| | 84 | |
| | 85 | == PKI procedure: Producing your complete PKI on the CA machine == |
| | 86 | |
| | 87 | It is most common for beginners to produce a complete PKI on one machine and then distribute the files as needed. If you have followed the steps above and already have a partial PKI then make sure you do not over write it. The simplest approach is to make a complete copy of Easyrsa3 in a new folder. |
| | 88 | |
| | 89 | Starting with a fresh copy of Easyrsa3 follow these steps: |
| | 90 | |
| | 91 | Copy the file `vars.example` to file named `vars` and open `vars` for editing. |
| | 92 | Read through `vars` for instructions on what to edit. |
| | 93 | For example, you can chose if your PKI will use RSA or Elliptic Curve cryptography. |
| | 94 | Save your changes and close `vars`. |
| | 95 | |
| | 96 | Initialise your PKI: |
| | 97 | {{{ |
| | 98 | ./easyrsa init-pki |
| | 99 | }}} |
| | 100 | Create your CA: |
| | 101 | {{{ |
| | 102 | ./easyrsa build-ca |
| | 103 | }}} |
| | 104 | Option `nopass` can be used to disable password locking the CA. |
| | 105 | |
| | 106 | Build a server certificate and key: |
| | 107 | {{{ |
| | 108 | ./easyrsa build-server-full <SERVER_NAME> |
| | 109 | }}} |
| | 110 | Replace `<SERVER_NAME>` with your server name. eg. `Server-01` [[br]] |
| | 111 | Option `nopass` can be used to disable password locking the key. [[br]] |
| | 112 | |
| | 113 | Build a client certificate and key: |
| | 114 | {{{ |
| | 115 | ./easyrsa build-client-full <CLIENT_NAME> |
| | 116 | }}} |
| | 117 | Replace `<CLIENT_NAME>` with your client name. eg. `Client-01` or `alice` [[br]] |
| | 118 | Option `nopass` can be used to disable password locking the key. [[br]] |
| | 119 | Repeat for all clients. [[br]] |
| | 120 | |
| | 121 | Using this method, server and client keys must be distributed over a secure medium, such as using SFTP. |
| | 122 | |
| | 123 | Finally, you can use [https://github.com/TinCanTech/easy-tls Easy-TLS] to add the finishing touches to your PKI. |
| | 124 | |
| | 125 | |
| | 126 | Download `easytls` to your current EasyRSA-3 working directory and follow these steps: |
| | 127 | |
| | 128 | Initialise Easy-TLS: |
| | 129 | {{{ |
| | 130 | ./easytls init-tls |
| | 131 | }}} |
| | 132 | This creates a directory called `easytls` in your current PKI directory (Default: `pki/easytls`) |
| | 133 | |
| | 134 | Create a TLS-AUTH key: |
| | 135 | {{{ |
| | 136 | ./easytls build-tls-auth |
| | 137 | }}} |
| | 138 | |
| | 139 | Create a TLS-CRYPT key: |
| | 140 | {{{ |
| | 141 | ./easytls build-tls-crypt |
| | 142 | }}} |
| | 143 | |
| | 144 | Create a TLS-CRYPT-V2 server key: |
| | 145 | {{{ |
| | 146 | ./easytls build-tls-crypt-v2-server <SERVER_NAME> |
| | 147 | }}} |
| | 148 | This key **must** be kept secure. |
| | 149 | Create a TLS-CRYPT-V2 client key: |
| | 150 | {{{ |
| | 151 | ./easytls build-tls-crypt-v2-client <SERVER_NAME> <CLIENT_NAME> |
| | 152 | }}} |
| | 153 | The Server key is used to encrypt the client key which is why the server key must also be specified. |
| | 154 | |
| | 155 | Now Easy-TLS can create `.inline` files for each of your VPN nodes. |
| | 156 | |
| | 157 | Depending on which type of TLS key you are using (TLS auth, crypt or crypt-v2) build an inline file: |
| | 158 | {{{ |
| | 159 | ./easytls inline-tls-auth Server-01 |
| | 160 | }}} |
| | 161 | Repeat for all your VPN nodes. [[br]] |
| | 162 | |
| | 163 | If you used the first method to build your PKI and do not have access to the keys of each of your nodes then you can still use Easy-TLS to build `.inline` files by using the option `nokey`. This will build `.inline` files which leave the inline `<key></key>` field blank so that the key can be pasted in by the respective user. |
