Version 11 (modified by JoshC, 10 years ago)

keep client/server items together

EasyRSA v3 Insecure PKI Howto

This page is for people who want an "all-in-one" PKI. This is an INSECURE way to create your PKI. Be very sure you don't want to follow the more appropriate EasyRSA3 OpenVPN Howto before following this guide.

Why to avoid this

If you generate your PKI "all in one" you need to transport your private keys to your servers and clients. This means you are exposing the private keys to compromise and can no longer assure that they exist only on the target system. This reduces your security, and should be selected only when you understand the security trade-offs involved.

Why would you ever want this

If this is insecure, why is this useful?

Some people don't want a separate PKI directory for their CA, server, and client. These instructions might feel "easier" for people who are averse to creating 3 PKI directories and generating keys on their client & server and copying and pasting the request details to the CA system.

The method described here takes shortcuts to avoid transporting the request, but in return you must transport private keys instead. This is not ideal from a security standpoint, but advanced users may want this functionality for specific use-cases.

Procedure

If you want this, blindly copy the following procedure:

  1. Extract the EasyRSA v3 zip or tarball
  2. Create your PKI environment on your CA system (one-time operation) with:
    ./easyrsa init-pki
    
  3. Build the CA (one-time operation; the passphrase you set here is required for all later signing operations) with:
    ./easyrsa build-ca
    
  4. Build a server keypair, required for each server (key UNENCRYPTED -- TREAT WITH CARE) with:
    ./easyrsa build-server-full server1 nopass
    
    1. WARNING: if this key is ever accessed, the person with access will be able to impersonate your server
  5. Generate the server DH parameters (dh.pem; not security-sensitive) with:
    ./easyrsa gen-dh
    
  6. Send the server key and certificate (server1.key and server1.crt for the example above), ca.crt, and dh.pem to your server
    1. WARNING: if this key is ever cloned in transit, the person with access will be able to impersonate your server
  7. Build a client keypair, required for each client (key encrypted -- remember the passphrase and TREAT IT WITH CARE) with:
    ./easyrsa build-client-full client1
    
    1. WARNING: if this key is ever accessed, the person with access can attempt a passphrase search or brute-force attack on the key. If successful, the attacker will be able to impersonate your client
  8. Send the client key and certificate (client1.key and client1.crt for the example above), and ca.crt to your client.
    1. WARNING: if this key is ever cloned in transit, the person with access can attempt a passphrase search or brute-force attack on the key. If successful, the attacker will be able to impersonate your client
    2. WARNING: you must send the recipient of the client key the passphrase used to create it. If an attacker is able to gain access to both the passphrase and the encrypted key, they will be able to impersonate your client
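
The whole procedure above, wrapped in a POSIX shell script together with the checks an operator should run before any private key leaves the CA machine. This is an added example, not code from the EasyRSA project or from this wiki page. It assumes the easyrsa script is in the current directory and that the PKI lives in ./pki with EasyRSA v3's default layout (pki/private/NAME.key, pki/issued/NAME.crt, pki/ca.crt, pki/dh.pem); the names server1 and client1 are the example names used above, and the check_bundle function assumes an openssl binary is on the PATH.

```shell
#!/bin/sh
# Added example (not part of EasyRSA or this wiki page): run the all-in-one
# procedure and verify the artifacts before transporting them.
# Assumptions: ./easyrsa exists, PKI is ./pki (EasyRSA v3 default layout),
# server1/client1 are the example entity names, openssl is on the PATH.
set -eu

# Return 0 if a PEM private key carries an encryption marker, 1 otherwise.
# Covers both PKCS#8 ("BEGIN ENCRYPTED PRIVATE KEY") and legacy
# ("Proc-Type: 4,ENCRYPTED") formats, since both contain the word ENCRYPTED.
key_is_encrypted() {
    grep -q -e 'ENCRYPTED' "$1"
}

# Return 0 if the file has no group/other permission bits (mode 0600 or
# stricter); uses ls -l columns 5-10 for portability across stat variants.
mode_is_private() {
    perms=$(ls -l "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Print the files that must travel to a server, one per line (step 6).
server_bundle() {
    printf '%s\n' "pki/private/$1.key" "pki/issued/$1.crt" pki/ca.crt pki/dh.pem
}

# Print the files that must travel to a client, one per line (step 8).
client_bundle() {
    printf '%s\n' "pki/private/$1.key" "pki/issued/$1.crt" pki/ca.crt
}

# Pre-transport sanity check: the key exists, is owner-readable only, a client
# key is encrypted (build-client-full without nopass), and the certificate
# chains to our own CA.  Returns non-zero with a message on any failure.
check_bundle() {   # $1 = server|client, $2 = entity name
    role=$1; name=$2
    key="pki/private/$name.key"
    crt="pki/issued/$name.crt"
    [ -f "$key" ] || { echo "missing $key" >&2; return 1; }
    mode_is_private "$key" || { echo "$key is readable by group/others" >&2; return 1; }
    if [ "$role" = client ]; then
        key_is_encrypted "$key" || { echo "$key is NOT encrypted" >&2; return 1; }
    fi
    openssl verify -CAfile pki/ca.crt "$crt" >/dev/null
}

# Steps 2-7 of the procedure, then the checks, then the lists of files to ship.
build_all() {
    ./easyrsa init-pki
    ./easyrsa build-ca                       # prompts for the CA passphrase
    ./easyrsa build-server-full server1 nopass
    ./easyrsa gen-dh
    ./easyrsa build-client-full client1      # prompts for the client key passphrase
    check_bundle server server1
    check_bundle client client1
    echo "Files to transport to server1:"; server_bundle server1
    echo "Files to transport to client1:"; client_bundle client1
}

# Only run the interactive build when explicitly asked: ./insecure-pki.sh run
if [ "${1:-}" = run ]; then
    build_all
fi
```

The check functions are deliberately separate from build_all so they can be run again on the CA host later (for example before re-sending a bundle to a replacement server); a key that fails mode_is_private or, for a client, key_is_encrypted should not be transported at all.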

Supporting additional clients

If you have another client, repeat the client steps above (steps 7 and 8: build the client keypair, then send the files). Note that you need to use a unique name, so "client2" instead of "client1" for example.

Supporting additional servers

If you have additional servers, repeat the server steps above (steps 4 and 6: build the server keypair, then send the files). Note that you need to use a unique name, so "server2" instead of "server1" for example.