Difference between revisions of "Easy-rsa"

From ArchWiki
(clarify a little)
(Pass the signed certificates back to the server and client(s): rename to Server)
 
(86 intermediate revisions by 19 users not shown)
Line 1: Line 1:
[[Category:Virtual Private Network]]
+
[[Category:Virtual Private Network]]The first step when setting up [[OpenVPN]] is to create a [[Wikipedia:Public key infrastructure|Public Key Infrastructure (PKI)]].  In summary, this consists of:
 
+
The first step when setting up OpenVPN is to create a [[Wikipedia:Public key infrastructure|Public Key Infrastructure (PKI)]].  The PKI consists of:
+
 
+
 
* A public master [[Wikipedia:Certificate Authority|Certificate Authority (CA)]] certificate and a private key.
 
* A public master [[Wikipedia:Certificate Authority|Certificate Authority (CA)]] certificate and a private key.
* A separate public certificate and private key pair (hereafter referred to as a certificate) for each server and each client.
+
* A separate public certificate and private key pair for each server.
 +
* A separate public certificate and private key pair for each client.
  
To facilitate the certificate creation process, OpenVPN comes with a collection of [[Wikipedia:RSA (algorithm)|RSA]] key manangement scripts (based on the openssl command line tool) known as easy-rsa.
+
One can think of the key-based authentication in terms similar to that of how [[SSH keys]] work with the added layer of a signing authority (the CA).  OpenVPN relies on a bidirectional authentication strategy, so the client must authenticate the server's certificate and in parallel, the server must authenticate the client's certificate.  This is accomplished by the 3rd party's signature (the CA) on both the client and server certificates.  Once this is established, further checks are performed before the authentication is complete.  For more details, see [https://www.secure-computing.net/openvpn/howto.php#pki secure-computing's guide].
  
{{Note| Only .key files need to be kept secret, .crt and .csr files can be sent over insecure channels such as plaintext email.}}
+
{{Note|The process outlined below requires users to securely transfer private key files to/from machines. For the purposes of this guide, using scp is shown, but readers may employ alternative methods as well. Since the Arch default is to deny the root user over ssh, using scp requires transferring ownership of the files to be exported to a non-root user called ''foo'' throughout the guide.}}
 +
{{Note|All commands in the guide are expected to be run as the root user unless otherwise indicated in the text. To make code snippets copy/paste friendly to readers, commands are not prefixed.}}
  
In this article the needed certificates are created by root in root's home directory. This ensures that the generated files have the right ownership and permissions, and are safe from other users.
+
== Certificate Authority (CA) ==
 +
For security purposes, it is recommended that the CA machine be separate from the machine running OpenVPN.
  
{{Note|The certificates can be created on any machine.  For the highest security, generate the certificates on a physically secure machine disconnected from any network, and make sure that the generated ca.key private key is backed up and never accessible to anyone.}}
+
On the '''CA machine''', install {{pkg|easy-rsa}}, initialize a new PKI and generate a CA keypair that will be used to sign certificates:
 +
cd /etc/easy-rsa
 +
easyrsa init-pki
 +
easyrsa build-ca
  
{{Warning|Make sure that the generated files are backed up, especially the ca.key and ca.crt files, since if lost you will not be able to create any new, nor revoke any comprised certificates, thus requiring the generation of a new [[Wikipedia:Certificate Authority|Certificate Authority (CA)]] certificate, invalidating the entire PKI infrastructure.}}
+
== OpenVPN server files ==
 +
A functional OpenVPN server requires the following:
 +
# The CA's public certificate.
 +
# The server key pair (a public certificate and a private key).
 +
# The Diffie-Hellman (DH) parameters file (needed for TLS mode which is recommended).
 +
# The Hash-based Message Authentication Code (HMAC) key.
  
===Installing the easy-rsa scripts===
+
Upon completing the steps outlined in this article, users will have generated the following corresponding files:
 +
# {{ic|/etc/openvpn/ca.crt}}
 +
# {{ic|/etc/openvpn/server.key}} and {{ic|/etc/openvpn/server.crt}}
 +
# {{ic|/etc/openvpn/dh.pem}}
 +
# {{ic|/etc/openvpn/ta.key}}
  
Install the scripts by doing the following:
+
=== CA public certificate ===
 +
The CA public certificate {{ic|/etc/easy-rsa/pki/ca.crt}} generated in the previous step needs to be copied over to the machine that will be running OpenVPN.
  
{{bc|# cp -r /usr/share/openvpn/easy-rsa /root}}
+
On the '''CA machine''':
 +
cp /etc/easy-rsa/pki/ca.crt /tmp
 +
chown foo /tmp/ca.crt
  
===Creating certificates===
+
$ scp /tmp/ca.crt foo@hostname-of-openvpn-server:/tmp
  
Change to the directory where you installed the scripts.
+
On the '''OpenVPN server machine''':
 +
mv /tmp/ca.crt /etc/openvpn
 +
chown root:root /etc/openvpn/ca.crt
  
{{bc|# cd /root/easy-rsa}}
+
=== Server certificate and private key ===
 +
On the '''OpenVPN server machine''', install {{pkg|easy-rsa}} and generate a key pair for the server:
 +
cd /etc/easy-rsa
 +
easyrsa init-pki
 +
easyrsa gen-req servername nopass
  
To ensure the consistent use of values when generating the  PKI, set default values to be used by the PKI generating scripts. Edit /root/easy-rsa/vars and at a minimum set the KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, and KEY_EMAIL parameters (do not leave any of these parameters blank). Change the KEY_SIZE parameter to 2048 for the SSL/TLS to use 2048bit RSA keys for authentication.
+
This will create two files:
 +
{{ic|/etc/easy-rsa/pki/reqs/servername.req}}
 +
{{ic|/etc/easy-rsa/pki/private/servername.key}}
  
{{hc|/root/easy-rsa/vars|<nowiki>
+
=== Diffie-Hellman (DH) parameters file ===
# easy-rsa parameter settings
+
On the '''OpenVPN server machine''', create the initial dh.pem file:
 +
openssl dhparam -out /etc/openvpn/dh.pem 2048
  
# NOTE: If you installed from an RPM,
+
{{Note|Although values higher than 2048 (4096 for example) may be used, they take considerably more time to generate and offer little benefit in security.}}
# do not edit this file in place in
+
# /usr/share/openvpn/easy-rsa --
+
# instead, you should copy the whole
+
# easy-rsa directory to another location
+
# (such as /etc/openvpn) so that your
+
# edits will not be wiped out by a future
+
# OpenVPN package upgrade.
+
  
# This variable should point to
+
=== Hash-based Message Authentication Code (HMAC) key ===
# the top level of the easy-rsa
+
On the '''OpenVPN server machine''', create the HMAC key:
# tree.
+
openvpn --genkey --secret /etc/openvpn/ta.key
export EASY_RSA="`pwd`"
+
  
#
+
This will be used to add an additional HMAC signature to all SSL/TLS handshake packets.  In addition any UDP packet not having the correct HMAC signature will be immediately dropped, protecting against:
# This variable should point to
+
* Portscanning.
# the requested executables
+
* DOS attacks on the OpenVPN UDP port.
#
+
* SSL/TLS handshake initiations from unauthorized machines.
export OPENSSL="openssl"
+
* Any eventual buffer overflow vulnerabilities in the SSL/TLS implementation.
export PKCS11TOOL="pkcs11-tool"
+
export GREP="grep"
+
  
# This variable should point to
+
== OpenVPN client files ==
# the openssl.cnf file included
+
=== Client certificate and private key ===
# with easy-rsa.
+
Any machine can generate client files provided that {{pkg|easy-rsa}} is installed.
export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
+
  
# Edit this variable to point to
+
If the pki is not initialized, do so via:
# your soon-to-be-created key
+
cd /etc/easy-rsa
# directory.
+
easyrsa init-pki
#
+
# WARNING: clean-all will do
+
# a rm -rf on this directory
+
# so make sure you define
+
# it correctly!
+
export KEY_DIR="$EASY_RSA/keys"
+
  
# Issue rm -rf warning
+
Generate the client key and certificate:
echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
+
cd /etc/easy-rsa
 +
easyrsa gen-req client1 nopass
  
# PKCS11 fixes
+
This will create two files:
export PKCS11_MODULE_PATH="dummy"
+
{{ic|/etc/easy-rsa/pki/reqs/client1.req}}
export PKCS11_PIN="dummy"
+
{{ic|/etc/easy-rsa/pki/private/client1.key}}
  
# Increase this to 2048 if you
+
The gen-req set can be repeated as many times as needed for additional clients.
# are paranoid.  This will slow
+
# down TLS negotiation performance
+
# as well as the one-time DH parms
+
# generation process.
+
</nowiki>'''export KEY_SIZE&#61;2048'''<nowiki>
+
  
# In how many days should the root CA key expire?
+
== Sign the certificates and pass them back to the server and clients ==
export CA_EXPIRE=3650
+
=== Obtain and sign the certificates on the CA ===
 +
The server and client(s) certificates need to be signed by the CA then transferred back to the OpenVPN server/client(s).
  
# In how many days should certificates expire?
+
On the '''OpenVPN server''' (or the box used to generate the certificate/key pairs):
export KEY_EXPIRE=3650
+
cp /etc/easy-rsa/pki/reqs/*.req /tmp
 +
chown foo /tmp/*.req
  
# These are the default values for fields
+
Securely transfer the files to the CA machine for signing:
# which will be placed in the certificate.
+
$ scp /tmp/*.req foo@hostname-of-CA:/tmp
# Do not leave any of these fields blank.
+
  
</nowiki>
+
On the '''CA machine''', import and sign the certificate requests:
'''export KEY_COUNTRY&#61;"US"'''
+
cd /etc/easy-rsa
'''export KEY_PROVINCE&#61;"CA"'''
+
easyrsa import-req /tmp/servername.req servername
'''export KEY_CITY&#61;"Acme Acres"'''
+
easyrsa import-req /tmp/client1.req client1
'''export KEY_ORG&#61;"Acme"'''
+
easyrsa sign-req server servername
'''export KEY_EMAIL&#61;"roadrunner@acmecorp.org"'''
+
easyrsa sign-req client client1
'''#export KEY_EMAIL&#61;mail@host.domain'''
+
'''export KEY_CN&#61;Acme-CA'''
+
'''export KEY_NAME&#61;Acme-CA'''
+
'''export KEY_OU&#61;""'''<nowiki>
+
export PKCS11_MODULE_PATH=changeme
+
export PKCS11_PIN=1234
+
</nowiki>}}
+
  
Export the environment variables.
+
This will create the following signed certificates which can be transferred back to their respective machines:
 +
{{ic|/etc/easy-rsa/pki/issued/servername.crt}}
 +
{{ic|/etc/easy-rsa/pki/issued/client1.crt}}
  
{{bc|# source ./vars}}
+
The leftover .req files can be safely deleted:
 +
rm -f /tmp/*.req
  
Delete any previously created certificates.
+
=== Pass the signed certificates back to the server and client(s) ===
 +
On the '''CA machine''', copy the signed certificates and transfer them to the server/client(s):
  
{{bc|# ./clean-all}}
+
cp /etc/easy-rsa/pki/issued/*.crt /tmp
 +
chown foo /tmp/*.crt
 +
$ scp /tmp/*.crt foo@hostname-of-openvpn_server:/tmp
  
{{Note| Entering a . (dot) when prompted for a value, blanks out the parameter.}}
+
On the '''OpenVPN server''', move the certificates in place and reassign ownership:
 +
mv /tmp/servername.crt /etc/openvpn
 +
chown root:root /etc/openvpn/servername.crt
  
The build-ca script generates the [[Wikipedia:Certificate Authority|Certificate Authority (CA)]] certificate.
+
The signed client certificate can be stored anywhere since it will be used in the subsequent step of preparing the [[OpenVPN#The_client_profile_.28generic_for_Linux.2C_iOS.2C_or_Android.29|ovpn client profile file]].
  
{{hc|# ./build-ca|<nowiki>
+
mkdir /etc/easy-rsa/pki/signed
Generating a 2048 bit RSA private key
+
mv /tmp/client1.crt /etc/easy-rsa/pki/signed
..............++++++
+
...++++++
+
writing new private key to 'ca.key'
+
-----
+
You are about to be asked to enter information that will be incorporated
+
into your certificate request.
+
What you are about to enter is what is called a Distinguished Name or a DN.
+
There are quite a few fields but you can leave some blank
+
For some fields there will be a default value,
+
If you enter '.', the field will be left blank.
+
-----
+
Country Name (2 letter code) [US]:
+
State or Province Name (full name) [CA]:
+
Locality Name (eg, city) [Acme Acres]:
+
Organization Name (eg, company) [Acme]:
+
Organizational Unit Name (eg, section) []:
+
Common Name (eg, your name or your server's hostname) [Acme-CA]:
+
Name [Acme-CA]:
+
Email Address [roadrunner@acmecorp.org]:
+
</nowiki>}}
+
  
The build-key-server script {{ic|# ./build-key-server <server name>}} generates a server certificate. Make sure that the server name (Common Name when running the script) is unique.
+
== Revoking certificates and alerting the OpenVPN server ==
 +
=== Revoke a certificate ===
 +
Over time, it may become necessary to revoke a certificate thus denying access to the affected user(s).  This example revokes the "client1" certificate.
  
{{Note|Do not enter a challenge password or company name when the script prompts you for one.}}
+
On the '''CA machine''':
 +
cd /etc/easy-rsa
 +
easyrsa revoke client1
 +
easyrsa gen-crl
  
{{hc|# ./build-key-server elmer|<nowiki>
+
This will produce the CRL file {{ic|/etc/easy-rsa/pki/crl.pem}} that needs to be transferred to the OpenVPN server and made active there.
Generating a 2048 bit RSA private key
+
.....................++++++
+
.......................................................++++++
+
writing new private key to 'elmer.key'
+
-----
+
You are about to be asked to enter information that will be incorporated
+
into your certificate request.
+
What you are about to enter is what is called a Distinguished Name or a DN.
+
There are quite a few fields but you can leave some blank
+
For some fields there will be a default value,
+
If you enter '.', the field will be left blank.
+
-----
+
Country Name (2 letter code) [US]:
+
State or Province Name (full name) [CA]:
+
Locality Name (eg, city) [Acme Acres]:
+
Organization Name (eg, company) [Acme]:
+
Organizational Unit Name (eg, section) []:
+
Common Name (eg, your name or your server's hostname) [elmer]:
+
Name [Acme-CA]:
+
Email Address [roadrunner@acmecorp.org]:
+
  
Please enter the following 'extra' attributes
+
=== Alert the OpenVPN server ===
to be sent with your certificate request
+
On the '''CA machine''':
A challenge password []:
+
cp /etc/easy-rsa/pki/crl.pem /tmp
An optional company name []:
+
chown foo /tmp/crl.pem
Using configuration from /root/easy-rsa/openssl-1.0.0.cnf
+
Check that the request matches the signature
+
Signature ok
+
The Subject's Distinguished Name is as follows
+
countryName          :PRINTABLE:'US'
+
stateOrProvinceName  :PRINTABLE:'CA'
+
localityName          :PRINTABLE:'Acme Acres'
+
organizationName      :PRINTABLE:'Acme'
+
commonName            :PRINTABLE:'elmer'
+
name                  :PRINTABLE:'Acme-CA'
+
emailAddress          :IA5STRING:'roadrunner@acmecorp.org'
+
Certificate is to be certified until Dec 27 19:11:59 2021 GMT (3650 days)
+
Sign the certificate? [y/n]:y
+
  
1 out of 1 certificate requests certified, commit? [y/n]y
+
On the '''OpenVPN machine''', copy {{ic|crl.pem}} and inform the server to read it:
Write out database with 1 new entries
+
mv /tmp/crl.pem /etc/openvpn
Data Base Updated
+
chown root:root /etc/openvpn/crl.pem
</nowiki>}}
+
  
The build-dh script generates the [http://www.rsa.com/rsalabs/node.asp?id=2248 Diffie-Hellman parameters] .pem file needed by the server.
+
Edit {{ic|/etc/openvpn/server.conf}} uncommenting the crl-verify directive, then [[restart]] openvpn@server.service to re-read it:
 
+
{{Note|It would be better to generate a new one for each server, but you can use the same one if you want to.}}
+
{{hc|/etc/openvpn/server.conf|
 
+
{{hc|# ./build-dh|
+
Generating DH parameters, 2048 bit long safe prime, generator 2
+
This is going to take a long time
+
..+.............................................................................
+
 
.
 
.
 +
crl-verify /etc/openvpn/crl.pem
 
.
 
.
.
+
}}
............+...............+...................................................
+
..................................................................++*++*}}
+
 
+
The build-key script {{ic|# ./build-key <client name>}} generates a client certificate. Make sure that the client name (Common Name when running the script) is unique.
+
 
+
{{Note|Do not enter a challenge password or company name when the script prompts you for one.}}
+
 
+
{{hc|# ./build-key bugs|<nowiki>
+
Generating a 2048 bit RSA private key
+
....++++++
+
.............................................................++++++
+
writing new private key to 'bugs.key'
+
-----
+
You are about to be asked to enter information that will be incorporated
+
into your certificate request.
+
What you are about to enter is what is called a Distinguished Name or a DN.
+
There are quite a few fields but you can leave some blank
+
For some fields there will be a default value,
+
If you enter '.', the field will be left blank.
+
-----
+
Country Name (2 letter code) [US]:
+
State or Province Name (full name) [CA]:
+
Locality Name (eg, city) [Acme Acres]:
+
Organization Name (eg, company) [Acme]:
+
Organizational Unit Name (eg, section) []:
+
Common Name (eg, your name or your server's hostname) [bugs]:
+
Name [Acme-CA]:
+
Email Address [roadrunner@acmecorp.org]:
+
 
+
Please enter the following 'extra' attributes
+
to be sent with your certificate request
+
A challenge password []:
+
An optional company name []:
+
Using configuration from /root/easy-rsa/openssl-1.0.0.cnf
+
Check that the request matches the signature
+
Signature ok
+
The Subject's Distinguished Name is as follows
+
countryName          :PRINTABLE:'US'
+
stateOrProvinceName  :PRINTABLE:'CA'
+
localityName          :PRINTABLE:'Acme Acres'
+
organizationName      :PRINTABLE:'Acme'
+
commonName            :PRINTABLE:'bugs'
+
name                  :PRINTABLE:'Acme-CA'
+
emailAddress          :IA5STRING:'roadrunner@acmecorp.org'
+
Certificate is to be certified until Dec 27 19:18:27 2021 GMT (3650 days)
+
Sign the certificate? [y/n]:y
+
 
+
1 out of 1 certificate requests certified, commit? [y/n]y
+
Write out database with 1 new entries
+
Data Base Updated
+
</nowiki>}}
+
 
+
Generate a secret [[Wikipedia:HMAC|Hash-based Message Authentication Code (HMAC)]] by running:
+
{{ic|# openvpn --genkey --secret /root/easy-rsa/keys/ta.key}}
+
 
+
This will be used to add an additional HMAC signature to all SSL/TLS handshake packets.  In addition any UDP packet not having the correct HMAC signature will be immidiately dropped, protecting against:
+
 
+
* Portscanning.
+
* DOS attacks on the OpenVPN UDP port.
+
* SSL/TLS handshake initiations from unauthorized machines.
+
* Any eventual buffer overflow vulnerabilities in the SSL/TLS implementation.
+
 
+
All the created keys and certificates have been stored in /root/easy-rsa/keys.  If you make a mistake, you can start over by running the clean-all script again.
+
  
{{Warning|This will delete any previously generated certificates stored in /root/easy-rsa/keys, including the [[Wikipedia:Certificate Authority|Certificate Authority (CA)]] certificate.}}
+
== See also ==
 +
===Upstream docs===
 +
* [https://github.com/OpenVPN/easy-rsa/blob/master/README.quickstart.md README.quickstart].
 +
* [https://github.com/OpenVPN/easy-rsa/blob/master/doc/EasyRSA-Advanced.md EASYRSA-Advanced].
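Review bot: the new "Alert the OpenVPN server" steps are missing the transfer itself. They stage crl.pem in /tmp on the CA machine (cp, chown foo) and then run "mv /tmp/crl.pem /etc/openvpn" on the OpenVPN machine, with no scp step in between, unlike the ca.crt, .req and .crt transfers elsewhere in this revision. Add the matching "$ scp /tmp/crl.pem foo@hostname-of-openvpn-server:/tmp" line. Two smaller points in the same revision: the file list promises /etc/openvpn/server.key and server.crt, but the steps create servername.key under /etc/easy-rsa/pki/private and only move servername.crt into /etc/openvpn, so the names and the key's final location should be reconciled. The old warning about backing up ca.key and ca.crt is also removed without a replacement; it is worth carrying over into the new "Certificate Authority (CA)" section.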

Latest revision as of 10:17, 25 August 2016

The first step when setting up OpenVPN is to create a Public Key Infrastructure (PKI). In summary, this consists of:

  • A public master Certificate Authority (CA) certificate and a private key.
  • A separate public certificate and private key pair for each server.
  • A separate public certificate and private key pair for each client.

One can think of the key-based authentication in terms similar to that of how SSH keys work with the added layer of a signing authority (the CA). OpenVPN relies on a bidirectional authentication strategy, so the client must authenticate the server's certificate and in parallel, the server must authenticate the client's certificate. This is accomplished by the 3rd party's signature (the CA) on both the client and server certificates. Once this is established, further checks are performed before the authentication is complete. For more details, see secure-computing's guide.

Note: The process outlined below requires users to securely transfer private key files to/from machines. For the purposes of this guide, using scp is shown, but readers may employ alternative methods as well. Since the Arch default is to deny the root user over ssh, using scp requires transferring ownership of the files to be exported to a non-root user called foo throughout the guide.
Note: All commands in the guide are expected to be run as the root user unless otherwise indicated in the text. To make code snippets copy/paste friendly to readers, commands are not prefixed.

Certificate Authority (CA)

For security purposes, it is recommended that the CA machine be separate from the machine running OpenVPN.

On the CA machine, install easy-rsa, initialize a new PKI and generate a CA keypair that will be used to sign certificates:

cd /etc/easy-rsa
easyrsa init-pki
easyrsa build-ca

OpenVPN server files

A functional OpenVPN server requires the following:

  1. The CA's public certificate.
  2. The server key pair (a public certificate and a private key).
  3. The Diffie-Hellman (DH) parameters file (needed for TLS mode which is recommended).
  4. The Hash-based Message Authentication Code (HMAC) key.

Upon completing the steps outlined in this article, users will have generated the following corresponding files:

  1. /etc/openvpn/ca.crt
  2. /etc/openvpn/server.key and /etc/openvpn/server.crt
  3. /etc/openvpn/dh.pem
  4. /etc/openvpn/ta.key

CA public certificate

The CA public certificate /etc/easy-rsa/pki/ca.crt generated in the previous step needs to be copied over to the machine that will be running OpenVPN.

On the CA machine:

cp /etc/easy-rsa/pki/ca.crt /tmp
chown foo /tmp/ca.crt
$ scp /tmp/ca.crt foo@hostname-of-openvpn-server:/tmp

On the OpenVPN server machine:

mv /tmp/ca.crt /etc/openvpn
chown root:root /etc/openvpn/ca.crt

Server certificate and private key

On the OpenVPN server machine, install easy-rsa and generate a key pair for the server:

cd /etc/easy-rsa
easyrsa init-pki
easyrsa gen-req servername nopass

This will create two files:

  • /etc/easy-rsa/pki/reqs/servername.req
  • /etc/easy-rsa/pki/private/servername.key

Diffie-Hellman (DH) parameters file

On the OpenVPN server machine, create the initial dh.pem file:

openssl dhparam -out /etc/openvpn/dh.pem 2048

Note: Although values higher than 2048 (4096 for example) may be used, they take considerably more time to generate and offer little benefit in security.

Hash-based Message Authentication Code (HMAC) key

On the OpenVPN server machine, create the HMAC key:

openvpn --genkey --secret /etc/openvpn/ta.key

This will be used to add an additional HMAC signature to all SSL/TLS handshake packets. In addition any UDP packet not having the correct HMAC signature will be immediately dropped, protecting against:

  • Portscanning.
  • DoS attacks on the OpenVPN UDP port.
  • SSL/TLS handshake initiations from unauthorized machines.
  • Any eventual buffer overflow vulnerabilities in the SSL/TLS implementation.

OpenVPN client files

Client certificate and private key

Any machine can generate client files provided that easy-rsa is installed.

If the PKI is not initialized, do so via:

cd /etc/easy-rsa
easyrsa init-pki

Generate the client key and certificate:

cd /etc/easy-rsa
easyrsa gen-req client1 nopass

This will create two files:

  • /etc/easy-rsa/pki/reqs/client1.req
  • /etc/easy-rsa/pki/private/client1.key

The gen-req set can be repeated as many times as needed for additional clients.

Sign the certificates and pass them back to the server and clients

Obtain and sign the certificates on the CA

The server and client(s) certificates need to be signed by the CA then transferred back to the OpenVPN server/client(s).

On the OpenVPN server (or the box used to generate the certificate/key pairs):

cp /etc/easy-rsa/pki/reqs/*.req /tmp
chown foo /tmp/*.req

Securely transfer the files to the CA machine for signing:

$ scp /tmp/*.req foo@hostname-of-CA:/tmp

On the CA machine, import and sign the certificate requests:

cd /etc/easy-rsa
easyrsa import-req /tmp/servername.req servername
easyrsa import-req /tmp/client1.req client1
easyrsa sign-req server servername
easyrsa sign-req client client1

This will create the following signed certificates which can be transferred back to their respective machines:

  • /etc/easy-rsa/pki/issued/servername.crt
  • /etc/easy-rsa/pki/issued/client1.crt

The leftover .req files can be safely deleted:

rm -f /tmp/*.req

Pass the signed certificates back to the server and client(s)

On the CA machine, copy the signed certificates and transfer them to the server/client(s):

cp /etc/easy-rsa/pki/issued/*.crt /tmp
chown foo /tmp/*.crt
$ scp /tmp/*.crt foo@hostname-of-openvpn_server:/tmp

On the OpenVPN server, move the certificates in place and reassign ownership:

mv /tmp/servername.crt /etc/openvpn
chown root:root /etc/openvpn/servername.crt

The signed client certificate can be stored anywhere since it will be used in the subsequent step of preparing the ovpn client profile file.

mkdir /etc/easy-rsa/pki/signed
mv /tmp/client1.crt /etc/easy-rsa/pki/signed

Revoking certificates and alerting the OpenVPN server

Revoke a certificate

Over time, it may become necessary to revoke a certificate thus denying access to the affected user(s). This example revokes the "client1" certificate.

On the CA machine:

cd /etc/easy-rsa
easyrsa revoke client1
easyrsa gen-crl

This will produce the CRL file /etc/easy-rsa/pki/crl.pem that needs to be transferred to the OpenVPN server and made active there.

Alert the OpenVPN server

On the CA machine:

cp /etc/easy-rsa/pki/crl.pem /tmp
chown foo /tmp/crl.pem

On the OpenVPN machine, copy crl.pem and inform the server to read it:

mv /tmp/crl.pem /etc/openvpn
chown root:root /etc/openvpn/crl.pem

Edit /etc/openvpn/server.conf uncommenting the crl-verify directive, then restart openvpn@server.service to re-read it:

/etc/openvpn/server.conf
.
crl-verify /etc/openvpn/crl.pem
.
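
The signing and revocation steps above both end with files arriving from the CA through /tmp, so it is worth checking them before OpenVPN uses them: that a certificate matches the local private key, chains to ca.crt with the type given to sign-req, and is rejected once the CRL lists it. The script below is an added example, not part of the ArchWiki article or of easy-rsa. The function names (cert_matches_key, cert_is_valid, build_demo_pki) are hypothetical, and the throwaway PKI is constructed with plain openssl so the checks can be run without easy-rsa.

```sh
#!/bin/sh
# Added example. The demo PKI is constructed in a throwaway directory; in the
# guide's workflow the inputs are ca.crt, issued/*.crt, private/*.key, crl.pem.

# Succeeds only if CERT carries the public key of the local private KEY,
# i.e. the CA signed the request this machine generated.
cert_matches_key() {  # CERT KEY
    from_cert=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    from_key=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$from_cert" ] && [ "$from_cert" = "$from_key" ]
}

# Succeeds only if CERT chains to CA, is usable for PURPOSE (sslserver or
# sslclient) and, when a CRL is given, is not listed in it.
cert_is_valid() {  # CA CERT PURPOSE [CRL]
    if [ -n "${4:-}" ]; then
        openssl verify -CAfile "$1" -purpose "$3" -crl_check -CRLfile "$4" "$2"
    else
        openssl verify -CAfile "$1" -purpose "$3" "$2"
    fi >/dev/null 2>&1
}

# Constructed demo PKI; the names servername and client1 mirror the guide.
build_demo_pki() {  # DIR
    d=$1; : > "$d/index.txt"
    cat > "$d/demo.cnf" <<EOF
[req]
distinguished_name = dn
[dn]
CN = unused
[ca]
default_ca = demo
[demo]
database = $d/index.txt
default_md = sha256
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[server]
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
[client]
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo CA" \
        -config "$d/demo.cnf" -extensions ca_ext \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null || return 1
    for pair in servername:server client1:client; do
        name=${pair%%:*}; kind=${pair##*:}
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
            -config "$d/demo.cnf" -keyout "$d/$name.key" \
            -out "$d/$name.req" 2>/dev/null || return 1
        openssl x509 -req -in "$d/$name.req" -days 30 -CA "$d/ca.crt" \
            -CAkey "$d/ca.key" -CAcreateserial -extfile "$d/demo.cnf" \
            -extensions "$kind" -out "$d/$name.crt" 2>/dev/null || return 1
    done
    # Revoke client1 and publish a CRL, standing in for revoke + gen-crl.
    openssl ca -config "$d/demo.cnf" -keyfile "$d/ca.key" -cert "$d/ca.crt" \
        -revoke "$d/client1.crt" >/dev/null 2>&1 || return 1
    openssl ca -config "$d/demo.cnf" -keyfile "$d/ca.key" -cert "$d/ca.crt" \
        -gencrl -crldays 30 -out "$d/crl.pem" >/dev/null 2>&1
}

DEMO=$(mktemp -d) || exit 1
trap 'rm -rf "$DEMO"' EXIT
build_demo_pki "$DEMO" || { echo "demo PKI setup failed" >&2; exit 1; }
show() {  # LABEL CHECK...
    label=$1; shift
    if "$@"; then echo "accepted: $label"; else echo "rejected: $label"; fi
}
show "servername.crt belongs to servername.key" \
    cert_matches_key "$DEMO/servername.crt" "$DEMO/servername.key"
show "servername.crt as server" \
    cert_is_valid "$DEMO/ca.crt" "$DEMO/servername.crt" sslserver
show "client1.crt as server" \
    cert_is_valid "$DEMO/ca.crt" "$DEMO/client1.crt" sslserver
show "client1.crt as client, CRL applied" \
    cert_is_valid "$DEMO/ca.crt" "$DEMO/client1.crt" sslclient "$DEMO/crl.pem"
```

On a real deployment only the two check functions are needed, pointed at /etc/openvpn/ca.crt, the received certificate, the matching key under /etc/easy-rsa/pki/private and /etc/openvpn/crl.pem.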

See also

Upstream docs