The easy-rsa scripts help with creating and managing certificates by wrapping openssl. The various operations that can be done with the easy-rsa scripts are described here.
Downloading easy-rsa scripts
Download the easy-rsa scripts from https://github.com/OpenVPN/easy-rsa/releases (the EasyRSA-<ver>.tgz file).
Initialize pki infrastructure
Before the easy-rsa scripts are used, the folder must be initialized to create the pki directory and its sub-directories. Do not do this on an existing installation, as the steps remove all existing certificates.
./easyrsa init-pki force
cp vars.example vars
Append the following to the vars file:
set_var EASYRSA_REQ_COUNTRY "IN"
set_var EASYRSA_REQ_PROVINCE "Andhra Pradesh"
set_var EASYRSA_REQ_CITY "Hyderabad"
set_var EASYRSA_REQ_ORG "Rekall Software"
set_var EASYRSA_REQ_EMAIL "firstname.lastname@example.org"
set_var EASYRSA_REQ_OU "IT Department"
Generating CA certificate
To generate the CA certificate use something similar to:
echo "ca.sbarjatiya.com" > input.txt
./easyrsa build-ca nopass < input.txt
This will create pki/private/ca.key and pki/ca.crt.
Various methods for generating server or client certificates
Please note that there are two ways to generate a server or client certificate:
- On the CA server, using build-server-full or build-client-full
  - In this case the certificate and private key are generated on the CA machine. After generation they must be copied to the actual server.
- By setting up another copy of the easy-rsa scripts on the destination server and generating a certificate request there. This request is then imported and signed on the CA server, and the signed certificate is transferred back to the server that generated the request.
To generate a new certificate request, after deleting any old certificates with the same name, use:
rm -f pki/reqs/vpn.sbarjatiya.com.req
rm -f pki/issued/vpn.sbarjatiya.com.crt
rm -f pki/private/vpn.sbarjatiya.com.key
echo "vpn.sbarjatiya.com" > input.txt
./easyrsa gen-req vpn.sbarjatiya.com nopass < input.txt
This will create pki/private/vpn.sbarjatiya.com.key and pki/reqs/vpn.sbarjatiya.com.req.
If the certificate request was created using another easy-rsa installation and should be signed by this CA, the request first has to be imported using:
rm -f pki/reqs/vpn.sbarjatiya.com.req
rm -f pki/issued/vpn.sbarjatiya.com.crt
rm -f pki/private/vpn.sbarjatiya.com.key
./easyrsa import-req /tmp/vpn.sbarjatiya.com.req vpn.sbarjatiya.com
Sign imported request
After importing the certificate request on the CA server it can be signed using:
echo "yes" > input.txt
./easyrsa sign-req server vpn.sbarjatiya.com < input.txt
This will create pki/issued/vpn.sbarjatiya.com.crt.
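The request-and-sign workflow above, carried out with the plain openssl commands that easy-rsa wraps, as an added example that is not part of the original page and not easy-rsa's own code: the server generates its key and request, only the request crosses to the CA, the CA inspects the request and signs it as a server certificate, and the result is checked against the CA. The Demo CA name, the host name vpn.example.test and all directory names are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original page, not easy-rsa code): the
# "generate the request on the server, sign it on the CA" flow using the
# openssl commands that easy-rsa wraps. Names and paths are constructed.
set -eu

NAME="vpn.example.test"   # constructed server name

# demo_csr_workflow -> runs the whole flow in a fresh temp dir and prints its path
demo_csr_workflow() {
    work=$(mktemp -d)
    ca="$work/ca"; srv="$work/server"
    mkdir -p "$ca" "$srv"

    # --- CA machine: self-signed CA (what "easyrsa build-ca" does) ---
    cat > "$ca/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Demo CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    openssl req -config "$ca/ca.cnf" -x509 -newkey rsa:2048 -nodes -days 3650 \
        -keyout "$ca/ca.key" -out "$ca/ca.crt" >/dev/null 2>&1

    # --- server machine: private key + request (what "easyrsa gen-req" does) ---
    cat > "$srv/req.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $NAME
EOF
    openssl req -config "$srv/req.cnf" -new -newkey rsa:2048 -nodes \
        -keyout "$srv/$NAME.key" -out "$srv/$NAME.req" >/dev/null 2>&1

    # only the request travels to the CA ("easyrsa import-req"); the key stays put
    cp "$srv/$NAME.req" "$ca/$NAME.req"

    # --- CA machine: look at what is being requested before signing it ---
    openssl req -in "$ca/$NAME.req" -noout -subject | grep -q "CN *= *$NAME" || return 1

    # sign as a server certificate ("easyrsa sign-req server"): the SAN and EKU
    # pin the certificate to this host name and to server use only
    cat > "$ca/server.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$NAME
EOF
    openssl x509 -req -in "$ca/$NAME.req" -CA "$ca/ca.crt" -CAkey "$ca/ca.key" \
        -CAcreateserial -days 825 -extfile "$ca/server.ext" \
        -out "$ca/$NAME.crt" >/dev/null 2>&1

    # the signed certificate goes back to the server that made the request
    cp "$ca/$NAME.crt" "$srv/$NAME.crt"
    echo "$work"
}

# verify_issued WORKDIR HOST -> 0 if the server cert chains to the CA and matches HOST
verify_issued() {
    openssl verify -CAfile "$1/ca/ca.crt" -verify_hostname "$2" \
        "$1/server/$NAME.crt" >/dev/null 2>&1
}

# key_stayed_on_server WORKDIR -> 0 if the server key exists only on the server side
key_stayed_on_server() {
    [ -f "$1/server/$NAME.key" ] && [ ! -e "$1/ca/$NAME.key" ]
}

# Stand-alone usage:  sh csr_workflow.sh run
if [ "${1:-}" = "run" ]; then
    dir=$(demo_csr_workflow)
    verify_issued "$dir" "$NAME" && key_stayed_on_server "$dir" && echo "issued OK in $dir"
fi
```

The final verification deliberately passes the host name, not an address: verify_issued succeeds for vpn.example.test and fails for any other name or for an IP, because the certificate carries only a DNS subjectAltName.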
Look at certificate details
To see the details of any certificate issued by the current CA use:
./easyrsa show-cert vpn.sbarjatiya.com
Generate DH parameters
To generate DH parameters use:
This will create pki/dh.pem file.
Revoking a certificate
To revoke a compromised certificate use:
echo "yes" > input.txt
./easyrsa revoke vpn.sbarjatiya.com < input.txt
Generate latest CRL
To generate a CRL from the revoked certificates use:
This will create pki/crl.pem, which should be published to all servers relying on the current CA.
Build full-server-certificate and key on CA server
To build the full server certificate directly on the CA, without generating and importing a certificate request from the server, use:
rm -f pki/reqs/vpn.sbarjatiya.com.req
rm -f pki/issued/vpn.sbarjatiya.com.crt
rm -f pki/private/vpn.sbarjatiya.com.key
./easyrsa build-server-full vpn.sbarjatiya.com nopass
This will create pki/private/vpn.sbarjatiya.com.key and pki/issued/vpn.sbarjatiya.com.crt.
Build full-client-certificate and key on CA server
To build the full client certificate without requiring the client to generate a certificate request and send it to the CA server, use:
rm -f email@example.com
rm -f firstname.lastname@example.org
rm -f email@example.com
./easyrsa build-client-full firstname.lastname@example.org nopass
Exporting PKCS#12 with desired export password
To export a certificate together with its private key in PKCS#12 format (the command below exports the client certificate) so that it can be imported into various software for personal identification, use the following. The here-document delimiter is quoted so that the shell does not expand $expect_out(buffer) before expect sees it:
cat > export.sh <<'EOF'
#!/usr/bin/expect -f
spawn ./easyrsa export-p12 email@example.com
expect "Password:"
send "secret\r"
expect "Password:"
send "secret\r"
expect "anything that will surely not be there on page"
send_user "$expect_out(buffer)"
EOF
chmod +x export.sh
./export.sh
Update status of index with current time
To update the status of the certificates in the index file with respect to the current time use:
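The revoke, CRL and index-update steps above all maintain easy-rsa's certificate database, pki/index.txt, which uses OpenSSL's ca index format (tab-separated: status, expiry, revocation date, serial, file name, subject). As an added example that is not part of the original page and not easy-rsa code, here is a small POSIX shell reader for that file which reports each certificate's effective status (valid, revoked, or expired relative to a chosen time) and rewrites stale V entries to E the way the index update does. The index lines, serials and names are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original page, not easy-rsa code): reading and
# refreshing an OpenSSL-style certificate index such as easy-rsa's pki/index.txt.
# The sample entries below are constructed for the demo.
set -eu

TAB=$(printf '\t')

# make_sample_index -> writes a constructed index.txt and prints its path
# Columns: status (V/R/E), expiry, revocation date (empty unless revoked),
# serial, file name ("unknown"), subject DN; dates are YYMMDDHHMMSSZ.
make_sample_index() {
    f=$(mktemp)
    printf 'V\t330101000000Z\t\t01\tunknown\t/CN=vpn.example.test\n'            >> "$f"
    printf 'R\t330101000000Z\t240115103000Z\t02\tunknown\t/CN=old-vpn.example.test\n' >> "$f"
    printf 'E\t230101000000Z\t\t03\tunknown\t/CN=retired.example.test\n'        >> "$f"
    printf 'V\t240301000000Z\t\t04\tunknown\t/CN=stale.example.test\n'          >> "$f"
    echo "$f"
}

# index_report INDEX NOW -> one line per entry: "<status> <serial> <DN>"
# NOW is given in the index's own YYMMDDHHMMSSZ form, e.g. 240601000000Z.
# A V entry whose expiry lies before NOW is reported as E even if the file has
# not been refreshed yet; that recomputation is what the index update persists.
index_report() {
    awk -F "$TAB" -v now="$2" '
        NF >= 6 {
            status = $1; expiry = $2; serial = $4; dn = $6
            if (status == "V" && expiry < now) status = "E"
            print status, serial, dn
        }' "$1"
}

# index_count INDEX NOW STATUS -> number of entries with that effective status
index_count() {
    index_report "$1" "$2" | awk -v want="$3" '$1 == want { n++ } END { print n + 0 }'
}

# update_index INDEX NOW -> rewrite INDEX in place, marking expired V entries E
# (revoked entries keep their R status, as the real index update also does)
update_index() {
    tmp=$(mktemp)
    awk -F "$TAB" -v OFS="$TAB" -v now="$2" '
        $1 == "V" && $2 < now { $1 = "E" }
        { print }' "$1" > "$tmp" && mv "$tmp" "$1"
}

# Stand-alone usage:  sh index_status.sh run
if [ "${1:-}" = "run" ]; then
    f=$(make_sample_index)
    index_report "$f" "$(date -u +%y%m%d%H%M%SZ)"
fi
```

Dates are compared as strings, which is correct for the two-digit-year YYMMDDHHMMSSZ form OpenSSL writes for expiry dates before 2050. The report is a handy input for an inventory or monitoring check: any name listed as R or E that still appears in a server's configuration or in accepted-connection logs points at a certificate that should no longer be trusted.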
Checking SSL connection with chosen CA certificate
The following command checks whether an SSL connection can be established to a server using the given CA certificate:
openssl s_client -connect <server>:<port> -CAfile ca.crt
Use the server's proper host name, not its IP address, so that the name can be matched against the server certificate.
Configuring system to trust created CA
For most clients, such as Firefox, the CA can be installed through the application's own options. For yum, wget, etc., the CA certificate should be installed system-wide using:
update-ca-trust enable
cp ca.crt /etc/pki/ca-trust/source/anchors/
update-ca-trust extract
This allows securing repository servers (createrepo) with certificates signed by the generated CA without yum or wget complaining about them.