Certificate generation

This recipe will demonstrate how to create and sign a certificate request using plain openssl commands. This is slightly different from using the easy-rsa scripts, but very instructive.

Getting ready

Set up the easy-rsa certificate environment using the first recipe from Chapter 2, Client-server IP-only Networks, by sourcing the vars file. This recipe was performed on a computer running Fedora 22 Linux but it can easily be run on Windows or MacOS. Note that the easy-rsa package can be downloaded independently of OpenVPN itself.

How to do it...

Before we can use plain openssl commands to generate and sign a request, there are a few environment variables that need to be set. These variables are not set in the vars file by default.

  1. Add the missing environment variables:
           $ cd /etc/openvpn/cookbook
           $ . ./vars
           $ export KEY_CN=
           $ export KEY_OU=
           $ export KEY_NAME=
           $ export OPENSSL_CONF=/etc/openvpn/cookbook/openssl-1.0.0.cnf
    

    Note that the openssl-1.0.0.cnf file is part of the easy-rsa distribution and should already be present in the directory /etc/openvpn/cookbook.

  2. Next, we generate the certificate request without a password. This is achieved by adding the option -nodes to the openssl req command:
           $ openssl req -nodes -newkey rsa:2048 -new -out client.req \
             -subj "/C=NL/O=Cookbook/CN=MyClient"
       Generating a 2048 bit RSA private key
       .......................................++++++
       ............++++++
       writing new private key to 'privkey.pem'
       -----
    
  3. Finally, we sign the certificate request using the Certificate Authority private key:
           $ openssl ca -in client.req -out client.crt
        Using configuration from /etc/openvpn/cookbook/openssl.cnf
        Enter pass phrase for /etc/openvpn/cookbook/keys/ca.key:
        [enter CA key password]
        Check that the request matches the signature
        Signature ok
        The Subject's Distinguished Name is as follows
        countryName           :PRINTABLE:'NL'
        organizationName      :PRINTABLE:'Cookbook'
        commonName            :PRINTABLE:'MyClient'
        Certificate is to be certified until Apr 20 15:08:25 2026 GMT (3650 days)
        Sign the certificate? [y/n]:y
        1 out of 1 certificate requests certified, commit? [y/n]y
        Write out database with 1 new entries
        Data Base Updated
    

How it works...

The first step is always to generate a private key. In this recipe, we generate a private key without a password, which is not really secure. The certificate request is signed using that private key to prove that the request and the private key belong together. The openssl req command generates both the private key and the certificate request in one go.

The second step is to sign the certificate request using the private key of the Certificate Authority (CA). This results in an X.509 certificate file, which can be used in OpenVPN.

A copy of the (public) X.509 certificate is also stored in the /etc/openvpn/cookbook/keys directory. This copy is important if the certificate needs to be revoked later on, so do not remove it from that directory.
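The following script is an added example (not from the book or the easy-rsa project) that walks the same path end to end on a throwaway CA and then runs the checks an operator would want after issuing: the request's own signature verifies, the issued certificate chains to the CA, and the certificate's public key matches the generated private key. It assumes the openssl CLI is installed and uses openssl x509 -req for the signing step instead of the recipe's openssl ca, so that no openssl.cnf or index database is needed; all names and paths are constructed.

```shell
#!/bin/sh
# Added example: throwaway CA, passwordless client key + CSR (-nodes),
# signing, then verification of what was issued. Assumes the openssl CLI.
set -eu

WORK="$(mktemp -d)"          # constructed scratch directory
cd "$WORK"

# 1. Throwaway self-signed CA. In the recipe this already exists in keys/.
openssl req -x509 -nodes -newkey rsa:2048 -days 30 \
  -keyout ca.key -out ca.crt -subj "/C=NL/O=Cookbook/CN=Cookbook CA" \
  >/dev/null 2>&1

# 2. Client key and request without a passphrase (the -nodes case).
#    -keyout names the key file instead of the default privkey.pem.
openssl req -nodes -newkey rsa:2048 -new -keyout client.key -out client.req \
  -subj "/C=NL/O=Cookbook/CN=MyClient" >/dev/null 2>&1

# 3. Sign the request with the CA key. 'openssl x509 -req' replaces the
#    recipe's 'openssl ca'; -CAcreateserial writes ca.srl on first use.
openssl x509 -req -in client.req -CA ca.crt -CAkey ca.key -CAcreateserial \
  -days 365 -out client.crt >/dev/null 2>&1

# Returns 0 only if all three post-issuance checks pass.
check_issued_cert() {
  # CSR self-signature: the request and private key belong together.
  openssl req -in client.req -verify -noout >/dev/null 2>&1 || return 1
  # The issued certificate must chain to the CA that signed it.
  openssl verify -CAfile ca.crt client.crt >/dev/null 2>&1 || return 1
  # The public key inside the cert must be the one derived from client.key.
  cert_pub="$(openssl x509 -in client.crt -pubkey -noout)"
  key_pub="$(openssl pkey -in client.key -pubout)"
  [ "$cert_pub" = "$key_pub" ] || return 1
  return 0
}

# Subject the CA actually put into the certificate, for a quick eyeball check.
cert_subject() {
  openssl x509 -in client.crt -noout -subject
}

check_issued_cert && echo "client.crt: CSR, chain and key-match checks passed"
cert_subject
```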

There's more...

It is also possible to generate a private key protected by a password ("pass phrase" in OpenSSL terms). In order to generate such a private key, simply remove the -nodes command line parameter:

$ openssl req -newkey rsa:1024 -new -out client.req \
    -subj "/C=NL/O=Cookbook/CN=MyClient"

The OpenSSL command will now ask for a passphrase:

Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:

See also

  • The Setting up the public and private keys recipe from Chapter 2, Client-server IP-only Networks, where the initial setup of the PKI using the easy-rsa scripts is explained