Changes between Initial Version and Version 1 of EasyRSA3-OpenVPN-Howto

11/25/13 20:33:08 (10 years ago)

= Easyrsa3 OpenVPN Howto =

This page is quite limited now; expansion is needed.

== Process Overview ==

The best way to create a PKI for OpenVPN is to separate your CA duty from each server & client. The CA should ideally be on a secure environment (whatever that means to you.) Loss/theft of the CA key destroys the security of the entire PKI.

== Separate CA system procedure ==

Pick a location for the CA and each entity that will be assigned certs. All keypair/request generation should occur on the target system that will use them; put another way, generate each client's and server's keypair on that client or server for best security, so that no private key ever has to leave the system that uses it.

You will end up with the following locations used in the steps below:

 CA:: your secured CA environment
 entity:: each client and server has their own, separate environment

 1. On the CA, start a new PKI and build a CA keypair/cert:
{{{
./easyrsa init-pki
./easyrsa build-ca
}}}
 2. On each entity, generate a keypair and request. The name selected must be unique across the PKI and is otherwise arbitrary. Create a new PKI and request as follows:
{{{
./easyrsa init-pki
./easyrsa gen-req UNIQUE_NAME_HERE
}}}
 3. Send the request files from each entity to the CA system. This is not security sensitive (a request contains only the public key), though it is wise to verify the received file matches the sender's copy if the transport is untrusted.
 4. On the CA, import each entity request file, giving it an arbitrary "short name" as follows. Optionally, the imported request details can be displayed after importing. This basically just copies the request file into `reqs/` under the PKI dir.
{{{
./easyrsa import-req /path/to/received.req UNIQUE_SHORT_FILE_NAME
}}}
 5. Optionally review the request details, then sign it as one of the types: server or client. Additional types may be defined on a PKI or site-wide basis (consult advanced docs.)
   A. (optional) review the request:
{{{
./easyrsa show-req UNIQUE_SHORT_FILE_NAME
}}}
   B. Sign as a client:
{{{
./easyrsa sign client UNIQUE_SHORT_FILE_NAME
}}}
   C. Sign as a server:
{{{
./easyrsa sign server UNIQUE_SHORT_FILE_NAME
}}}
 6. The CA returns the signed certificate, and includes the CA certificate unless the entity already has it. This can be done over an insecure channel, though the entity is encouraged to confirm the received CA cert is the genuine one if the transport is untrusted.
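As an added example that is not part of this howto or of the EasyRSA project, the script below runs the six steps above end to end for one entity, keeping the CA PKI and the entity PKI in separate directories so that no private key is ever copied between them. It assumes each location is a directory holding its own EasyRSA 3 checkout, so `./easyrsa` works there exactly as in the steps (the directories stand in for separate machines and the `cp` calls stand in for whatever transport you use between them); it also assumes the standard EasyRSA 3 PKI layout (`pki/reqs/NAME.req`, `pki/issued/NAME.crt`, `pki/ca.crt`) and `sha256sum` (or `shasum`) for the integrity checks of steps 3 and 6. The `easyrsa` subcommands are the ones the howto lists, unchanged.

```sh
#!/bin/sh
# Added example, not part of the EasyRSA project or this howto. Drives the
# separate-CA procedure with the CA and the entity in different directories.
# Assumptions: each directory contains its own EasyRSA 3 checkout (so
# ./easyrsa works there), and the standard EasyRSA 3 layout pki/reqs/NAME.req,
# pki/issued/NAME.crt and pki/ca.crt.
set -eu

# Hex SHA-256 of a file; shasum is the fallback where sha256sum is missing.
file_digest() {
    { if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi; } \
        | cut -d' ' -f1
}

# Steps 3 and 6: a file that crossed an untrusted transport must match the
# digest the sender read out over a trusted channel. Returns 0 on match.
verify_transfer() {
    received="$1"
    expected="$2"
    actual=$(file_digest "$received")
    [ "$actual" = "$expected" ]
}

# Step 1, on the CA only. build-ca prompts for the CA key passphrase.
ca_init() {
    ( cd "$1" && ./easyrsa init-pki && ./easyrsa build-ca )
}

# Step 2, on the entity: its own PKI and a request named after it.
# The private key is written under $1/pki and never leaves that directory.
entity_request() {
    ( cd "$1" && ./easyrsa init-pki && ./easyrsa gen-req "$2" )
}

# Steps 4 and 5, on the CA: import under a short name, review, then sign as
# the given type (client or server).
ca_sign() {
    ( cd "$1" \
        && ./easyrsa import-req "$2" "$3" \
        && ./easyrsa show-req "$3" \
        && ./easyrsa sign "$4" "$3" )
}

# Whole procedure for one entity: $1 CA dir, $2 entity dir, $3 unique name,
# $4 type. cp stands in for the transport between the two machines.
issue_for_entity() {
    ca_dir="$1"; ent_dir="$2"; name="$3"; type="$4"

    entity_request "$ent_dir" "$name"
    req="$ent_dir/pki/reqs/$name.req"
    req_digest=$(file_digest "$req")                 # sender's copy, step 3

    cp "$req" "$ca_dir/received-$name.req"           # entity -> CA
    verify_transfer "$ca_dir/received-$name.req" "$req_digest" \
        || { echo "request for $name was altered in transit" >&2; return 1; }

    ca_sign "$ca_dir" "$ca_dir/received-$name.req" "$name" "$type"
    ca_digest=$(file_digest "$ca_dir/pki/ca.crt")    # CA operator's copy, step 6

    mkdir -p "$ent_dir/received"                     # CA -> entity
    cp "$ca_dir/pki/issued/$name.crt" "$ent_dir/received/$name.crt"
    cp "$ca_dir/pki/ca.crt" "$ent_dir/received/ca.crt"
    verify_transfer "$ent_dir/received/ca.crt" "$ca_digest" \
        || { echo "CA certificate received by $name does not match" >&2; return 1; }
    echo "issued $type certificate for $name"
}

# Usage: script.sh init-ca CA_DIR
#        script.sh issue CA_DIR ENTITY_DIR UNIQUE_NAME client|server
# With no arguments the script only defines the functions above.
case "${1:-}" in
    init-ca) ca_init "$2" ;;
    issue)   issue_for_entity "$2" "$3" "$4" "$5" ;;
    "")      ;;
    *)       echo "usage: $0 init-ca CA_DIR | issue CA_DIR ENTITY_DIR NAME client|server" >&2
             exit 2 ;;
esac
```

Run `init-ca` once on the CA, then `issue` once per client or server. In real use the two digests are not passed through the script but read out by the sender over a channel the receiver trusts (a phone call, a signed message); the script only shows where in the procedure each comparison belongs and that a mismatch must stop the flow before `import-req` or before the entity trusts `ca.crt`.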