Changes between Version 15 and Version 16 of EasyRSA3-OpenVPN-Howto


Ignore:
Timestamp:
10/28/20 15:11:18 (4 months ago)
Author:
tincantech
Comment:

--

Legend:

Unmodified
Added
Removed
Modified
  • EasyRSA3-OpenVPN-Howto

    v15 v16  
    8282./easyrsa gen-dh
    8383}}}
     84
     85== PKI procedure: Producing your complete PKI on the CA machine ==
     86
     87It is most common for beginners to produce a complete PKI on one machine and then distribute the files as needed.  If you have followed the steps above and already have a partial PKI then make sure you do not over write it.  The simplest approach is to make a complete copy of Easyrsa3 in a new folder.
     88
     89Starting with a fresh copy of Easyrsa3 follow these steps:
     90
     91Copy the file `vars.example` to file named `vars` and open `vars` for editing.
     92Read through `vars` for instructions on what to edit.
     93For example, you can chose if your PKI will use RSA or Elliptic Curve cryptography.
     94Save your changes and close `vars`.
     95
     96Initialise your PKI:
     97{{{
     98./easyrsa init-pki
     99}}}
     100Create your CA:
     101{{{
     102./easyrsa build-ca
     103}}}
     104  Option `nopass` can be used to disable password locking the CA.
     105
     106Build a server certificate and key:
     107{{{
     108./easyrsa build-server-full <SERVER_NAME>
     109}}}
     110  Replace `<SERVER_NAME>` with your server name.  eg. `Server-01` [[br]]
     111  Option `nopass` can be used to disable password locking the key. [[br]]
     112
     113Build a client certificate and key:
     114{{{
     115./easyrsa build-client-full <CLIENT_NAME>
     116}}}
     117  Replace `<CLIENT_NAME>` with your client name.  eg. `Client-01` or `alice` [[br]]
     118  Option `nopass` can be used to disable password locking the key. [[br]]
     119  Repeat for all clients. [[br]]
     120
     121Using this method, server and client keys must be distributed over a secure medium, such as using SFTP.
     122
     123Finally, you can use [https://github.com/TinCanTech/easy-tls Easy-TLS] to add the finishing touches to your PKI.
     124
     125
     126Download `easytls` to your current EasyRSA-3 working directory and follow these steps:
     127
     128Initialise Easy-TLS:
     129{{{
     130./easytls init-tls
     131}}}
     132  This creates a directory called `easytls` in your current PKI directory (Default: `pki/easytls`)
     133
     134Create a TLS-AUTH key:
     135{{{
     136./easytls build-tls-auth
     137}}}
     138
     139Create a TLS-CRYPT key:
     140{{{
     141./easytls build-tls-crypt
     142}}}
     143
     144Create a TLS-CRYPT-V2 server key:
     145{{{
     146./easytls build-tls-crypt-v2-server <SERVER_NAME>
     147}}}
     148  This key **must** be kept secure.
     149Create a TLS-CRYPT-V2 client key:
     150{{{
     151./easytls build-tls-crypt-v2-client <SERVER_NAME> <CLIENT_NAME>
     152}}}
     153  The Server key is used to encrypt the client key which is why the server key must also be specified.
     154
     155Now Easy-TLS can create `.inline` files for each of your VPN nodes.
     156
     157Depending on which type of TLS key you are using (TLS auth, crypt or crypt-v2) build an inline file:
     158{{{
     159./easytls inline-tls-auth Server-01
     160}}}
     161  Repeat for all your VPN nodes. [[br]]
     162
     163If you used the first method to build your PKI and do not have access to the keys of each of your nodes then you can still use Easy-TLS to build `.inline` files by using the option `nokey`.  This will build `.inline` files which leave the inline `<key></key>` field blank so that the key can be pasted in by the respective user.