Version 7 (modified by JoshC, 10 years ago)

clarify separate locations better

Easyrsa3 OpenVPN Howto

This page is quite limited now; expansion is needed.

Process Overview

The best way to create a PKI for OpenVPN is to separate your CA duty from each server & client. The CA should ideally be kept in a secure environment (whatever that means to you). Loss or theft of the CA key destroys the security of the entire PKI, since anyone holding it can issue certificates that every server and client will trust.

Separate CA system procedure

Pick locations for the CA and each entity that will be assigned certs. All keypair/request generation should occur on the target system that will use them; put another way, generate your client & server requests/keys on each system for best security.

You will end up with the following locations used in the steps below:

CA: your secured CA environment
entity: each client and server has its own, separate environment; this will usually include at least 2 locations, one for the server and another for your client (on their respective machines).
  1. On the CA, start a new PKI and build a CA keypair/cert:
    ./easyrsa init-pki
    ./easyrsa build-ca
    
  2. On each entity, generate a keypair and request. The name selected must be unique across the PKI and is otherwise arbitrary. Create a new PKI and request as follows:
    ./easyrsa init-pki
    ./easyrsa gen-req UNIQUE_NAME_HERE
    
    1. Optionally, the private key can be left unencrypted on disk by adding the nopass option after the name. This is not recommended unless automated VPN startup is required; you may want this for your server keys, so keep it in mind. An unencrypted private key can be used by anyone who obtains a copy of the file. An encrypted key offers stronger protection but requires the passphrase on initial use.
  3. Send the request files from each entity to the CA system. The request is not security sensitive, though it is wise to verify that the received file matches the sender's copy if the transport is untrusted.
  4. On the CA, import each entity request file, giving it an arbitrary "short name" as follows. Optionally, the imported request details can be displayed after importing. This simply copies the request file into reqs/ under the PKI dir.
    ./easyrsa import-req /path/to/received.req UNIQUE_SHORT_FILE_NAME
    
  5. Optionally review the request details, then sign it as one of the types: server or client. Additional types may be defined on a PKI or site-wide basis (consult the advanced docs).
    1. (optional) review the request:
      ./easyrsa show-req UNIQUE_SHORT_FILE_NAME
      
    2. Sign as a client:
      ./easyrsa sign client UNIQUE_SHORT_FILE_NAME
      
    3. Sign as a server:
      ./easyrsa sign server UNIQUE_SHORT_FILE_NAME
      
  6. The CA returns the signed certificate, and includes the CA certificate unless the entity already has it. This can be done over an insecure channel, though the entity is encouraged to confirm that the received CA cert is valid if the transport is untrusted.
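The six steps above carried out end to end with the openssl command line, which is the tool easyrsa drives underneath. This is an added example, not Easy-RSA project code; it exists to show what each step does (where the keys live, what "import" is, how the server/client type ends up in the certificate, and what the out-of-band checks in steps 3 and 6 compare), not to replace the easyrsa commands. The directory layout, the "Example CA" name, the entity names vpn-server and alice, and the validity periods are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example, not Easy-RSA project code: the separated-location procedure
# above performed with the openssl CLI that easyrsa wraps. Directory names,
# "Example CA", the names vpn-server / alice and the -days values are assumptions.
set -eu

# Minimal openssl config so the example does not depend on the system openssl.cnf.
write_cnf() {                   # $1 = path to write
    printf '[req]\nprompt = no\ndistinguished_name = dn\n[dn]\nCN = placeholder\n[v3_ca]\nbasicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\n' > "$1"
}

# Step 1, CA location: fresh PKI layout plus a self-signed CA keypair/cert
# (what init-pki and build-ca produce). The CA key never leaves this directory.
build_ca() {                    # $1 = CA directory
    mkdir -p "$1/reqs" "$1/issued" "$1/private"
    write_cnf "$1/openssl.cnf"
    openssl req -x509 -config "$1/openssl.cnf" -extensions v3_ca \
        -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Example CA" \
        -keyout "$1/private/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# Step 2, entity location: its own PKI, private key and request (gen-req).
# -nodes leaves the key unencrypted on disk, i.e. the nopass choice discussed above.
gen_req() {                     # $1 = entity directory, $2 = unique name
    mkdir -p "$1/private" "$1/reqs"
    write_cnf "$1/openssl.cnf"
    openssl req -new -config "$1/openssl.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=$2" -keyout "$1/private/$2.key" -out "$1/reqs/$2.req" 2>/dev/null
}

# Step 3: the request is not secret, but sender and receiver compare this digest
# out of band when the transport is untrusted.
file_digest() {                 # $1 = file
    openssl dgst -sha256 -r "$1" | cut -d' ' -f1
}

# Step 4, CA location: import-req is just a copy into reqs/ under a short name.
import_req() {                  # $1 = CA dir, $2 = received request, $3 = short name
    cp "$2" "$1/reqs/$3.req"
}

# Step 5, CA location: sign as server or client. The type becomes an
# extendedKeyUsage value in the issued certificate.
sign_req() {                    # $1 = CA dir, $2 = server|client, $3 = short name
    case "$2" in
        server) eku=serverAuth ;;
        client) eku=clientAuth ;;
        *) echo "unknown cert type: $2" >&2; return 1 ;;
    esac
    printf 'basicConstraints = CA:FALSE\nkeyUsage = digitalSignature,keyEncipherment\nextendedKeyUsage = %s\n' "$eku" > "$1/$3.ext"
    openssl x509 -req -in "$1/reqs/$3.req" -CA "$1/ca.crt" -CAkey "$1/private/ca.key" \
        -CAcreateserial -days 825 -extfile "$1/$3.ext" -out "$1/issued/$3.crt" 2>/dev/null
    rm -f "$1/$3.ext"
}

# Step 6, entity location: compare the received CA cert's fingerprint with the
# value obtained out of band, then check that the issued cert chains to that CA.
ca_fingerprint() {              # $1 = CA certificate
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}
verify_issued() {               # $1 = trusted CA cert, $2 = issued cert
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}
cert_type() {                   # $1 = issued cert; prints server, client or unknown
    if openssl x509 -in "$1" -noout -text | grep -q 'TLS Web Server Authentication'; then
        echo server
    elif openssl x509 -in "$1" -noout -text | grep -q 'TLS Web Client Authentication'; then
        echo client
    else
        echo unknown
    fi
}

# Constructed end-to-end run: three scratch directories stand in for the CA,
# the server machine and the client machine. Prints the scratch root.
demo() {
    root=$(mktemp -d)
    ca="$root/ca"; srv="$root/server-host"; cli="$root/client-host"
    build_ca "$ca"
    gen_req "$srv" vpn-server
    gen_req "$cli" alice
    mkdir -p "$ca/inbox"                          # simulated transfer to the CA
    cp "$srv/reqs/vpn-server.req" "$ca/inbox/vpn-server.req"
    cp "$cli/reqs/alice.req" "$ca/inbox/alice.req"
    [ "$(file_digest "$ca/inbox/vpn-server.req")" = "$(file_digest "$srv/reqs/vpn-server.req")" ]
    import_req "$ca" "$ca/inbox/vpn-server.req" vpn-server
    import_req "$ca" "$ca/inbox/alice.req" alice
    sign_req "$ca" server vpn-server
    sign_req "$ca" client alice
    cp "$ca/ca.crt" "$srv/ca.crt"; cp "$ca/issued/vpn-server.crt" "$srv/vpn-server.crt"
    cp "$ca/ca.crt" "$cli/ca.crt"; cp "$ca/issued/alice.crt" "$cli/alice.crt"
    [ "$(ca_fingerprint "$srv/ca.crt")" = "$(ca_fingerprint "$ca/ca.crt")" ]
    verify_issued "$srv/ca.crt" "$srv/vpn-server.crt"
    verify_issued "$cli/ca.crt" "$cli/alice.crt"
    echo "$root"
}
```

Calling demo runs the whole flow in a scratch directory. The point to notice is the file movement: private keys are created in and never leave server-host and client-host, only the .req files travel to the CA, and only certificates travel back; the digest and fingerprint comparisons in demo are the checks steps 3 and 6 recommend, with the "out of band" value here simply read from the other directory.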