Changes between Version 9 and Version 10 of EasyRSA3-OpenVPN-Howto
- Timestamp:
- 12/17/13 23:08:29 (10 years ago)
Legend:
- Unmodified
- Added
- Removed
- Modified
-
EasyRSA3-OpenVPN-Howto
v9 v10 19 19 == PKI procedure: using a separate CA system == 20 20 21 Pick locations for the CA and each entity that will be assigned certs. All keypair/request generation should occur on the target system that will use them; put another way, generate your client & server requests/keys on each system for best security.21 Pick locations for the CA and each entity that will be assigned certs. All keypair/request generation should occur on the target system that will use them; put another way, generate a server request on the actual server system, and your client requests on each client. 22 22 23 23 You will end up with the following locations used in the steps below: 24 24 25 CA:: your secured CA environment 26 entity:: each client and server has their own, separate environment; this will usually include at least 2 locations, one for the server and another for your client (on their respective machines.) 25 CA:: your secured CA environment; this will be on a separate system, or at least a separate directory from anything else 26 server:: each server has a unique directory for its own key & request (on the actual server system) 27 entity:: each client has a unique directory for its own key & request (on the actual client system) 27 28 28 29 1. On the CA, start a new PKI and build a CA keypair/cert: … … 32 33 }}} 33 34 34 2. On each entity, generate a keypair and request. The name selected must be unique across the PKI and is otherwise arbitrary. Create a new PKI and request as follows: 35 2. On each server system, generate a keypair and request. Normally these are left unencrypted by using the "nopass" argument since servers usually start up without any password input. This generates an '''unencrypted''' key, so protect its access and file permissions carefully. 36 {{{ 37 ./easyrsa init-pki 38 ./easyrsa gen-req SERVER_COMMON_NAME 39 }}} 40 41 3. On each client, generate a keypair and request. The name selected must be unique across the PKI and is otherwise arbitrary. Create a new PKI and request on each client as follows: 35 42 {{{ 36 43 ./easyrsa init-pki 37 44 ./easyrsa gen-req UNIQUE_NAME_HERE 38 45 }}} 39 A. Optionally, the private key can be left unencrypted on-disk with the additional `nopass` option after the name. This is '''not''' recommended unless automated VPN startup is required ; you may want this for your server keys, so keep this in mind. Unencrypted private keys can be used by anyone who obtains a copy of the file. Encrypted keys offer stronger protection, but will require the passphrase on initial use.46 A. Optionally, the private key can be left unencrypted on-disk with the additional `nopass` option after the name. This is '''not''' recommended unless automated VPN startup is required. Unencrypted private keys can be used by anyone who obtains a copy of the file. Encrypted keys offer stronger protection, but will require the passphrase on initial use. 40 47 41 3. Send the request files from each entity to the CA system. This is not security sensitive, though it is wise to verify the received file matches the sender's copy if the transport is untrusted.48 4. Send the request files from each entity to the CA system. This is not security sensitive, though it is wise to verify the received file matches the sender's copy if the transport is untrusted. 42 49 43 4. On the CA, import each entity request file, giving it an arbitrary "short name" as follows. Optionally, the imported request details can be displayed after importing. This basically just copies the request file into `reqs/` under the PKI dir.50 5. On the CA, import each entity request file, giving it an arbitrary "short name" as follows. Optionally, the imported request details can be displayed after importing. This basically just copies the request file into `reqs/` under the PKI dir. 44 51 {{{ 45 52 ./easyrsa import-req /path/to/received.req UNIQUE_SHORT_FILE_NAME 46 53 }}} 47 54 48 5. Optionally review the request details, then sign it as one of the types: server or client. Additional types may be defined on a PKI or site-wide basis (consult advanced docs.) 55 6. Review the request details if you wish, then sign it as one of the types: server or client. 49 56 A. (optional) review the request: 50 57 {{{ … … 60 67 }}} 61 68 62 6. The CA returns the signed certificate, and includes the CA certificate unless the client already has it. This can be done over an insecure channel, though the client is encouraged to confirm the received CA cert is valid if the transport is untrusted.69 7. The CA returns the signed certificate, and includes the CA certificate unless the client already has it. This can be done over an insecure channel, though the client is encouraged to confirm the received CA cert is valid if the transport is untrusted. 63 70 64 71 == DH Generation == 65 72 66 On the PKI for the OpenVPN server, this command will generate DH parameters used during the TLS handshake with connecting clients. The DH params are not security sensitive .73 On the PKI for the OpenVPN server, this command will generate DH parameters used during the TLS handshake with connecting clients. The DH params are not security sensitive and are used only by an OpenVPN server. 67 74 68 75 {{{