Create a Public Key Infrastructure Using the easy-rsa Scripts

The first step when setting up OpenVPN is to create a Public Key Infrastructure (PKI). The PKI consists of:

  • A public master Certificate Authority (CA) certificate and a private key.
  • A separate public certificate and private key pair (hereafter referred to as a certificate) for each server and each client.

To facilitate the certificate creation process, OpenVPN comes with a collection of RSA key manangement scripts (based on the openssl command line tool) known as easy-rsa.

Note: Only .key files need to be kept secret, .crt and .csr files can be sent over insecure channels such as plaintext email.

In this article the needed certificates are created by root in root’s home directory. This ensures that the generated files have the right ownership and permissions, and are safe from other users.

Note: The certificates can be created on any machine. For the highest security, generate the certificates on a physically secure machine disconnected from any network, and make sure that the generated ca.key private key is backed up and never accessible to anyone.
Warning: Make sure that the generated files are backed up, especially the ca.key and ca.crt files, since if lost you will not be able to create any new, nor revoke any compromised certificates, thus requiring the generation of a new Certificate Authority (CA) certificate, invalidating the entire PKI infrastructure.

Installing the easy-rsa scripts

Install the scripts by doing the following:

Creating certificates

Change to the directory where you installed the scripts.

To ensure the consistent use of values when generating the PKI, set default values to be used by the PKI generating scripts. Edit /root/easy-rsa/vars and at a minimum set the KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, and KEY_EMAIL parameters (do not leave any of these parameters blank). Change the KEY_SIZE parameter to 2048 for the SSL/TLS to use 2048bit RSA keys for authentication.

Export the environment variables.

Delete any previously created certificates.

Note: Entering a . (dot) when prompted for a value, blanks out the parameter.

The build-ca script generates the Certificate Authority (CA) certificate.

The build-key-server script # ./build-key-server <server name> generates a server certificate. Make sure that the server name (Common Name when running the script) is unique.

Note: Do not enter a challenge password or company name when the script prompts you for one.

The build-dh script generates the Diffie-Hellman parameters .pem file needed by the server.

Note: It would be better to generate a new one for each server, but you can use the same one if you want to.

The build-key script # ./build-key <client name> generates a client certificate. Make sure that the client name (Common Name when running the script) is unique.

Note: Do not enter a challenge password or company name when the script prompts you for one.

Generate a secret Hash-based Message Authentication Code (HMAC) by running: # openvpn --genkey --secret /root/easy-rsa/keys/ta.key

This will be used to add an additional HMAC signature to all SSL/TLS handshake packets. In addition any UDP packet not having the correct HMAC signature will be immediately dropped, protecting against:

  • Portscanning.
  • DOS attacks on the OpenVPN UDP port.
  • SSL/TLS handshake initiations from unauthorized machines.
  • Any eventual buffer overflow vulnerabilities in the SSL/TLS implementation.

All the created keys and certificates have been stored in /root/easy-rsa/keys. If you make a mistake, you can start over by running the clean-all script again.

Warning: This will delete any previously generated certificates stored in /root/easy-rsa/keys, including the Certificate Authority (CA) certificate.

Converting certificates to encrypted .p12 format

Some software (such as Android) will only read VPN certificates that are stored in a password-encrypted .p12 file. These can be generated with the following command:

Checking Using OpenSSL

If you need to check the information within a Certificate, CSR or Private Key, use these commands. You can also check CSRs and check certificates using our online tools.

  • Check a Certificate Signing Request (CSR)
  • Check a private key
  • Check a certificate
  • Check a PKCS#12 file (.pfx or .p12)

Leave a Reply

Your email address will not be published. Required fields are marked *