x]] > [[Security tools]] > [[Easy-rsa]]

Latest revision as of 16:03, 24 March 2022

Home > CentOS > CentOS 6.x > Security tools > Easy-rsa

About easy-rsa

Easy rsa scripts help with creating and managing certificates by using openssl. Various operations that can be done with help of easy-rsa scripts are mentioned here.

Downloading easy-rsa scripts

Download easy-rsa scripts from https://github.com/OpenVPN/easy-rsa/releases Download EasyRSA-<ver>.tgz file.


Initialize pki infrastructure

Before easy-rsa scripts are used the folder should be initialized to create pki directory and various sub-directories. Do not do this on existing installation as the steps will remove all existing certificates.

    ./easyrsa init-pki force
    cp vars.example vars

Append following to vars file

    set_var EASYRSA_REQ_COUNTRY     "IN"
    set_var EASYRSA_REQ_PROVINCE    "Andhra Pradesh"
    set_var EASYRSA_REQ_CITY        "Hyderabad"
    set_var EASYRSA_REQ_ORG         "Rekall Software"
    set_var EASYRSA_REQ_EMAIL       "saurabh@example.com"
    set_var EASYRSA_REQ_OU          "IT Department"


Generating CA certificate

To generate CA certificate use something similar to:

    echo "ca.sbarjatiya.com" > input.txt
    ./easyrsa build-ca nopass < input.txt

This will create pki/private/ca.key and pki/ca.crt


Various methods for generating server or client certificates

Please note that there are two ways to generate server or client certificate:

  1. On CA server using build-server-full or build-client full
    In this case the certificate and private key are generated on CA machine. After generation they should be copied to the actual server
  2. By setting up another copy of easy-rsa scripts on destination server and generating certificate request. This request is then imported and signed on CA server. The signed certificate is then transferred back to the server which generated request.


Generating request

To generate a new certificate request after deleting old certificates with same name, if any, use:

    rm -f pki/reqs/vpn.sbarjatiya.com.req
    rm -f pki/issued/vpn.sbarjatiya.com.crt
    rm -f pki/private/vpn.sbarjatiya.com.key
    echo "vpn.sbarjatiya.com" > input.txt
    ./easyrsa gen-req vpn.sbarjatiya.com nopass < input.txt

This will create pki/private/vpn.sbarjatiya.com.key and pki/reqs/vpn.sbarjatiya.com.req.


Importing request

If certificate request is created using other open-rsa installation and the request should be signed by CA certificate then first the request has to be imported using:

    rm -f pki/reqs/vpn.sbarjatiya.com.req
    rm -f pki/issued/vpn.sbarjatiya.com.crt
    rm -f pki/private/vpn.sbarjatiya.com.key
    ./easyrsa import-req /tmp/vpn.sbarjatiya.com.req vpn.sbarjatiya.com


Sign imported request

After importing certificate request on CA server it can be signed using:

    echo "yes" > input.txt
    ./easyrsa sign-req server vpn.sbarjatiya.com < input.txt

This will create pki/issued/vpn.sbarjatiya.com.crt


Look at certificate details

To find details of any certificate which is issued by current CA use:

    ./easyrsa show-cert vpn.sbarjatiya.com


Generate DH parameters

To generate DH parameters use:

    ./easyrsa gen-dh

This will create pki/dh.pem file.


Revoking a certificate

To revoke a compromised certificate use:

    echo "yes" > input.txt
    ./easyrsa revoke vpn.sbarjatiya.com < input.txt


Generate latest CRL

To generate a CRL from revoke certificates use:

    ./easyrsa gen-crl

This will create pki/crl.pem which should be published to all servers relying on current CA


Build full-server-certificate and key on CA server

To build full-server-certificate directly on CA without requiring generating and importing certificate request from server use:

    rm -f pki/reqs/vpn.sbarjatiya.com.req
    rm -f pki/issued/vpn.sbarjatiya.com.crt
    rm -f pki/private/vpn.sbarjatiya.com.key
    ./easyrsa build-server-full vpn.sbarjatiya.com nopass

This will create pki/private/vpn.sbarjatiya.com.key and pki/issued/vpn.sbarjatiya.com.crt


Build full-client-certificate and key on CA server

To build full-client-certifcate without requiring client to generate certificate request and send it to CA server use:

    rm -f pki/reqs/saurabh@example.com.req
    rm -f pki/issued/saurabh@example.com.crt
    rm -f pki/private/saurabh@example.com.key
    ./easyrsa build-client-full saurabh@example.com nopass


Exporting PKCS#12 with desired export password

To export CA certificate in PKCS#12 format so that it can be imported into various software for personal identification use:

    cat > export.sh <<EOF
    #!/usr/bin/expect -f
    spawn ./easyrsa export-p12 saurabh@example.com
    expect "Password:" 
    send "secret\r"
    expect "Password:" 
    send "secret\r"
    expect "anything that will surely not be there on page"
    send_user "$expect_out(buffer)"
    EOF

    chmod +x export.sh
    ./export.sh


Update status of index with current time

To update status of various certificates in index file with respect to current time use:

    ./easyrsa update-db


Deployment

Checking SSL connection with chosen CA certificate

Following command can help in checking whether SSL connection can be established to a secure server using given CA:

openssl s_client -connect <server>:<port> -CAfile ca.crt

Use proper name of server and not IP address.


Configuring system to trust created CA

For most clients such as firefox the CA can be installed using application options. But for yum, wget, etc. the CA certificate should be installed for complete system using:

update-ca-trust enable
cp ca.crt /etc/pki/ca-trust/source/anchors/
update-ca-trust extract

This allows securing repository servers (createrepo) with certificates signed with generated CA without having yum or wget complain about it.



Home > CentOS > CentOS 6.x > Security tools > Easy-rsa