easy-rsa is a CLI utility to build and manage a PKI CA (Public Key Infrastructure). In layman's terms, this means creating a root certificate authority, and requesting and signing certificates, including sub-CAs and certificate revocation lists (CRL). These certificates are valid X.509 certificates and can be used for authentication purposes (e.g. VPN, wireless, encryption).
(Setting up on Linux)
Earlier versions of the OpenVPN setup used to include a copy of the 'easy-rsa' scripts in a directory under the OpenVPN documentation (/usr/share/doc/openvpn/examples/). However, since several significant improvements to the easy-rsa scripts have given them a life of their own, these scripts have undergone some name changes and are now installed in /usr/bin and /usr/share/easy-rsa/. On major Linux distributions they are now shipped in their own installer package. The central repository for the latest version of easy-rsa is on GitHub at https://github.com/OpenVPN/easy-rsa.
Below are examples of how to set up your own PKI.
easy-rsa v1.x and 2.0
This is the version that came bundled with OpenVPN and lives in the /usr/share/doc/openvpn/examples/easy-rsa/ directory.
- Copy the Certification Authority scripts from the OpenVPN examples directory
# mkdir /etc/openvpn/easy-rsa
# cp -R /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
- Edit /etc/openvpn/easy-rsa/vars according to your organisation. Probably just the lines at the bottom of the file.
- Prepare the CA environment
# cd /etc/openvpn/easy-rsa/
# . ./vars
# ./clean-all
Generate CA, server and client certificates
- Generate the CERTIFICATE AUTHORITY (CA) CERTIFICATE/KEY:
# ./build-ca
- BUILD AN INTERMEDIATE CERTIFICATE AUTHORITY CERTIFICATE/KEY:
# ./build-key-server server
- BUILD DIFFIE-HELLMAN PARAMETERS (necessary for the server end of an SSL/TLS connection):
# ./build-dh
- Generate a key for each client:
# ./build-key clientname
This is the version that is installed as a separate, required package when installing OpenVPN v2.3 (on Debian Jessie).
First, run the script to put symlinks and some config files into a new directory (the script will create this directory)
cd /etc/openvpn
make-cadir my_ca
cd my_ca
Several files have now been created. Most of them are symlinks to scripts that create the various PKI parts.
Next, open up the 'vars' file and update the relevant company information at the end of the document. All other information in the vars file can be left as-is.
vi vars (and update company information)
Then we'll source the vars script to set several environment variables in the current shell (it has to be sourced with `. ./vars` rather than executed, otherwise the variables are set in a child process and lost again). You'll need to do this every time you wish to perform any of the other PKI operations, such as creating a new set of client certificates.
. ./vars
This command should not produce any significant errors or warnings.
Then we get to the heart of the matter: setting up the CA. This step is only required once and will create a cryptographically strong certificate that all other certificates depend on.
./clean-all (delete any keys from the keys directory and initialise the certificate index and serial files)
./build-dh (generate the Diffie-Hellman parameters used by the server for the TLS key exchange)
./pkitool --initca (create the root CA certificate and private key that every other certificate depends on)
./pkitool --server myserver (create the server certificate and private key, signed by the CA)
We now have a CA that can perform PKI operations such as issuing client certificates.
To create a new client certificate key pair:
. ./vars (in case you haven't done so already)
./pkitool client1
This is the latest version of easy-rsa and I have not yet seen it bundled with OpenVPN on Linux.
The instructions are available on the easy-rsa website:
Overview of generated files
Certificate Authority public key. This file is required for clients to connect to the server. It confirms that the client keys (public and private) have been issued by this CA. This file may be transmitted over an insecure channel and can be left accessible for the world to see.
Certificate Authority private key. This file is used to issue and sign new client certificates. It must be kept secret. Chmod to 400 on the server. This file should not leave the server.
- dh1024.pem (or dh2048.pem, or dh4096.pem)
Diffie-Hellman parameters. This file contains the entropy required to produce big prime numbers for strong encryption. This file may be flagged chmod 644 but does not need to leave the server as it only has value for generating new client key pairs.
Client public key. This file is required for clients to connect to the server. This file may be transmitted over an insecure channel and can be left accessible for the world to see.
Client private key. This file is required for clients to connect to the server. It must be kept secret. Chmod to 400 if possible. This file should not leave the client computer.
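As an added example (not part of this page or of easy-rsa itself), the following POSIX shell script checks a keys directory produced by the procedures above against the handling rules in this overview (private keys readable only by their owner, public parts not writable by others) and confirms that a client certificate really chains to the CA certificate. It assumes the standard easy-rsa 2.x output names ca.crt, ca.key, dh*.pem and <client>.crt/<client>.key, all in one directory.

```shell
#!/bin/sh
# Added example, not part of easy-rsa: audit an easy-rsa keys directory.
# Assumed file names: ca.crt, ca.key, dh*.pem, <client>.crt, <client>.key.

# secret_ok FILE: 0 if FILE exists with mode exactly 0400 (owner read-only)
secret_ok() {
    [ -f "$1" ] && [ -n "$(find "$1" -prune -perm 0400 -print)" ]
}

# public_ok FILE: 0 if FILE exists and is not writable by group or others
public_ok() {
    [ -f "$1" ] && [ -z "$(find "$1" -prune \( -perm -0020 -o -perm -0002 \) -print)" ]
}

# audit_keys KEYS_DIR CLIENT: report every violation, return 1 if any was found
audit_keys() {
    dir=$1; client=$2; rc=0
    for f in "$dir/ca.key" "$dir/$client.key"; do
        secret_ok "$f" || { echo "SECRET $f must exist with mode 400"; rc=1; }
    done
    for f in "$dir/ca.crt" "$dir/$client.crt" "$dir"/dh*.pem; do
        public_ok "$f" || { echo "PUBLIC $f missing or writable by others"; rc=1; }
    done
    return $rc
}

# verify_chain KEYS_DIR CLIENT: 0 if <client>.crt was signed by ca.crt
# (needs openssl; returns 2 if it is not installed)
verify_chain() {
    command -v openssl >/dev/null 2>&1 || return 2
    openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1
}

# Usage (path is the easy-rsa 2.0 default from the steps above):
#   audit_keys /etc/openvpn/easy-rsa/keys client1 && verify_chain /etc/openvpn/easy-rsa/keys client1
```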