This recipe shows how to set up an intermediary CA and how to configure OpenVPN to make use of an intermediary CA. The OpenVPN easy-rsa
scripts also include functionality to set up an intermediary CA. The advantage of an intermediary CA (or sub CA) is that the top-level CA (also known as the root CA) can be guarded more closely. The intermediary CAs can be distributed to the people responsible for generating the server and client certificates.
Set up the client and server certificates using the first recipe from Chapter 2, Client-server IP-only Networks. This recipe was performed on a computer running CentOS 6 Linux but it can easily be run on Windows or Mac OS.
$ cd /etc/openvpn/cookbook/ $ . ./vars $ ./build-inter IntermediateCA
$ openssl x509 -text -noout -in keys/IntermediateCA.crt | grep -C 1 CA X509v3 Basic Constraints: CA:TRUE Signature Algorithm: sha1WithRSAEncryption
keys
directory for our intermediary CA (the current directory is still /etc/openvpn/cookbook
):$ mkdir -m 700 -p IntermediateCA/keys $ cp [a-z]* IntermediateCA $ cd IntermediateCA
vars
file in the new directory and change the EASY_RSA
line to:export EASY_RSA=/etc/openvpn/cookbook/IntermediateCA
vars
file and set up the keys
directory:$ . ./vars $ ./clean-all $ cp ../keys/IntermediateCA.crt keys/ca.crt $ cp ../keys/IntermediateCA.key keys/ca.key
$ ./build-key IntermediateClient
$ openssl x509 -subject -issuer -noout -in keys/IntermediateClient.crt subject= /C=US/O=Cookbook 2.4/CN=IntermediateClient issuer= /C=US/O=Cookbook 2.4/CN=subCA/emailAddress=...
$ cd /etc/openvpn/cookbook $ cat keys/ca.crt IntermediateCA/keys/ca.crt > ca+subca.pem $ cp IntermediateCA/keys/IntermediateClient.{crt,key} . $ openssl verify -CAfile ca+subca.pem IntermediateClient.crt IntermediateClient.crt: OK
The intermediary CA certificate has the "right" to act as a certificate authority, meaning that it can sign new certificates itself. The intermediary CA needs a directory structure for this, which is very similar to the root CA directory structure. First, we set up this directory structure and then we copy over all the necessary files. After that we create a client certificate and verify that it is a valid certificate. In order to perform this validation, the entire certificate chain from the root-level CA to the intermediary CA to the client certificate need to be present. This is why the root CA public certificate and the intermediary CA public certificate are stacked into a single file. This single file is then used to perform the entire certificate chain validation.
Certificates that have been issued by an intermediary CA also need to be revoked by the same CA. This means that with multiple CAs you will also have to use multiple CRLs. Fortunately, CRLs can be stacked just like CA certificates: concatenate the files together using the cat
command, as will be explained in the next recipe.
13.59.27.141