Setting up the public and private keys

Before we can set up a client/server VPN, we need to set up the public key infrastructure (PKI). The PKI comprises the certificate authority, the private keys, and the certificates (public keys) for both the client and server. We also need to generate a Diffie-Hellman parameter file, which is required for perfect forward secrecy.

To set up PKI, we make use of the easy-rsa scripts. These scripts were originally supplied with the OpenVPN distribution itself, but nowadays, they can also be downloaded and installed separately.

Getting ready

The PKI needs to be set up on a trusted computer. This can be the same as the computer on which the OpenVPN server is run, but from a security point of view, it is best if the PKI is kept completely separate from the rest of the OpenVPN services. One option is to keep the PKI certificate authority (CA) key located on a separate external disk, which is attached only when required. Another option would be to keep the CA private key on a separate computer that is not hooked up to any network at all.

This recipe was done on Linux, but can also be done on a Mac OS machine. On Windows, the commands are very similar as well. The Linux easy-rsa scripts are meant to be run from a bash-like shell, so make sure you are not running csh/tcsh (UNIX shells).

How to do it...

  1. Create the directories for the PKI and copy over the easy-rsa distribution from your OpenVPN installation:
          $ mkdir -m 700 -p /etc/openvpn/cookbook/keys
          $ cd /etc/openvpn/cookbook
          $ cp -drp /usr/share/easy-rsa/2.0/* .
    

    Note

    Note that there is no need to run these commands as the root user, provided that the user is allowed to create the above directory path.

  2. Next, we set up the vars file. Create a file containing the following:
            export EASY_RSA=/etc/openvpn/cookbook 
            export OPENSSL="openssl" 
            export PKCS11TOOL="pkcs11-tool" 
            export GREP="grep" 
            export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA` 
            export KEY_DIR="$EASY_RSA/keys" 
            export PKCS11_MODULE_PATH="dummy" 
            export PKCS11_PIN="dummy" 
            export KEY_SIZE=2048 
            export CA_EXPIRE=3650 
            export KEY_EXPIRE=1000 
            export KEY_COUNTRY="US" 
            export KEY_PROVINCE= 
            export KEY_CITY= 
            export KEY_ORG="Cookbook 2.4" 
            export KEY_OU= 
            export KEY_CN= 
            export KEY_EMAIL="[email protected]" 
    

    Note

    Note that the PKCS11_MODULE_PATH and PKCS11_PIN entries are needed even if you are not using smart cards.

    Also note that some KEY_ variables are set to an empty value. This is required for generating certificates in a batch, as we shall see later on.

    The default KEY_SIZE of 2048 bits is sufficiently secure for the next few years. A larger key size (4096 bits) is possible, but the tradeoff is a performance penalty. We shall generate a 4096 bit CA private key, as performance is not an issue here.

    Adjust the settings (KEY_ORG, KEY_OU, KEY_EMAIL) to reflect your organization. The meaning of these settings is explained in more details later.

  3. Source the vars file and generate the CA private key and certificate, using a 4096-bit modulus. Choose a strong password for the CA certificate. After that, simply press the Enter key every time the script asks for input:
          $ cd /etc/openvpn/cookbook
          $ . ./vars
          $ ./clean-all
          $ KEY_SIZE=4096 ./build-ca --pass
    

    Sample output is shown in the following screenshot:

    How to do it...
  4. Next, we build the server certificate. As we do not wish to include an e-mail address in every certificate, we now set the KEY_EMAIL variable to an empty value. When the script asks for input, press the Enter key. When the script asks for the CA private key (ca.key) password, enter the password for the CA certificate. Finally, when the script asks for a [y/n] answer, type y:
            $ export KEY_EMAIL=
            $ ./build-key-server openvpnserver
            Generating a 2048 bit RSA private key
                                          
