A certificate authority (CA) is who issues the digital certificates. We need this for installation of some software, such as OpenVPN. For doing that, we have to download the latest version of EasyRSA. EasyRSA is the CLI utility to build and manage a PKI CA. A CA acts as a trusted 3rd party. The format of these certificates is specified by the X.509 standard.
A certificate signed by a Certificate Authority (CA) which is trusted, like by the browser is displayed as trusted (that usually a padlock icon). A browser only trusts a CA when the CA’s public root certificate is installed in the browser and/or the computer in use. That makes the actual usage limited within own network. Browsers come with pre-installed CA certificates such as from Geotrust, Comodo, Symantec. The reason to use EasyRSA like scripted way is to make the steps easy. OpenSSL command line for setting up own CA infrastructure for a person unused with X.509 certificate chain of trust can make dizzy. We need to build the CA on a single server for this purpose. This prevents an attacker to access the CA private key to sign new certificates. We can keep the CA server turned off when not required to be in use.
This is EasyRSA’s official GitHub repo :
We can wget it and un-tar it :
# version 3.0.6 is latest at the time of writing this guide
ls | grep "tgz"
tar -xzvf EasyRSA-unix-v3.0.6.tgz
cp vars.example vars
# initialized to create pki directory and various sub-directories
./easyrsa init-pki force
You’ll get output like this :
Your newly created PKI dir is: /home/user-name/EasyRSA-v3.0.6/pki
Now we need to edit that vars file :
# vi vars
Your edit should make the file looking like this :
. . .
set_var EASYRSA_REQ_COUNTRY "IN"
set_var EASYRSA_REQ_PROVINCE "WestBengal"
set_var EASYRSA_REQ_CITY "Kolkata"
set_var EASYRSA_REQ_ORG "The Customize Windows Consultancy"
set_var EASYRSA_REQ_EMAIL "email@example.com"
set_var EASYRSA_REQ_OU "Blog Department"
Again, we need to call the easyrsa script for the build-ca option which will build the CA and create two required files
ca.key. We do not need password hence we will run :
./easyrsa build-ca nopass
To generate CA certificate use something similar to:
echo "ca.thecustomizewindows.com" > input.txt
./easyrsa build-ca nopass < input.txt
There are various methods for generating server or client certificates. Such as, on CA server we can use the
build-client full script.
Another way is to copy the easy-rsa scripts on target server and generating certificate request. This request will be imported in next step and signed on CA server. Then the signed certificate will be transferred back to the server which generated the request. To build full-client-certifcate without requiring client to generate certificate request and send it to CA server use something like:
./easyrsa build-client-full firstname.lastname@example.org nopass
Your PKI dir was at
/home/user-name/EasyRSA-v3.0.6/pki. The above commond will create
..pki/issued/vpn.thecustomizewindows.com.crt. To export CA certificate in PKCS#12 format use:
./easyrsa export-p12 email@example.com
Update the status of the certificates in index file:
To generate DH parameters use: