Changes between Version 15 and Version 16 of EasyRSA3-OpenVPN-Howto

10/28/20 15:11:18 (4 months ago)



  • EasyRSA3-OpenVPN-Howto

./easyrsa gen-dh
== PKI procedure: Producing your complete PKI on the CA machine ==
It is most common for beginners to produce a complete PKI on one machine and then distribute the files as needed.  If you have followed the steps above and already have a partial PKI then make sure you do not overwrite it.  The simplest approach is to make a complete copy of Easyrsa3 in a new folder.

Starting with a fresh copy of Easyrsa3 follow these steps:

Copy the file `vars.example` to a file named `vars` and open `vars` for editing.
Read through `vars` for instructions on what to edit.
For example, you can choose whether your PKI will use RSA or Elliptic Curve cryptography.
Save your changes and close `vars`.
Initialise your PKI:

./easyrsa init-pki

Create your CA:

./easyrsa build-ca

  Option `nopass` can be used to disable password locking the CA.

Build a server certificate and key:

./easyrsa build-server-full <SERVER_NAME>

  Replace `<SERVER_NAME>` with your server name, e.g. `Server-01` [[br]]
  Option `nopass` can be used to disable password locking the key. [[br]]

Build a client certificate and key:

./easyrsa build-client-full <CLIENT_NAME>

  Replace `<CLIENT_NAME>` with your client name, e.g. `Client-01` or `alice` [[br]]
  Option `nopass` can be used to disable password locking the key. [[br]]
  Repeat for all clients. [[br]]

Using this method, server and client keys must be distributed over a secure medium, such as using SFTP.
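The steps above gathered into one script, as an added example that is not the howto's or the EasyRSA project's own code. It refuses to run when a `pki/` directory already exists (so a partial PKI is never overwritten), keeps the passphrase on the CA while building the server and client keys with `nopass`, checks that certificate names are safe to use as file names, and builds a batch of clients in one go. `EASYRSA`, `DRY_RUN`, `valid_name`, `pki_is_fresh` and `build_pki` are this example's own names; `DRY_RUN=1` prints the command plan instead of running it.

```shell
#!/bin/sh
# Added example (not EasyRSA's own code): drive the "complete PKI on the
# CA machine" procedure from a script with an overwrite guard.
#
# Assumptions (this example's, not the howto's): EASYRSA points at the
# easyrsa script inside a fresh Easyrsa3 copy; DRY_RUN=1 prints each
# command instead of executing it so the plan can be reviewed first.

EASYRSA="${EASYRSA:-./easyrsa}"
DRY_RUN="${DRY_RUN:-0}"

# Execute one command, or print it when dry-running.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Certificate names become file names under pki/, so only accept a
# conservative character set (letters, digits, '-', '_', '.') and no
# leading dot.
valid_name() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*|.*) return 1 ;;
        *) return 0 ;;
    esac
}

# The howto says an existing partial PKI must not be overwritten: succeed
# only if DIR holds no pki/ directory yet.
pki_is_fresh() {
    [ ! -e "${1:-.}/pki" ]
}

# build_pki SERVER_NAME CLIENT_NAME...
# The CA keeps its passphrase (no 'nopass'); server and client keys are
# built with 'nopass' so the VPN daemons can start unattended. Remove that
# word below if those keys should be passphrase-protected as well.
build_pki() {
    server="$1"; shift
    pki_is_fresh "$PWD" || { echo "refusing to overwrite existing pki/ in $PWD" >&2; return 1; }
    valid_name "$server" || { echo "bad server name: $server" >&2; return 1; }
    for client in "$@"; do
        valid_name "$client" || { echo "bad client name: $client" >&2; return 1; }
    done

    run "$EASYRSA" init-pki
    run "$EASYRSA" build-ca
    run "$EASYRSA" build-server-full "$server" nopass
    for client in "$@"; do
        run "$EASYRSA" build-client-full "$client" nopass
    done
}

# Usage from a fresh Easyrsa3 copy:
#   DRY_RUN=1 sh build-pki.sh      # review the plan
#   build_pki Server-01 alice bob  # then build for real
```

The name check matters because `build-server-full` and `build-client-full` write `pki/issued/<NAME>.crt` and `pki/private/<NAME>.key`; a name containing a slash or whitespace would produce surprising paths. The guard is deliberately simple: it looks for `pki/` in the current directory, which is exactly what `init-pki` would recreate.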
Finally, you can use [ Easy-TLS] to add the finishing touches to your PKI.

Download `easytls` to your current EasyRSA-3 working directory and follow these steps:

Initialise Easy-TLS:

./easytls init-tls

  This creates a directory called `easytls` in your current PKI directory (Default: `pki/easytls`)

Create a TLS-AUTH key:

./easytls build-tls-auth

Create a TLS-CRYPT key:

./easytls build-tls-crypt

Create a TLS-CRYPT-V2 server key:

./easytls build-tls-crypt-v2-server <SERVER_NAME>

  This key **must** be kept secure.
Create a TLS-CRYPT-V2 client key:

./easytls build-tls-crypt-v2-client <SERVER_NAME> <CLIENT_NAME>

  The server key is used to encrypt the client key, which is why the server key must also be specified.

Now Easy-TLS can create `.inline` files for each of your VPN nodes.

Depending on which type of TLS key you are using (TLS auth, crypt or crypt-v2) build an inline file:

./easytls inline-tls-auth Server-01

  Repeat for all your VPN nodes. [[br]]

If you used the first method to build your PKI and do not have access to the keys of each of your nodes then you can still use Easy-TLS to build `.inline` files by using the option `nokey`.  This will build `.inline` files which leave the inline `<key></key>` field blank so that the key can be pasted in by the respective user.
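What an `.inline` file actually contains, and what the `nokey` variant looks like, as an added example that is not Easy-TLS's own code: a client-side inline block is just the CA certificate, client certificate, client key and TLS key wrapped in OpenVPN's `<ca>`, `<cert>`, `<key>` and `<tls-auth>`/`<tls-crypt>`/`<tls-crypt-v2>` tags, plus `key-direction 1` when the key is a TLS-AUTH key. With `nokey` the `<key></key>` block is emitted empty so the client's owner can paste in a private key that never left their machine. The function names, file paths and the `KEYTYPE` argument are this example's assumptions; Easy-TLS's real output files are named and laid out differently, and server-side inline files are not covered here.

```shell
#!/bin/sh
# Added example (not Easy-TLS's own code): assemble a client-side OpenVPN
# '.inline' file from PKI files, optionally leaving the private key blank.

# Print the contents of FILE wrapped in the OpenVPN inline tag TAG.
inline_section() {
    tag="$1"; file="$2"
    printf '<%s>\n' "$tag"
    cat "$file"
    printf '</%s>\n' "$tag"
}

# build_inline KEYTYPE CA_CRT CLIENT_CRT CLIENT_KEY TLS_KEY [nokey]
# KEYTYPE is tls-auth, tls-crypt or tls-crypt-v2 (the three key kinds the
# howto builds). The trailing word 'nokey' leaves <key></key> empty, which
# is the behaviour the howto describes for Easy-TLS's 'nokey' option.
build_inline() {
    keytype="$1"; ca="$2"; cert="$3"; key="$4"; tlskey="$5"; mode="${6:-withkey}"
    case "$keytype" in
        tls-auth|tls-crypt|tls-crypt-v2) ;;
        *) echo "unknown key type: $keytype" >&2; return 1 ;;
    esac

    inline_section ca "$ca"
    inline_section cert "$cert"
    if [ "$mode" = "nokey" ]; then
        # Empty block: the user pastes their own private key here later.
        printf '<key>\n</key>\n'
    else
        inline_section key "$key"
    fi
    # tls-auth keys are directional; the client side uses direction 1.
    # tls-crypt and tls-crypt-v2 keys need no direction line.
    [ "$keytype" = "tls-auth" ] && printf 'key-direction 1\n'
    inline_section "$keytype" "$tlskey"
}

# Usage (paths are hypothetical):
#   build_inline tls-crypt-v2 pki/ca.crt pki/issued/alice.crt \
#       pki/private/alice.key pki/easytls/alice-tls-crypt-v2.key nokey > alice.inline
```

The output is meant to be appended to a client `.ovpn` that already carries `client`, `remote` and the cipher settings; with `nokey` the file can travel over any channel, since the only secret it carries is the per-client TLS key, which for TLS-CRYPT-V2 is bound to the server key as the howto describes.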