easy-rsa

Last updated: 2021-02-09

Contents

Introduction

easy-rsa is a terminal front-end to openssl. It has three versions,

namely 1.0, 2.0 and 3.0.

What makes 2.0 different from 1.0 is that 2.0 is built on ./pkitool

 


easy-rsa v2

 

0. Install

Centos:

yum install easy-rsa      # C6 = V2, C7 = V3

Ubuntu 18:

apt-get install easy-rsa

Common

cp -a /usr/share/easy-rsa /etc/openvpn/easy-rsa

cd /etc/openvpn/easy-rsa

1. Edit vars

# so cd into the install directory first
export EASY_RSA="`pwd`"

#
export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`

# CA settings
export KEY_SIZE=2048
export CA_EXPIRE=3650
export KEY_EXPIRE=3650

#
export KEY_COUNTRY="CN"
export KEY_PROVINCE="HONG KONG"
export KEY_CITY="HONG KONG"
export KEY_ORG="Home"
export KEY_EMAIL="[email protected]"
export KEY_OU=IT

# X509 Subject Field - "Name"
export KEY_NAME=EasyRSA

The certificate will carry the following data:

Issuer: C=CN, ST=HK, L=Hong Kong, O=IT, OU=IT, CN=?/name=?/[email protected]
  • O        KEY_ORG
  • name     KEY_NAME

2. Source vars:

. vars

3. Clean everything

./clean-all         <--- Caution!! This deletes all keys!! (only effective after sourcing vars) [ rm -rf on $KEY_DIR ]

# creates keys/index.txt and keys/serial

4. Build the base CA:

./build-dh          <--- size is controlled by KEY_SIZE; even 2048 takes 5 minutes; creates keys/dh2048.pem

Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
...

ln -s openssl-1.0.0.cnf openssl.cnf

./build-ca        # creates keys/ca.crt and keys/ca.key

5. Build the Server Cert and Key:

./build-key-server VPN-Server         # Common Name = VPN-Server

...
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

# created VPN-Server.key, VPN-Server.csr, VPN-Server.crt, 01.pem

# serial goes from 00 -> 01 (incremented by 1); its content is the S/N of the next pem. index.txt now holds the info of cert 01

6. Build the Client Cert and Key:

# creates VPN-Client01.key, VPN-Client01.crt and VPN-Client01.csr

./build-key VPN-Client01

 


pkitool

 

Centos 6:

Path:

/usr/share/easy-rsa/2.0/pkitool

./pkitool --version

pkitool 2.0

Preparation:

./clean-all also creates the following files:

touch /usr/share/easy-rsa/2.0/keys/index.txt

echo 01 > /usr/share/easy-rsa/2.0/keys/serial

After the first Server Cert has been built:

index.txt:
V       231126065324Z           01      unknown /C=CN/ST=HK/L=Hong Kong/O=IT/OU=IT/CN=Server/name=Server/[email protected]

serial:
02

Usage:

pkitool [options...] [common-name]

Build the CA

pkitool --initca [--pass]

Build a Server Cert.

# pkitool: Need a readable ca.crt and ca.key in /usr/share/easy-rsa/2.0/keys

pkitool --server server1

Build a Client Cert.

pkitool [--pass] client1

Other options:

--csr client4

--sign client4

--keysize      (default=1024)

P.S.

Likewise, you must source ./vars before it works !!
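The index.txt and serial files above are the OpenSSL CA database that easy-rsa v2 maintains. As an added example (not from the original page or from easy-rsa itself), the script below parses that database, classifies each issued cert as valid, revoked or expired, and checks that the next serial in keys/serial is above every serial already issued; the sample records are constructed to mirror the one shown above.

```python
# Added example: audit an easy-rsa v2 CA database (keys/index.txt + keys/serial).
# index.txt record (tab-separated): status V/R/E, expiry YYMMDDHHMMSSZ,
# revocation date, serial (hex), cert file name, subject DN.
from datetime import datetime, timezone

# Constructed sample records modelled on the ones shown above (not real output).
SAMPLE_INDEX = (
    "V\t231126065324Z\t\t01\tunknown\t/C=CN/ST=HK/L=Hong Kong/O=IT/OU=IT/CN=Server/name=Server/emailAddress=ca@example.test\n"
    "V\t351126065324Z\t\t02\tunknown\t/C=CN/ST=HK/L=Hong Kong/O=IT/OU=IT/CN=VPN-Client01\n"
    "R\t351126065324Z\t240101120000Z\t03\tunknown\t/C=CN/ST=HK/L=Hong Kong/O=IT/OU=IT/CN=VPN-Client02\n"
)
SAMPLE_SERIAL = "04\n"  # next serial the CA will hand out (hex), as in keys/serial

def parse_time(stamp):
    """index.txt timestamps are UTCTime with a two-digit year: 23 -> 2023."""
    return datetime.strptime(stamp, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def parse_index(text):
    """Parse index.txt into dicts; reject records that do not have six fields."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError("malformed index.txt record: %r" % line)
        status, expiry, revoked, serial, _fname, subject = fields
        cn = next(p[3:] for p in subject.split("/") if p.startswith("CN="))
        entries.append({"status": status, "expiry": parse_time(expiry),
                        "revoked": parse_time(revoked) if revoked else None,
                        "serial": int(serial, 16), "cn": cn})
    return entries

def audit(index_text, serial_text, now):
    """Classify each cert by CN and check that `serial` is above every issued serial."""
    entries = parse_index(index_text)
    next_serial = int(serial_text.strip(), 16)
    report = {"valid": [], "revoked": [], "expired": [], "serial_ok": True}
    for e in entries:
        if e["status"] == "R":
            report["revoked"].append(e["cn"])
        elif e["status"] == "E" or e["expiry"] <= now:
            # OpenSSL only rewrites V -> E on 'openssl ca -updatedb', so check the date too
            report["expired"].append(e["cn"])
        else:
            report["valid"].append(e["cn"])
    if entries and next_serial <= max(e["serial"] for e in entries):
        report["serial_ok"] = False  # a reused serial would collide with an issued cert
    return report

print(audit(SAMPLE_INDEX, SAMPLE_SERIAL, datetime.now(timezone.utc)))
```

Point it at a real CA by reading keys/index.txt and keys/serial into the two arguments; a serial_ok of False means the CA would issue a duplicate serial next.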

export KEY_COUNTRY="CN"
export KEY_PROVINCE="Hong Kong"
export KEY_CITY="Hong Kong"
export KEY_ORG="Home"
export KEY_EMAIL="[email protected]"
export KEY_CN=
export KEY_NAME=
export KEY_OU=IT

 


easy-rsa v3

 

Install

apt-get install easy-rsa                      # Debian10

Gives: /usr/share/easy-rsa/easyrsa

yum install easy-rsa                          # Centos 7(epel)

Copy the needed files into a folder

MyER=/Path/To/Folder

mkdir $MyER && chmod 700 $MyER && cd $MyER

cp -a /usr/share/easy-rsa/* ./

  • easyrsa                            # POSIX shell script
  • openssl-easyrsa.cnf
  • x509-types/

1. On the CA Server

# start a new PKI and

./easyrsa init-pki

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/keys/pki

tree pki

pki
├── private
└── reqs

# build a CA keypair/cert:

./easyrsa build-ca

Enter New CA Key Passphrase:
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:

2. On the VPN Server

./easyrsa gen-req UNIQUE_SERVER_SHORT_NAME nopass

i.e.

/etc/openvpn/easyrsa/pki/reqs/OVPN-Server.req

Then send the request files from each entity to the CA system.

3.  On the CA Server again (optional)

# import-req: just copies the request file (UNIQUE_SHORT_FILE_NAME.req) into reqs/ under the pki folder

# This prepares it for review and signing; we give it an arbitrary "short name"

./easyrsa import-req /path/to/received.req UNIQUE_SHORT_FILE_NAME

Using SSL: openssl OpenSSL 1.1.1d  10 Sep 2019

The request has been successfully imported with a short name of: server
You may now use this name to perform signing operations on this request.

# Review each request's details if you wish

./easyrsa show-req UNIQUE_SHORT_FILE_NAME (optional)

ie.

./easyrsa show-req datahunter.org

This file is stored at:
/etc/openvpn/keys/pki/reqs/datahunter.org.req

Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject:
            commonName                = datahunter.org
        Attributes:
            a0:00

4. signing as a server

./easyrsa sign-req server UNIQUE_SHORT_FILE_NAME

ie.

./easyrsa sign-req server datahunter.org

Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Enter pass phrase for /etc/openvpn/keys/pki/private/ca.key:

5. Signing as a client:

The steps are much the same as for the server; only "server" is replaced by "client"

./easyrsa gen-req UNIQUE_Client_SHORT_NAME nopass

./easyrsa sign-req client UNIQUE_SHORT_FILE_NAME

i.e.

./easyrsa gen-req client1 nopass

./easyrsa sign-req client client1

Generate 2048 bit DH

./easyrsa gen-dh 2048

Troubleshoot

Easy-RSA error:

Unknown cert type 'server'

The x509-types directory needed to be located in the same directory as the 'easyrsa' script.