wiki:EasyRSA3-Insecure-PKI

Version 4 (modified by JoshC, 10 years ago)

add warning about client key passphrase transport

EasyRSA v3 Insecure PKI Howto

This page is for people who want an "all-in-one" PKI. This is an INSECURE way to create your PKI. Be very sure you don't want to follow the more appropriate EasyRSA3 OpenVPN Howto before following this guide.

Why to avoid this

If you generate your PKI "all in one" you need to transport your private keys to your servers and clients. This means you are exposing the private keys to compromise and can no longer assure that they exist only on the target system. This reduces your security, and should be selected only when you understand the security trade-offs involved.

Procedure

If you want this, blindly copy the following procedure:

  1. Extract the EasyRSA v3 zip or tarball
  2. Create your PKI environment on your CA system (one-time operation) with:
    ./easyrsa init-pki

  3. Build the CA (one-time operation; the CA passphrase you set here is required for all later signing operations) with:
    ./easyrsa build-ca

  4. Build a server keypair, required for each server (key UNENCRYPTED -- TREAT WITH CARE) with:
    ./easyrsa build-server-full server1 nopass

    1. WARNING: if this key is ever accessed, the person with access will be able to impersonate your server
  5. Build a client keypair, required for each client (key encrypted -- remember and TREAT THIS PASSPHRASE WITH CARE) with:
    ./easyrsa build-client-full client1

    1. WARNING: if this key is ever accessed, the person with access can attempt a passphrase search or brute-force attack on the key. If successful, the attacker will be able to impersonate your client
  6. Generate the server DH parameters (dh.pem; not security-sensitive) with:
    ./easyrsa gen-dh

  7. Send the server.key, server.crt, ca.crt, and dh.pem to your server
    1. WARNING: if this key is ever cloned in transit, the person with access will be able to impersonate your server
  8. Send the client key, client crt, and ca.crt to your client.
    1. WARNING: if this key is ever cloned in transit, the person with access can attempt a passphrase search or brute-force attack on the key. If successful, the attacker will be able to impersonate your client
    2. WARNING: you must send the recipient of the client key the passphrase used to create it. If an attacker gains access to both the passphrase and the encrypted key, they will be able to impersonate your client
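The warnings above hinge on one question: which keys leaving the CA system are unencrypted, and are they readable by anyone else on that system before they are sent? The following stand-alone Python script is an added pre-transport audit, not part of EasyRSA or of this wiki page. It assumes the EasyRSA 3 default layout in which private keys are written to pki/private/<name>.key, and it relies only on the PEM header labels OpenSSL emits ("ENCRYPTED PRIVATE KEY" for PKCS#8 encrypted keys, or a "Proc-Type: 4,ENCRYPTED" header for legacy-format keys). The PEM bodies in the demo are constructed placeholders, not real key material.

```python
"""Audit private keys produced by the all-in-one EasyRSA procedure before
they are sent anywhere. Flags unencrypted keys (e.g. a server key built
with 'nopass') and keys whose file mode lets group/others read them.
Standard library only; assumes EasyRSA 3's pki/private/<name>.key layout."""
import stat
import tempfile
from pathlib import Path

# PEM labels as written by OpenSSL / EasyRSA.
_ENCRYPTED_LABEL = "ENCRYPTED PRIVATE KEY"  # PKCS#8, passphrase-protected
_PLAIN_LABELS = ("PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY")


def classify_pem_key(pem_text: str) -> str:
    """Return 'encrypted', 'unencrypted' or 'not-a-key' for a PEM blob.
    Handles PKCS#8 '-----BEGIN ENCRYPTED PRIVATE KEY-----' and legacy PEM
    encryption signalled by a 'Proc-Type: 4,ENCRYPTED' header line."""
    lines = [line.strip() for line in pem_text.splitlines()]
    begin = next((l for l in lines if l.startswith("-----BEGIN ")), None)
    if begin is None:
        return "not-a-key"
    label = begin[len("-----BEGIN "):].rstrip("-")
    if label == _ENCRYPTED_LABEL:
        return "encrypted"
    if label in _PLAIN_LABELS:
        if any(l.startswith("Proc-Type:") and "ENCRYPTED" in l for l in lines):
            return "encrypted"
        return "unencrypted"
    return "not-a-key"


def audit_key_file(path: Path) -> list:
    """Return a list of findings for one key file; an empty list means
    the key is passphrase-protected and only its owner can read it."""
    findings = []
    kind = classify_pem_key(path.read_text())
    if kind == "not-a-key":
        return [f"{path.name}: not a PEM private key"]
    if kind == "unencrypted":
        findings.append(f"{path.name}: UNENCRYPTED key, treat with care in transit")
    mode = stat.S_IMODE(path.stat().st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"{path.name}: mode {oct(mode)} readable by group/others, expected 0600")
    return findings


def audit_private_dir(private_dir: Path) -> dict:
    """Audit every *.key under pki/private; returns {filename: findings}."""
    return {p.name: audit_key_file(p) for p in sorted(private_dir.glob("*.key"))}


def demo_audit() -> dict:
    """Build a constructed pki/private/ tree in a temp dir and audit it.
    PEM bodies are placeholder text (assumption: not real keys)."""
    server_pem = ("-----BEGIN PRIVATE KEY-----\n"
                  "MIIEvQIBADANBgkqhkiG9w0BAQEFAASC\n"
                  "-----END PRIVATE KEY-----\n")                       # like 'nopass' output
    client_pem = ("-----BEGIN ENCRYPTED PRIVATE KEY-----\n"
                  "MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkq\n"
                  "-----END ENCRYPTED PRIVATE KEY-----\n")             # passphrase-protected
    legacy_pem = ("-----BEGIN RSA PRIVATE KEY-----\n"
                  "Proc-Type: 4,ENCRYPTED\n"
                  "DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF\n\n"
                  "MIIEowIBAAKCAQEA\n"
                  "-----END RSA PRIVATE KEY-----\n")                   # legacy encrypted form
    with tempfile.TemporaryDirectory() as tmp:
        private = Path(tmp) / "pki" / "private"
        private.mkdir(parents=True)
        # (contents, file mode): the third key is encrypted but world-readable.
        files = {"server1.key": (server_pem, 0o600),
                 "client1.key": (client_pem, 0o600),
                 "client2.key": (legacy_pem, 0o644)}
        for name, (pem, mode) in files.items():
            p = private / name
            p.write_text(pem)
            p.chmod(mode)
        return audit_private_dir(private)


if __name__ == "__main__":
    for name, findings in demo_audit().items():
        print(name, "OK" if not findings else "; ".join(findings))
```

Run it against a real tree with audit_private_dir(Path("pki/private")) before step 7; any finding mentioning UNENCRYPTED is exactly the server-key case the page warns about, and a mode finding means the key was already exposed to other local users before it was ever transported.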