Easy-RSA: Difference between revisions

Revision as of 14:29, 9 August 2016

The first step when setting up OpenVPN is to create a Public Key Infrastructure (PKI). The PKI consists of:

A public master Certificate Authority (CA) certificate and a private key.
A separate public certificate and private key pair for each server and each client.

To facilitate the certificate creation process, easy-rsa provides a RSA key management script.

Note: The certificates can be created on any machine. For the highest security, generate the certificates on a physically secure machine disconnected from any network, and make sure that the generated ca.key private key is backed up kept secret from users.

OpenVPN Server and Client Configuration

Note: All commands below are expected to be run as the root user. To make them more copy/paste friendly for readers, they are not prefixed.

Create the CA

After installing easy-rsa, initialize a new PKI and generate a CA:

cd /etc/easy-rsa
easyrsa init-pki
easyrsa build-ca

Create the DH

Created the initial dh.pem file:

cd /etc/easy-rsa
openssl dhparam -out /etc/easy-rsa/pki/dh.pem 2048

Note: Although values higher than 2048 (4096 for example) may be used, they take considerably more time to generate and offer little benefit in security.

Create and and sign an entity keypair

The term "entity" in this context can be a unique name given to a specific user (in the case of client key pairs) or to a particular server.

Generate and sign a key pair:

cd /etc/easy-rsa
easyrsa gen-req entity nopass

Sign the server cert and key with the CA.

Note: Server keys need to be signed with "server" type whereas clients need to be signed with the "client" type. Make the appropriate substitution for the word "TYPE" in the following command.

cd /etc/easy-rsa
easyrsa sign-req TYPE entity

Generate a secret Hash-based Message Authentication Code (HMAC) key

cd /etc/easy-rsa
openvpn --genkey --secret /etc/easy-rsa/pki/ta.key

This will be used to add an additional HMAC signature to all SSL/TLS handshake packets. In addition any UDP packet not having the correct HMAC signature will be immediately dropped, protecting against:

Portscanning.
DOS attacks on the OpenVPN UDP port.
SSL/TLS handshake initiations from unauthorized machines.
Any eventual buffer overflow vulnerabilities in the SSL/TLS implementation.

