
== PKI procedure: Producing your complete PKI on the CA machine ==

It is most common for beginners to produce a complete PKI on one machine and then distribute the files as needed. If you have followed the steps above and already have a partial PKI, make sure you do not overwrite it. The simplest approach is to make a complete copy of Easyrsa3 in a new folder.

Starting with a fresh copy of Easyrsa3, follow these steps:

Copy the file `vars.example` to a file named `vars` and open `vars` for editing. [[br]]
Read through `vars` for instructions on what to edit. [[br]]
For example, you can choose whether your PKI will use RSA or Elliptic Curve cryptography. [[br]]
Save your changes and close `vars`.

Initialise your PKI:
{{{
./easyrsa init-pki
}}}
Create your CA:
{{{
./easyrsa build-ca
}}}
Option `nopass` can be used to disable password locking the CA. Without a password, anyone who can read `pki/private/ca.key` can issue certificates your servers will trust, so only use it on a CA machine that is kept offline or otherwise secured.

Build a server certificate and key:
{{{
./easyrsa build-server-full <SERVER_NAME>
}}}
Replace `<SERVER_NAME>` with your server name, e.g. `Server-01`. [[br]]
Option `nopass` can be used to disable password locking the key. [[br]]

Build a client certificate and key:
{{{
./easyrsa build-client-full <CLIENT_NAME>
}}}
Replace `<CLIENT_NAME>` with your client name, e.g. `Client-01` or `alice`. [[br]]
Option `nopass` can be used to disable password locking the key. [[br]]
Repeat for all clients. [[br]]

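Before the keys are distributed it is worth checking what EasyRSA produced: that each certificate chains to your `ca.crt`, that the key in `pki/private/` really belongs to the certificate in `pki/issued/`, and that a client certificate was not accidentally built as a server certificate (or vice versa). The script below is an added example written for this page; it is not part of EasyRSA or Easy-TLS. It assumes the default EasyRSA 3 layout (`pki/ca.crt`, `pki/issued/<NAME>.crt`, `pki/private/<NAME>.key`) and only needs the `openssl` command. The `make_demo_pki` helper is a stand-in that builds the same layout with plain `openssl` so the checks can be tried when `easyrsa` is not installed; in real use you point `verify_node` at the `pki/` directory the commands above created. The file name `verify-pki.sh` is hypothetical.

```shell
#!/bin/sh
# Added example (not from EasyRSA, Easy-TLS or this wiki page): sanity-check the
# files EasyRSA 3 produced before distributing them.
# Assumed layout (EasyRSA 3 defaults):
#   $PKI/ca.crt   $PKI/issued/<NAME>.crt   $PKI/private/<NAME>.key
# Needs the openssl CLI. A password-locked key will prompt for its passphrase.
set -eu

# verify_node PKI NAME ROLE   (ROLE is "server" or "client")
# Returns 0 when the certificate chains to ca.crt, the private key matches it,
# and its extendedKeyUsage fits the role the node will be deployed in.
verify_node() {
  pki=$1; name=$2; role=$3
  crt="$pki/issued/$name.crt"; key="$pki/private/$name.key"
  for f in "$pki/ca.crt" "$crt" "$key"; do
    [ -r "$f" ] || { echo "$name: missing $f" >&2; return 1; }
  done
  case $role in
    server) want='TLS Web Server Authentication' ;;
    client) want='TLS Web Client Authentication' ;;
    *) echo "unknown role: $role" >&2; return 2 ;;
  esac
  # 1. The certificate must validate against our CA.
  openssl verify -CAfile "$pki/ca.crt" "$crt" >/dev/null 2>&1 \
    || { echo "$name: does not chain to $pki/ca.crt" >&2; return 1; }
  # 2. The private key must belong to the certificate: compare public-key digests.
  pub_from_crt=$(openssl x509 -in "$crt" -noout -pubkey \
                 | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  pub_from_key=$(openssl pkey -in "$key" -pubout -outform DER | openssl dgst -sha256)
  [ "$pub_from_crt" = "$pub_from_key" ] \
    || { echo "$name: private key does not match certificate" >&2; return 1; }
  # 3. The EKU must match the role: a client cert must not pass as a server cert.
  openssl x509 -in "$crt" -noout -text | grep -q "$want" \
    || { echo "$name: certificate is not a $role certificate" >&2; return 1; }
  echo "$name: OK ($role)"
}

# make_demo_pki DIR: stand-in for the easyrsa commands when easyrsa is absent.
# Builds the same layout with plain openssl (constructed throwaway CA, one server,
# one client) so verify_node can be exercised offline.
make_demo_pki() {
  pki=$1
  mkdir -p "$pki/issued" "$pki/private"
  cat >"$pki/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[server_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[client_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 -config "$pki/demo.cnf" \
    -extensions ca_ext -subj "/CN=Demo CA" \
    -keyout "$pki/private/ca.key" -out "$pki/ca.crt" 2>/dev/null
  for spec in Server-01:server_ext Client-01:client_ext; do
    name=${spec%%:*}; ext=${spec##*:}
    openssl req -new -newkey rsa:2048 -nodes -config "$pki/demo.cnf" -subj "/CN=$name" \
      -keyout "$pki/private/$name.key" -out "$pki/$name.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$pki/$name.csr" -CA "$pki/ca.crt" \
      -CAkey "$pki/private/ca.key" -CAcreateserial -extfile "$pki/demo.cnf" \
      -extensions "$ext" -out "$pki/issued/$name.crt" 2>/dev/null
  done
}

# Stand-alone demo: `sh verify-pki.sh demo` builds a throwaway PKI and checks it.
if [ "${1:-}" = demo ]; then
  tmp=$(mktemp -d)
  make_demo_pki "$tmp"
  verify_node "$tmp" Server-01 server
  verify_node "$tmp" Client-01 client
  rm -rf "$tmp"
fi
```

Against a real EasyRSA tree the call is simply `verify_node pki Server-01 server` followed by one `verify_node pki <CLIENT_NAME> client` per client; the third check is the one that catches a `build-client-full` used where `build-server-full` was meant, which OpenVPN would otherwise only reveal at connect time.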
Using this method, server and client keys must be distributed to each node over a secure medium, such as SFTP.

Finally, you can use [https://github.com/TinCanTech/easy-tls Easy-TLS] to add the finishing touches to your PKI.

Download `easytls` to your current EasyRSA-3 working directory and follow these steps:

Initialise Easy-TLS:
{{{
./easytls init-tls
}}}
This creates a directory called `easytls` in your current PKI directory (default: `pki/easytls`).

Create a TLS-AUTH key:
{{{
./easytls build-tls-auth
}}}

Create a TLS-CRYPT key:
{{{
./easytls build-tls-crypt
}}}

Create a TLS-CRYPT-V2 server key:
{{{
./easytls build-tls-crypt-v2-server <SERVER_NAME>
}}}
This key **must** be kept secure.

Create a TLS-CRYPT-V2 client key:
{{{
./easytls build-tls-crypt-v2-client <SERVER_NAME> <CLIENT_NAME>
}}}
The server key is used to encrypt the client key, which is why the server key must also be specified.

Now Easy-TLS can create `.inline` files for each of your VPN nodes.

Depending on which type of TLS key you are using (TLS auth, crypt or crypt-v2), build an inline file:
{{{
./easytls inline-tls-auth Server-01
}}}
Repeat for all your VPN nodes. [[br]]

If you used the first method to build your PKI and do not have access to the keys of each of your nodes, you can still use Easy-TLS to build `.inline` files by using the option `nokey`. This builds `.inline` files which leave the inline `<key></key>` field blank so that the key can be pasted in by the respective user.
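To make concrete what an `.inline` file is and what the `nokey` option leaves out, here is an added example that assembles the OpenVPN inline blocks (`<ca>`, `<cert>`, `<key>` and the TLS key block) from an EasyRSA 3 tree. It is written for this page and is not Easy-TLS's own code or its exact output format; it assumes the default EasyRSA 3 layout (`pki/ca.crt`, `pki/issued/<NAME>.crt`, `pki/private/<NAME>.key`) and takes the TLS key file path as an argument, because where Easy-TLS stores a given key depends on the Easy-TLS version in use. `ROLE` decides the `key-direction` that an inline `tls-auth` key needs; `tls-crypt` and `tls-crypt-v2` keys are not directional.

```shell
#!/bin/sh
# Added example (not Easy-TLS's own code): assemble an OpenVPN inline config
# fragment from an EasyRSA 3 PKI, in the spirit of `easytls inline-*`.
# Assumed layout (EasyRSA 3 defaults):
#   $PKI/ca.crt   $PKI/issued/<NAME>.crt   $PKI/private/<NAME>.key
# The TLS key file (tls-auth, tls-crypt or tls-crypt-v2 key) is passed explicitly.
set -eu

# emit TAG FILE: wrap FILE in <TAG>...</TAG>, making sure the closing tag starts
# on its own line even when FILE has no trailing newline.
emit() {
  printf '<%s>\n' "$1"
  cat "$2"
  if [ -n "$(tail -c 1 "$2")" ]; then printf '\n'; fi
  printf '</%s>\n' "$1"
}

# build_inline PKI NAME ROLE TLS_TYPE TLS_KEY [nokey]
#   ROLE:     server | client          (sets key-direction for tls-auth)
#   TLS_TYPE: tls-auth | tls-crypt | tls-crypt-v2
#   nokey:    leave <key></key> empty, for nodes whose private key never left
#             them; the node's owner pastes their own key into the blank block.
# Writes the fragment to stdout; redirect it to <NAME>.inline.
build_inline() {
  pki=$1; name=$2; role=$3; tls_type=$4; tls_key=$5; mode=${6:-withkey}
  crt="$pki/issued/$name.crt"; key="$pki/private/$name.key"
  for f in "$pki/ca.crt" "$crt" "$tls_key"; do
    [ -r "$f" ] || { echo "$name: missing $f" >&2; return 1; }
  done
  case $role in
    server) direction=0 ;;
    client) direction=1 ;;
    *) echo "unknown role: $role" >&2; return 2 ;;
  esac
  printf '# %s (%s): inline PKI fragment\n' "$name" "$role"
  emit ca "$pki/ca.crt"
  emit cert "$crt"
  if [ "$mode" = nokey ]; then
    printf '<key>\n</key>\n'   # left blank on purpose: the owner pastes their key here
  else
    [ -r "$key" ] || { echo "$name: missing $key (did you mean nokey?)" >&2; return 1; }
    emit key "$key"
  fi
  case $tls_type in
    tls-auth)     emit tls-auth "$tls_key"; printf 'key-direction %s\n' "$direction" ;;
    tls-crypt)    emit tls-crypt "$tls_key" ;;
    tls-crypt-v2) emit tls-crypt-v2 "$tls_key" ;;
    *) echo "unknown TLS key type: $tls_type" >&2; return 2 ;;
  esac
}
```

Usage looks like `build_inline pki Server-01 server tls-crypt-v2 <path-to-server-tls-crypt-v2-key> > Server-01.inline`, and for a client built on its own machine `build_inline pki alice client tls-crypt-v2 <path-to-alice-tls-crypt-v2-key> nokey > alice.inline`. The `.inline` file then carries everything except what the `nokey` form deliberately omits, so the only secret that still has to travel is the one the node already holds.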