This recipe will demonstrate how to create and sign a certificate request using plain openssl
commands. This is slightly different from using the easy-rsa
scripts, but very instructive.
Set up the easy-rsa
certificate environment using the first recipe from Chapter 2, Client-server IP-only Networks, by sourcing the vars
file. This recipe was performed on a computer running Fedora 22 Linux but it can easily be run on Windows or MacOS. Note that the easy-rsa
package can be downloaded independently of OpenVPN itself.
Before we can use plain openssl
commands to generate and sign a request, there are a few environment variables that need to be set. These variables are not set in the vars
file by default.
$ cd /etc/openvpn/cookbook $ . ./vars $ export KEY_CN= $ export KEY_OU= $ export KEY_NAME= $ export OPENSSL_CONF=/etc/openvpn/cookbook/openssl- 1.0.0.cnf
Note that the openssl-1.0.0.cnf
file is part of the easy-rsa distribution and should already be present in the directory /etc/openvpn/cookbook
.
-nodes
to the openssl req
command:$ openssl req -nodes -newkey rsa:2048 -new -out client.req -subj "/C=NL/O=Cookbook/CN=MyClient" Generating a 2048 bit RSA private key .......................................++++++ ............++++++ writing new private key to 'privkey.pem' -----
$ openssl ca -in client.req -out client.crt Using configuration from /etc/openvpn/cookbook/openssl.cnf Enter pass phrase for /etc/openvpn/cookbook/keys/ca.key: [enter CA key password] Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows countryName :PRINTABLE:'NL' organizationName :PRINTABLE:'Cookbook' commonName :PRINTABLE:'MyClient' Certificate is to be certified until Apr 20 15:08:25 2026 GMT (3650 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated
The first step is always to generate a private key. In this recipe, we generate a private key without a password, which is not really secure. A certificate request is signed using the private key to prove that the certificate request and the private key belong together. The openssl req
command generates both the private key and the certificate requests in one go.
The second step is to sign the certificate request using the private key of the Certificate Authority (CA). This results in an X.509 certificate file, which can be used in OpenVPN.
A copy of the (public) X.509 certificate is also stored in the /etc/openvpn/cookbook/keys
directory. This copy is important if the certificate needs to be revoked later on, so do not remove it from that directory.
It is also possible to generate a private key protected by a password ("pass phrase" in OpenSSL terms). In order to generate such a private key, simply remove the -nodes
command line parameter:
$ openssl req -newkey rsa:1024 -new -out client.req -subj "/C=NL/O=Cookbook/CN=MyClient"
The OpenSSL command will now ask for a passphrase:
Enter PEM pass phrase: Verifying - Enter PEM pass phrase:
easy-rsa
scripts is explained3.144.12.29