@@ Line 1: / Line 1: @@
 [[Category:Virtual Private Network]]
-The first step when setting up [[OpenVPN]] is to create a [[Wikipedia:Public key infrastructure|Public Key Infrastructure (PKI)]].  In summary, this consists of:
+The first step when setting up [[OpenVPN]] is to create a [[Wikipedia:Public key infrastructure|Public Key Infrastructure (PKI)]].  The PKI consists of:
 * A public master [[Wikipedia:Certificate Authority|Certificate Authority (CA)]] certificate and a private key.
-* A separate public certificate and private key pair for each server.
+* A separate public certificate and private key pair for each server and each client.
-* A separate public certificate and private key pair for each client.
+To facilitate the certificate creation process, {{Pkg|easy-rsa}} provides a [[Wikipedia:RSA (algorithm)|RSA]] key management script.
-One can think of the key-based authentication in terms similar to that of how [SSH_keys] work with the added layer of a signing authority (the CA).  OpenVPN relies on a bidirectional authentication strategy, so the client must authenticate the server's certificate and in parallel, the server must authenticate the client's certificate.  This is accomplished by the 3rd party's signature (the CA) on both the client and server certificates.  Once this is established, further checks are performed before the authentication is complete.  For more details, see [https://www.secure-computing.net/openvpn/howto.php#pki secure-computing's guide].
+{{Note|The certificates can be created on any machine.  For the highest security, generate the certificates on a physically secure machine disconnected from any network, and make sure that the generated ca.key private key is backed up kept secret from users.}}
+== OpenVPN Server and Client Configuration ==
 {{Note|All commands below are expected to be run as the root user. To make them more copy/paste friendly for readers, they are not prefixed.}}
-== Certificate Authority (CA) ==
+===Create the CA===
-{{Note|For security purposes, it is recommended that the CA machine be separate from the machine running OpenVPN.}}
+After installing {{pkg|easy-rsa}}, initialize a new PKI and generate a CA:
-After installing {{pkg|easy-rsa}} on the CA machine, initialize a new PKI and generate a CA keypair that will be used to sign certificates:
   cd /etc/easy-rsa
   easyrsa init-pki
   easyrsa build-ca
-== OpenVPN server files ==
+===Create the DH===
-The server will require 3 sets of files:
+Created the initial dh.pem file:
-# The server key pair (a public certificate and a private key).
-# The Diffie-Hellman (DH) parameters file (needed for TLS mode which is recommended).
-# The Hash-based Message Authentication Code (HMAC) key.
-=== Server certificate and private key ===
-On the machine that will be running OpenVPN, install {{pkg|easy-rsa}} and generate a key pair for the server:
   cd /etc/easy-rsa
-  easyrsa init-pki
+  openssl dhparam -out /etc/easy-rsa/pki/dh.pem 2048
- easyrsa gen-req servername nopass
+{{Note|Although values higher than 2048 (4096 for example) may be used, they take considerably more time to generate and offer little benefit in security.}}
-This will end up with two files on the OpenVPN server:
+===Create and and sign an entity keypair===
-{{ic|/etc/easy-rsa/pki/reqs/servername.req}}
+The term "entity" in this context can be a unique name given to a specific user (in the case of client key pairs) or to a particular server.
-{{ic|/etc/easy-rsa/pki/private/servername.key}}
-=== Diffie-Hellman (DH) parameters file ===
+Generate and sign a key pair:
-Create the initial dh.pem file:
+  cd /etc/easy-rsa
-  openssl dhparam -out /etc/openvpn/dh.pem 2048
+ easyrsa gen-req ''entity'' nopass
-{{Note|Although values higher than 2048 (4096 for example) may be used, they take considerably more time to generate and offer little benefit in security.}}
+Sign the server cert and key with the CA.
+{{Note|Server keys need to be signed with "server" type whereas clients need to be signed with the "client" type. Make the appropriate substitution for the word "TYPE" in the following command.}}
+ cd /etc/easy-rsa
+ easyrsa sign-req TYPE ''entity''
-=== Hash-based Message Authentication Code (HMAC) key ===
+=== Generate a secret Hash-based Message Authentication Code (HMAC) key ===
-Create the HMAC key:
+ cd /etc/easy-rsa
-  openvpn --genkey --secret /etc/openvpn/ta.key
+  openvpn --genkey --secret /etc/easy-rsa/pki/ta.key
 This will be used to add an additional HMAC signature to all SSL/TLS handshake packets.  In addition any UDP packet not having the correct HMAC signature will be immediately dropped, protecting against:
@@ Line 48: / Line 47: @@
 * Any eventual buffer overflow vulnerabilities in the SSL/TLS implementation.
-== OpenVPN client files ==
-=== Client certificate and private key ===
-Any machine can generate client files.  The machien will need the {{pkg|easy-rsa}} to be installed.
-Initialize the pki if not generating the client keypair on the OpenVPN server:
- cd /etc/easy-rsa
- easyrsa init-pki
-Generate the client key and certificate:
- cd /etc/easy-rsa
- easyrsa gen-req client1 nopass
-This will end up with two files on the OpenVPN server:
-{{ic|/etc/easy-rsa/pki/reqs/client1.req}}
-{{ic|/etc/easy-rsa/pki/private/client1.key}}
-The gen-req set can be repeat as many times as needed for additional clients.
-== Sign the certificates on the CA ==
-The server and client(s) certificates need to be signed by the CA.  Since these files were generated on the OpenVPN server machine, the requests need to be transferred to the CA via a secure means (emailing as attachments is not recommended).  For the purposes of this guide, scp is shown.  The readers may employ alternative methods as well.  Since the Arch default is to deny root user over ssh, this will require transferring ownership of the files to be exported to a non-root user (in the case of the code snippet below, this is the ''foo'' user).
-On the OpenVPN server (or the box used to generate the certificate/key pairs:
- cp /etc/easy-rsa/pki/reqs/*.req /tmp
- chown foo /tmp/*.req
-Now ''foo'' can securly transfer (via scp) these requests to the CA for signing:
- scp /tmp/*.req foo@hostname-of-CA:/tmp
- cd /etc/easy-rsa
- easyrsa sign-req server UNIQUE-SERVER-NAME
-On the CA machine, import and sign the certificate requests:
- cd /etc/easy-rsa
- easyrsa import-req /tmp/servername.req servername
- easyrsa import-req /tmp/client1.req client1
- easyrsa sign-req server servername
- easyrsa sign-req client client1
-This will create the following signed certificates which can be transferred back to their respective machines:
-{{ic|/etc/easy-rsa/pki/issued/servername.crt}}
-{{ic|/etc/easy-rsa/pki/issued/client1.crt}}
- cp /etc/easy-rsa/pki/issued/*.crt /tmp
- chown foo /tmp/*.crt
- scp /tmp/*.crt foo@hostname-of-openvpn_server:/tmp
-<<placeholder for final step>>
 == See also ==
 Upstream docs
 * [https://github.com/OpenVPN/easy-rsa/blob/master/README.quickstart.md README.quickstart].
 * [https://github.com/OpenVPN/easy-rsa/blob/master/doc/EasyRSA-Advanced.md EASYRSA-Advanced].