From ConShell
Jump to navigation Jump to search

Typically a component of OpenVPN, this is a command-line management suite for working with X.509 certificates.

WARNING! This page is a work in progress by --fostermarkd 12:15, 27 August 2008 (PDT)

I intend to complete some remaining details. This effort is tied to https://blueprints.edge.launchpad.net/ubuntu/+spec/improve-ssl-cert

Getting started

These are the steps to get the easy-rsa components onto an Ubuntu system.

aptitude install openvpn

Note: this gets the easy-rsa components

sudo mkdir /etc/pkitool
sudo chown mdf /etc/pkitool

Note: what user would normally own this folder?

export PATH="$PATH:/usr/share/doc/openvpn/examples/easy-rsa/2.0"
cd  /usr/share/doc/openvpn/examples/easy-rsa/2.0/
cp whichopensslcnf vars openssl.cnf /etc/pkitool/

Now edit the files vars and openssl.cnf in /etc/pkitool Note, this is where you set some reasonable defaults for subsequent CA operations. See Appendix B for an example patchfile showing changes I made.

Now we can leverage the pkitool script to handle many tasks.

Appendix A. pkitool usage

Usage: pkitool [options...] [common-name]
  --batch    : batch mode (default)
  --keysize  : Set keysize
      size   : size (default=1024)
  --interact : interactive mode
  --server   : build server cert
  --initca   : build root CA
  --inter    : build intermediate CA
  --pass     : encrypt private key with password
  --csr      : only generate a CSR, do not sign
  --sign     : sign an existing CSR
  --pkcs12   : generate a combined PKCS#12 file
  --pkcs11   : generate certificate on PKCS#11 token
      lib    : PKCS#11 library
      slot   : PKCS#11 slot
      id     : PKCS#11 object id (hex string)
      label  : PKCS#11 object label
Standalone options:
  --pkcs11-slots   : list PKCS#11 slots
      lib    : PKCS#11 library
  --pkcs11-objects : list PKCS#11 token objects
      lib    : PKCS#11 library
      slot   : PKCS#11 slot
  --pkcs11-init    : initialize PKCS#11 token DANGEROUS!!!
      lib    : PKCS#11 library
      slot   : PKCS#11 slot
      label  : PKCS#11 token label
  Please edit the vars script to reflect your configuration,
  then source it with "source ./vars".
  Next, to start with a fresh PKI configuration and to delete any
  previous certificates and keys, run "./clean-all".
  Finally, you can run this tool (pkitool) to build certificates/keys.
  In order to use PKCS#11 interface you must have opensc-0.10.0 or higher.
Generated files and corresponding OpenVPN directives:
(Files will be placed in the $KEY_DIR directory, defined in ./vars)
  ca.crt     -> root certificate (--ca)
  ca.key     -> root key, keep secure (not directly used by OpenVPN)
  .crt files -> client/server certificates (--cert)
  .key files -> private keys, keep secure (--key)
  .csr files -> certificate signing request (not directly used by OpenVPN)
  dh1024.pem or dh2048.pem -> Diffie Hellman parameters (--dh)
  pkitool --initca          -> Build root certificate
  pkitool --initca --pass   -> Build root certificate with password-protected key
  pkitool --server server1  -> Build "server1" certificate/key
  pkitool client1           -> Build "client1" certificate/key
  pkitool --pass client2    -> Build password-protected "client2" certificate/key
  pkitool --pkcs12 client3  -> Build "client3" certificate/key in PKCS#12 format
  pkitool --csr client4     -> Build "client4" CSR to be signed by another CA
  pkitool --sign client4    -> Sign "client4" CSR
  pkitool --inter interca   -> Build an intermediate key-signing certificate/key
                               Also see ./inherit-inter script.
  pkitool --pkcs11 /usr/lib/pkcs11/lib1 0 010203 "client5 id" client5
                              -> Build "client5" certificate/key in PKCS#11 token
Typical usage for initial PKI setup.  Build myserver, client1, and client2 cert/keys.
Protect client2 key with a password.  Build DH parms.  Generated files in ./keys :
  [edit vars with your site-specific info]
  source ./vars
  ./build-dh     -> takes a long time, consider backgrounding
  ./pkitool --initca
  ./pkitool --server myserver
  ./pkitool client1
  ./pkitool --pass client2
Typical usage for adding client cert to existing PKI:
  source ./vars
  ./pkitool client-new

Appendix B. configuration changes to var

Intended as a starting point. Specifically, the KEY_* variables really need extra scrutiny.

--- /usr/share/doc/openvpn/examples/easy-rsa/2.0/vars	2008-01-23 13:08:38.000000000 -0800
+++ vars	2008-08-27 12:24:27.491025700 -0700
@@ -12,7 +12,7 @@
 # This variable should point to
 # the top level of the easy-rsa
 # tree.
-export EASY_RSA="`pwd`"
+export EASY_RSA="/etc/pkitool"
 # This variable should point to
@@ -52,7 +52,7 @@
 export CA_EXPIRE=3650
 # In how many days should certificates expire?
-export KEY_EXPIRE=3650
+export KEY_EXPIRE=730
 # These are the default values for fields
 # which will be placed in the certificate.
@@ -60,5 +60,5 @@
 export KEY_COUNTRY="US"
 export KEY_CITY="SanFrancisco"
-export KEY_ORG="Fort-Funston"
-export KEY_EMAIL="me@myhost.mydomain"
+export KEY_ORG="Snake-Oil, LLC"
+export KEY_EMAIL="me@example.com"