To create a new set of keys for OpenVPN using Easy-RSA, we first need to clean our environment and get ready for the build.
$ ./easyrsa init-pki
Now we need to build the certificate authority.
$ ./easyrsa build-ca nopass
Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
...........+++
.............................................+++
writing new private key to '/home/ubuntu/EasyRSA-3.0.0-rc2/pki/private/ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:WOPR

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/home/ubuntu/EasyRSA-3.0.0-rc2/pki/ca.crt
Now build the DH (Diffie-Hellman) parameters.
$ ./easyrsa gen-dh
And we can build the server keys.
$ ./easyrsa build-server-full john-server nopass
Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
..........................+++
...........................+++
writing new private key to '/home/ubuntu/EasyRSA-3.0.0-rc2/pki/private/john-server.key'
-----
Using configuration from /home/ubuntu/EasyRSA-3.0.0-rc2/openssl-1.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :PRINTABLE:'john-server'
Certificate is to be certified until May 22 01:26:02 2025 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated
And I build one client key for myself.
$ ./easyrsa build-client-full john-client nopass
Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
..............................+++
..................................+++
writing new private key to '/home/ubuntu/EasyRSA-3.0.0-rc2/pki/private/john-client.key'
-----
Using configuration from /home/ubuntu/EasyRSA-3.0.0-rc2/openssl-1.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :PRINTABLE:'john-client'
Certificate is to be certified until May 22 01:28:13 2025 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated
I am generating a certificate request here.
$ ./easyrsa gen-req john-req nopass
Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
.....+++
........................................................+++
writing new private key to '/home/ubuntu/EasyRSA-3.0.0-rc2/pki/private/john-req.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [john-req]:John1

Keypair and certificate request completed. Your files are:
req: /home/ubuntu/EasyRSA-3.0.0-rc2/pki/reqs/john-req.req
key: /home/ubuntu/EasyRSA-3.0.0-rc2/pki/private/john-req.key
Now I need to add a passphrase to the server key.
$ ./easyrsa set-rsa-pass john-server
Note: using Easy-RSA configuration from: ./vars

If the key is currently encrypted you must supply the decryption passphrase.
You will then enter a new PEM passphrase for this key.

writing RSA key
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:

Key passphrase successfully changed
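The steps above, collected into one script as an added example (this is not code from the tutorial or from the Easy-RSA project). It runs the same Easy-RSA 3 commands without the interactive DN prompts and then audits what came out before any of it is copied to a server: private keys are passphrase-protected and owner-only, the DH file exists, both certificates verify against the CA, and the server and client certificates carry the Extended Key Usage Easy-RSA assigns to their type. It assumes it is run from the Easy-RSA directory with `openssl` on PATH, uses the tutorial's names (`pki/`, CA common name `WOPR`, `john-server`, `john-client`), and relies on the Easy-RSA 3 options `--batch` and `--req-cn`; `set-rsa-pass` still prompts for the passphrase exactly as in the tutorial. Because the tutorial's CA was created with `nopass`, the first audit check reports FAIL on it; that is intentional, since the CA key is the one secret that lets anyone issue further client certificates.

```shell
#!/bin/sh
# Added example, not part of the tutorial or of Easy-RSA itself.
# Runs the tutorial's Easy-RSA 3 steps without prompts, then audits the result.
# Assumptions: run from the Easy-RSA directory (./easyrsa present), openssl is on
# PATH, and the names are the tutorial's: pki/, CA CN "WOPR", john-server,
# john-client. --batch and --req-cn are Easy-RSA 3 options; set-rsa-pass still
# prompts for the new passphrase, as in the tutorial.
set -eu

# Build the PKI exactly as the tutorial does, minus the interactive DN prompts.
build_pki() {
    ./easyrsa --batch init-pki
    ./easyrsa --batch --req-cn=WOPR build-ca nopass
    ./easyrsa gen-dh
    ./easyrsa --batch build-server-full john-server nopass
    ./easyrsa --batch build-client-full john-client nopass
    ./easyrsa set-rsa-pass john-server   # interactive: OpenVPN needs this passphrase at start
}

# key_is_encrypted FILE: succeed if the PEM private key is passphrase-protected
# (either the legacy "Proc-Type: 4,ENCRYPTED" header or a PKCS#8 encrypted block).
key_is_encrypted() {
    grep -q -e 'BEGIN ENCRYPTED PRIVATE KEY' -e '^Proc-Type: 4,ENCRYPTED' "$1"
}

# key_perms_ok FILE: succeed if group and others have no access bits (mode 0600).
key_perms_ok() {
    [ "$(ls -l "$1" | cut -c5-10)" = "------" ]
}

# cert_signed_by CA_CRT CERT: succeed if CERT verifies against the CA certificate.
cert_signed_by() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# cert_has_eku CERT TEXT: succeed if the Extended Key Usage extension contains TEXT,
# e.g. "TLS Web Server Authentication". Easy-RSA's server and client types set
# different EKUs, and a client cert must never carry the server one.
cert_has_eku() {
    openssl x509 -in "$1" -noout -text | grep -A1 'X509v3 Extended Key Usage' | grep -q "$2"
}

# report CMD ARGS...: run one check, print ok/FAIL, and remember any failure in $rc.
report() {
    if "$@"; then echo "ok   : $*"; else echo "FAIL : $*"; rc=1; fi
}

# audit_pki DIR: check the files the tutorial produced under DIR; returns 1 on any FAIL.
# The tutorial's CA was built with "nopass", so the first check FAILs on it on purpose:
# the CA key is the most valuable secret in this setup and deserves a passphrase too.
audit_pki() {
    dir=$1; rc=0
    report key_is_encrypted "$dir/private/ca.key"
    report key_is_encrypted "$dir/private/john-server.key"
    report key_perms_ok     "$dir/private/ca.key"
    report key_perms_ok     "$dir/private/john-server.key"
    report key_perms_ok     "$dir/private/john-client.key"
    report test -s          "$dir/dh.pem"
    report cert_signed_by   "$dir/ca.crt" "$dir/issued/john-server.crt"
    report cert_signed_by   "$dir/ca.crt" "$dir/issued/john-client.crt"
    report cert_has_eku     "$dir/issued/john-server.crt" 'TLS Web Server Authentication'
    report cert_has_eku     "$dir/issued/john-client.crt" 'TLS Web Client Authentication'
    return $rc
}

case "${1:-}" in
    build) build_pki && audit_pki pki ;;
    audit) audit_pki "${2:-pki}" ;;
    *)     echo "usage: $0 build | audit [pki-dir]" ;;
esac
```

Run it as `sh check-pki.sh build` to reproduce the tutorial end to end, or `sh check-pki.sh audit pki` against a PKI you already built by hand. A non-zero exit means at least one line printed FAIL; fix that before the key material leaves the build machine.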
These keys and certificates give you a working OpenVPN configuration that allows secure communication between a client and a server machine. That is what you need to administer a remote server securely over an encrypted tunnel.
Thanks! This tutorial helped me a lot ;-)