Changes between Version 9 and Version 10 of EasyRSA3-OpenVPN-Howto


Timestamp: 12/17/13 23:08:29 (10 years ago)
Author: JoshC
Comment:

separate server/client generation steps

  • EasyRSA3-OpenVPN-Howto

    v9 v10  
    1919== PKI procedure: using a separate CA system ==
    2020
    21 Pick locations for the CA and each entity that will be assigned certs. All keypair/request generation should occur on the target system that will use them; put another way, generate your client & server requests/keys on each system for best security.
     21Pick locations for the CA and each entity that will be assigned certs. All keypair/request generation should occur on the target system that will use them; put another way, generate a server request on the actual server system, and your client requests on each client.
    2222
    2323You will end up with the following locations used in the steps below:
    2424
    25  CA:: your secured CA environment
    26  entity:: each client and server has their own, separate environment; this will usually include at least 2 locations, one for the server and another for your client (on their respective machines.)
     25 CA:: your secured CA environment; this will be on a separate system, or at least a separate directory from anything else
     26 server:: each server has a unique directory for its own key & request (on the actual server system)
     27 entity:: each client has a unique directory for its own key & request (on the actual client system)
    2728
    28291. On the CA, start a new PKI and build a CA keypair/cert:
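Review bot: the location list now redefines "entity" as client-only while the later steps keep using it as the collective term, e.g. "Send the request files from each entity to the CA system" and "import each entity request file", which in v10 must cover both servers and clients. Either label the third entry `client::` and leave "entity" as the generic word, or change those steps to "each server and client". Also, "or at least a separate directory from anything else" for the CA reads as an equal alternative to a separate system; since the same list tells readers to keep server and client keys on their own machines, it is worth stating that a separate system is the recommended form and the shared-directory case is the fallback.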
     
    3233}}}
    3334
    34 2. On each entity, generate a keypair and request. The name selected must be unique across the PKI and is otherwise arbitrary. Create a new PKI and request as follows:
     352. On each server system, generate a keypair and request. Normally these are left unencrypted by using the "nopass" argument since servers usually start up without any password input. This generates an '''unencrypted''' key, so protect its access and file permissions carefully.
     36{{{
     37./easyrsa init-pki
     38./easyrsa gen-req SERVER_COMMON_NAME
     39}}}
     40
     413. On each client, generate a keypair and request. The name selected must be unique across the PKI and is otherwise arbitrary. Create a new PKI and request on each client as follows:
    3542{{{
    3643./easyrsa init-pki
    3744./easyrsa gen-req UNIQUE_NAME_HERE
    3845}}}
    39   A. Optionally, the private key can be left unencrypted on-disk with the additional `nopass` option after the name. This is '''not''' recommended unless automated VPN startup is required; you may want this for your server keys, so keep this in mind. Unencrypted private keys can be used by anyone who obtains a copy of the file. Encrypted keys offer stronger protection, but will require the passphrase on initial use.
     46  A. Optionally, the private key can be left unencrypted on-disk with the additional `nopass` option after the name. This is '''not''' recommended unless automated VPN startup is required. Unencrypted private keys can be used by anyone who obtains a copy of the file. Encrypted keys offer stronger protection, but will require the passphrase on initial use.
    4047
    41 3. Send the request files from each entity to the CA system. This is not security sensitive, though it is wise to verify the received file matches the sender's copy if the transport is untrusted.
     484. Send the request files from each entity to the CA system. This is not security sensitive, though it is wise to verify the received file matches the sender's copy if the transport is untrusted.
    4249
    43 4. On the CA, import each entity request file, giving it an arbitrary "short name" as follows. Optionally, the imported request details can be displayed after importing. This basically just copies the request file into `reqs/` under the PKI dir.
     505. On the CA, import each entity request file, giving it an arbitrary "short name" as follows. Optionally, the imported request details can be displayed after importing. This basically just copies the request file into `reqs/` under the PKI dir.
    4451{{{
    4552./easyrsa import-req /path/to/received.req UNIQUE_SHORT_FILE_NAME
    4653}}}
    4754
    48 5. Optionally review the request details, then sign it as one of the types: server or client. Additional types may be defined on a PKI or site-wide basis (consult advanced docs.)
     556. Review the request details if you wish, then sign it as one of the types: server or client.
    4956  A. (optional) review the request:
    5057{{{
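Review bot: the new server step 2 and its command block disagree: the paragraph says server keys are normally generated unencrypted with the "nopass" argument, but the block shows `./easyrsa gen-req SERVER_COMMON_NAME` without it, so a reader following the block gets a passphrase prompt and an encrypted key. Either show `./easyrsa gen-req SERVER_COMMON_NAME nopass` or say explicitly that `nopass` is appended after the name, the way the client step's sub-item A does. Keep the sentence about protecting the unencrypted key's access and file permissions next to that command, since it is the warning the `nopass` form earns.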
     
    6067}}}
    6168
    62 6. The CA returns the signed certificate, and includes the CA certificate unless the client already has it. This can be done over an insecure channel, though the client is encouraged to confirm the received CA cert is valid if the transport is untrusted.
     697. The CA returns the signed certificate, and includes the CA certificate unless the client already has it. This can be done over an insecure channel, though the client is encouraged to confirm the received CA cert is valid if the transport is untrusted.
    6370
    6471== DH Generation ==
    6572
    66 On the PKI for the OpenVPN server, this command will generate DH parameters used during the TLS handshake with connecting clients. The DH params are not security sensitive.
     73On the PKI for the OpenVPN server, this command will generate DH parameters used during the TLS handshake with connecting clients. The DH params are not security sensitive and are used only by an OpenVPN server.
    6774
    6875{{{
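Review bot: "not security sensitive" in the DH paragraph is ambiguous; the point being made is that the parameters are not secret, so "not secret and may be shared freely" states it without suggesting the step is optional. Since the added clause says the params are used only by the OpenVPN server, naming the PKI directory they belong in (the server's own, from step 2) would tie this section to the per-system layout introduced above.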