Extended Brain Storage

Certificate Authority: Setup Using Easy-RSA

Posted on April 29, 2018

It is highly advised that the Certificate Authority always be installed on a different server than the publicly available service...

Certification Authority

The function of the Certificate Authority, or Certification Authority (CA), can be provided by the Easy-RSA software (part of the OpenVPN project).

Installation of the Easy-RSA

On the Arch-based Artix Linux operating system, the easy-rsa package can be installed as follows (optionally, openvpn may be installed as well to provide a list of the supported algorithms):

$ pacman -S easy-rsa # optionally `openvpn`

The default configuration can be found using the easyrsa help command:

$ easyrsa help
...
DIRECTORY STATUS (commands would take effect on these locations)
  EASYRSA: /home/$USER
      PKI: /home/$USER/pki

The location of the default setup of configurable variables (i.e. the vars file) differs as per operating system. In Arch/Artix Linux, it can be found in:

$ less /etc/easy-rsa/vars # the location will differ as per OS used

On the OpenBSD operating system, the easy-rsa package can be installed as follows (optionally, openvpn as well):

$ pkg_add easy-rsa # optionally, `openvpn`

In OpenBSD, the directories of Easy-RSA (version 3) need to be prepared as follows (e.g. in the /etc/openvpn/easy-rsa directory):

$ install -m 700 -d /etc/openvpn/easy-rsa
$ cp -r /usr/local/share/easy-rsa/x509-types /etc/openvpn/easy-rsa

In OpenBSD, it is also necessary to copy the easyrsa binary into the appropriate directory (or to make it "always available" using the $PATH variable):

$ cp /usr/local/share/easy-rsa/easyrsa /etc/openvpn/easy-rsa

Configuration of the CA

Easy-RSA searches for its configuration file in the /etc/easy-rsa/ (Artix Linux) or /usr/local/share/easy-rsa (OpenBSD) directory. However, this can easily be changed to any desired directory (hereinafter referred to as the /PATH/TO/Easy-RSA/ROOT/ directory). The default vars file can be used as a reference for an optimal CA configuration. In any case, the following works well:

$ cd /PATH/TO/Easy-RSA/ROOT/
$ vi ./vars
### the default system directory
set_var EASYRSA                "/etc/easy-rsa/" # or wherever the x509-types directory lives
### the soon-to-be-created key directory
set_var EASYRSA_PKI            "$PWD/ca.domain.tld" # default: pki
### X509 Distinguished Name (DN) mode (organisational or Common Name only)
set_var EASYRSA_DN             "cn_only"   # default: cn_only ("org" mode alt.)
### only valid for the "org" mode
#set_var EASYRSA_REQ_COUNTRY    "COUNTRY-CODE"
#set_var EASYRSA_REQ_PROVINCE   "PROVINCE"
#set_var EASYRSA_REQ_CITY       "CITY"
#set_var EASYRSA_REQ_ORG        "domain.tld"
#set_var EASYRSA_REQ_EMAIL      "admin@domain.tld"
#set_var EASYRSA_REQ_OU         "ORGANISATIONAL-UNIT"
### crypto mode
set_var EASYRSA_ALGO           rsa         # default: rsa
### RSA key size (also used by gen-dh for the Diffie-Hellman parameters)
set_var EASYRSA_KEY_SIZE       4096        # default: 2048
set_var EASYRSA_DIGEST         "sha512"    # default: "sha256"
### expiration values
set_var EASYRSA_CA_EXPIRE      3650        # default: 3650
set_var EASYRSA_CERT_EXPIRE    3650        # default: 1080
set_var EASYRSA_CRL_DAYS       3650        # default: 180

Choosing safe curves for elliptic-curve cryptography (ECC) is not a simple task, and as of 2020 the OpenVPN project still does not support Ed25519. Hence, this example deals with an RSA-based setup only. In any case, the supported algorithms can be listed using the following command:

$ openvpn --show-curves --show-ciphers --show-tls --show-digests
...

Initialisation of the CA can be performed as follows (creates the private and the reqs subdirectories):

$ cd /PATH/TO/Easy-RSA/ROOT/
$ easyrsa --vars=./vars init-pki

Note: using Easy-RSA configuration from: ./vars

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /PATH/TO/Easy-RSA/ROOT/ca.domain.tld

Building the CA

Building the CA is straightforward. Although it can be combined with the nopass parameter in order to omit the key-file password requirement, it is strongly recommended not to do so and to use a strong password/passphrase instead:

$ cd /PATH/TO/Easy-RSA/ROOT/
$ touch ./ca.domain.tld/.rnd # https://github.com/OpenVPN/easy-rsa/issues/261
$ easyrsa --vars=./vars build-ca # PASSWORD/PASSPHRASE TO BE ENTERED
...
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:MY-NAME CA

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/PATH/TO/Easy-RSA/ROOT/ca.domain.tld/ca.crt

Optionally, the certificates can be verified as follows:

$ cd /PATH/TO/Easy-RSA/ROOT/
$ openssl x509 -in ./ca.domain.tld/ca.crt -text -noout
...
$ openssl rsa -in ./ca.domain.tld/private/ca.key -check -noout
Enter pass phrase for ./ca.domain.tld/private/ca.key:
RSA key ok

In order for the server to negotiate session keys via a Diffie-Hellman key exchange, the Diffie-Hellman group parameters file (RFC 2631; it contains the large prime p and a generator g) needs to be created (for 4096-bit parameters, it will take "some" time):

$ cd /PATH/TO/Easy-RSA/ROOT/
$ easyrsa --vars=./vars gen-dh
...

As the generated file is PEM, i.e. a base64-encoded Abstract Syntax Notation One (ASN.1) structure in Distinguished Encoding Rules (DER) encoding (as per ITU-T X.680 and ITU-T X.690 respectively), it can be parsed as follows:

$ openssl asn1parse -in ./ca.domain.tld/dh.pem
    0:d=0  hl=4 l= 520 cons: SEQUENCE
    4:d=1  hl=4 l= 513 prim: INTEGER           :PRIME-NUMBER-IN-HEX
  521:d=1  hl=2 l=   1 prim: INTEGER           :02

The primality of the generated number (PRIME-NUMBER-IN-HEX) can be verified using the following command:

$ openssl prime -hex PRIME-NUMBER-IN-HEX
...) is prime
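
The asn1parse and openssl prime steps above only establish that the first INTEGER is prime. The following Python, added here as an illustration (it is not part of the original post or of Easy-RSA), parses a PEM DH parameters file the same way and additionally checks that p is a safe prime (q = (p-1)/2 prime as well) and that g has order q or 2q; the sample file is constructed in code rather than taken from gen-dh, and the Miller-Rabin routine is demo-grade.

```python
import base64, re

def is_probable_prime(n, bases=(2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)):
    """Miller-Rabin with fixed bases (trial division by them first); demo-grade, not constant-time."""
    if n < 2 or any(n % b == 0 for b in bases):
        return n in bases
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def der_read_tlv(buf: bytes, off: int):                    # -> (tag, value, offset after the TLV)
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                                      # long form (asn1parse hl=3/4): low bits count length bytes
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + length], off + length

def parse_dh_pem(pem: str):                                # PKCS#3 DHParameter: SEQUENCE { INTEGER p, INTEGER g }
    body = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", pem, re.S)
    tag, seq, _ = der_read_tlv(base64.b64decode("".join(body.group(1).split())), 0)
    tag_p, p_bytes, off = der_read_tlv(seq, 0)
    tag_g, g_bytes, _ = der_read_tlv(seq, off)
    assert tag == 0x30 and tag_p == tag_g == 0x02, "not SEQUENCE { INTEGER, INTEGER }"
    return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")

def check_dh_params(p: int, g: int, min_bits: int = 2048) -> dict:   # what `openssl prime` alone does not tell you
    q, p_prime = (p - 1) // 2, is_probable_prime(p)
    return {"bits": p.bit_length(), "size_ok": p.bit_length() >= min_bits, "p_prime": p_prime,
            "safe_prime": p_prime and is_probable_prime(q),          # q = (p-1)/2 must be prime too
            "generator_ok": 1 < g < p - 1 and pow(g, q, p) in (1, p - 1)}   # g of order q or 2q, not 1 or 2

def make_sample_dh_pem(bits: int) -> str:                  # constructed sample, NOT real gen-dh output
    q = (1 << (bits - 2)) | 1                              # search for the first safe prime p = 2q+1 >= 2**(bits-1)
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q += 2
    p_bytes = (2 * q + 1).to_bytes(bits // 8 + 1, "big")    # bits % 8 == 0 assumed; leading 0x00 keeps INTEGER positive
    ints = b"\x02" + bytes([len(p_bytes)]) + p_bytes + b"\x02\x01\x02"
    der = b"\x30" + bytes([len(ints)]) + ints                # short-form lengths suffice for this small sample
    return f"-----BEGIN DH PARAMETERS-----\n{base64.b64encode(der).decode()}\n-----END DH PARAMETERS-----\n"
```

Against a real gen-dh output, call check_dh_params(*parse_dh_pem(open("ca.domain.tld/dh.pem").read())); with the 4096-bit parameters from the vars above the primality tests take considerably longer than on the constructed 256-bit sample.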

Now, the CA is completely initialised, built and ready to sign Certificate Signing Requests (CSRs).

Tags: #Artix Linux #OpenBSD #OpenVPN #Easy-RSA #security #certification #certificate #authority #CA