            ............................................................
            ............................+++
    ...........................................+++
            writing new private key to 'openvpnserver.key'
            -----
            You are about to be asked to enter information that will be 
            incorporated
            into your certificate request.
            What you are about to enter is what is called a Distinguished 
            Name or a DN.
            There are quite a few fields but you can leave some blank
            For some fields there will be a default value,
            If you enter '.', the field will be left blank.
            -----
            Country Name (2 letter code) [US]:
            State or Province Name (full name) []:
            Locality Name (eg, city) []:
            Organization Name (eg, company) [Cookbook 2.4]:
            Organizational Unit Name (eg, section) []:
            Common Name (eg, your name or your server's hostname)         
            [openvpnserver]:
                Name []:
                Email Address []:
            Please enter the following 'extra' attributes
            to be sent with your certificate request
            A challenge password []:
            An optional company name []:
            Using configuration from /etc/openvpn/cookbook/openssl-
            1.0.0.cnf
            Enter pass phrase for /etc/openvpn/cookbook/keys/ca.key:
            Check that the request matches the signature
            Signature ok
            The Subject's Distinguished Name is as follows
            countryName           :PRINTABLE:'US'
            organizationName      :PRINTABLE:'Cookbook 2.4'
            commonName            :PRINTABLE:'openvpnserver'
            Certificate is to be certified until Oct 13 17:49:24 2018 GMT 
            (1000 days)
            Sign the certificate? [y/n]:y
            1 out of 1 certificate requests certified, commit? [y/n]y
            Write out database with 1 new entries
            Data Base Updated
    
  5. The first client certificate is generated in a batch. It is a very fast method for generating a client certificate, but it is not possible to set a password on the client's private key file. It is still required to enter the ca.key password:
          $ ./build-key --batch client1
    

    Sample output is shown in the following screenshot:

    How to do it...
  6. The second client certificate is generated with a password. Choose a strong password (but different from the CA certificate password!). The output is abbreviated for clarity:
            $ ./build-key-pass --batch client2
            Generating a 2048 bit RSA private key
            ............+++
            ...............+++
            writing new private key to 'client2.key'
            Enter PEM pass phrase:
            Verifying - Enter PEM pass phrase:
            -----
            Using configuration from /etc/openvpn/cookbook/openssl-
            1.0.0.cnf
            Enter pass phrase for /etc/openvpn/cookbook/keys/ca.key:
            Check that the request matches the signature
            Signature ok
            The Subject's Distinguished Name is as follows
            countryName           :PRINTABLE:'US'
            organizationName      :PRINTABLE:'Cookbook 2.4'
            commonName            :PRINTABLE:'client2'
            Certificate is to be certified until Oct 13 17:59:15 2018 GMT 
            (1000 days)
            Write out database with 1 new entries
            Data Base Updated
    
  7. Next, build the Diffie-Hellman parameter file for the server:
    How to do it...
  8. And finally, generate the tls-auth key file:
           $ openvpn --genkey --secret ta.key
    

How it works...

The easy-rsa scripts are a handy set of wrapper scripts around some of the openssl ca commands. The openssl ca commands are commonly used to set up a PKI using X509 certificates. The build-dh script is a wrapper for the openssl dh command.

There's more...

The easy-rsa scripts provide a full PKI setup, supporting different platforms and many settings. Some of these are outlined here.

Using the easy-rsa scripts on Windows

To use the easy-rsa scripts on Windows, a command window (cmd.exe) is required and the starting ./ needs to be removed from all the commands, for example:

[Win]C:> vars
[Win]C:> clean-all
[Win]C:> build-ca

Some notes on the different variables

The following variables are set in the vars file:

  • KEY_SIZE=2048: This is the cipher strength for all private keys. The longer the key size is, the stronger the encryption. Unfortunately, it also makes the encryption process slower.
  • CA_EXPIRE=3650: This gives the number of days the CA certificate is considered valid, thus translating to a period of 10 years. For a medium-secure setup, this is fine; however, if stronger security is required, this number needs to be lowered.
  • KEY_EXPIRE=1000: This gives the number of days for which the client of the server certificate is considered valid, thus translating to a period of almost 3 years.
  • KEY_COUNTRY="US"KEY_PROVINCE=KEY_CITY=KEY_ORG="Cookbook 2.4"[email protected]: These variables are all used to form the certificate Distinguished Name (DN). None of them are required, but both OpenVPN and OpenSSL suggest using at least KEY_COUNTRY to indicate where a certificate was issued.

See also

  • See Chapter 4PKI, Certificates, and OpenSSL, for a lengthier introduction to the easy-rsa scripts and the openssl commands
..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset
18.191.117.57