Differences

This shows you the differences between two versions of the page.

--- wiki:webui:administration:openvpn:pki [2020/03/13 15:41]
ghi created
+++ wiki:webui:administration:openvpn:pki [2021/09/22 15:57] (current)
tda
@@ Line 51: / Line 51: @@
 </code>
-==== P12 Packaging ====
+==== P12 Packaging (PKCS#12) ====
+It is advised to have a PKCS#12 file containing the server certificate, the CA certificate, and the server private key. This will be referenced in the ''pkcs12 <file>'' directive of the server configuration file.
 The Wirnet™ gateway uses the secrets in a PKCS#12 encoded file. Use the following command to generate a .p12 file from the generated certificates/keys:
 <code bash>
-openssl pkcs12 -export -inkey private/ifemto_XXXXXX.pem -in certs/ifemto_XXXXXX.pem -name "ifemto 0x2eXXXXXX" -certfile cacerts/rootca.pem -caname "Kerlink root CA" -out ifemto_XXXXXX.p12
+# openssl pkcs12 -export -inkey private/ifemto_XXXXXX.pem -in certs/ifemto_XXXXXX.crt -name "ifemto 0x2eXXXXXX" -certfile certs/ca.crt -caname "Kerlink root CA" -out ifemto_XXXXXX.p12
+</code>
+<code bash>
 Enter Export Password:
 Verifying - Enter Export Password:
 </code>
-The password will have to be entered in the client configuration file (''client.conf'')
+The password will have to be entered in the client configuration file (''client-openvpn.conf'') using the ''askpass'' directive.
+\\
+\\
 ===== OpenVPN =====
-[[https://github.com/OpenVPN/easy-rsa|EasyRSA]] can be used to quickly generate secrets for the VPN server.
+OpenSSL or EasyRSA can be used to create the PKI and generate the OpenVPN keys and certificates. \\
+Note that it is more convenient and simplier to use EasyRSA then OpenSSL.
+==== OpenSSL ====
-It is advised to have a PKCS#12 file containing the server certificate, the CA certificate, and the server private key. This will be referenced in the ''pkcs12 <file>'' directive of the server configuration file.
-A DH file has to be generated with:
+=== Installation in your Ubuntu environment ===
+OpenSSL is already included in your Ubuntu distribution.
+You can check the version used by issuing the command:
 <code bash>
-openssl dhparam -out dh2048.pem 2048
+# openssl version
 </code>
+Openvpn must be installed:
+<code bash>
+# sudo apt install openvpn
+</code>
+=== Root certification authority ====
+== Prepare the CA directory ==
+Choose a directory (/root/ca) to store all keys and certificates.
+<code bash>
+# mkdir /root/ca
+# cd /root/ca
+# mkdir certs crl newcerts private
+# chmod 700 private
+# touch index.txt
+# echo 1000 > serial
+</code>
+== Prepare the configuration file ==
+You must create a configuration file for OpenSSL:
+vi ''/root/ca/openssl.cnf''
+<code bash>
+[ ca ]
+# `man ca`
+default_ca = CA_default
+[ CA_default ]
+# Directory and file locations.
+dir               = /root/ca
+certs             = $dir/certs
+crl_dir           = $dir/crl
+new_certs_dir     = $dir/newcerts
+database          = $dir/index.txt
+serial            = $dir/serial
+RANDFILE          = $dir/private/.rand
+# The root key and root certificate.
+private_key       = $dir/private/ca.key
+certificate       = $dir/certs/ca.crt
+# For certificate revocation lists.
+crlnumber         = $dir/crlnumber
+crl               = $dir/crl/ca.crl.pem
+crl_extensions    = crl_ext
+default_crl_days  = 30
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md        = sha256
+name_opt          = ca_default
+cert_opt          = ca_default
+default_days      = 375
+preserve          = no
+policy            = policy_strict
+[ policy_strict ]
+# The root CA should only sign intermediate certificates that match.
+# See the POLICY FORMAT section of `man ca`.
+countryName             = match
+stateOrProvinceName     = match
+organizationName        = match
+organizationalUnitName  = optional
+commonName              = supplied
+emailAddress            = optional
+[ policy_loose ]
+# Allow the intermediate CA to sign a more diverse range of certificates.
+# See the POLICY FORMAT section of the `ca` man page.
+countryName             = optional
+stateOrProvinceName     = optional
+localityName            = optional
+organizationName        = optional
+organizationalUnitName  = optional
+commonName              = supplied
+emailAddress            = optional
+[ req ]
+# Options for the `req` tool (`man req`).
+default_bits        = 2048
+distinguished_name  = req_distinguished_name
+string_mask         = utf8only
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md          = sha256
+# Extension to add when the -x509 option is used.
+x509_extensions     = v3_ca
+[ req_distinguished_name ]
+# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
+countryName                     = Country Name (2 letter code)
+stateOrProvinceName             = State or Province Name
+localityName                    = Locality Name (eg, city)
+.organizationName              = Organization Name (eg, company)
+organizationalUnitName          = Organizational Unit Name (eg, section)
+commonName                      = Common Name (eg: your user, host, or server name)
+emailAddress                    = Email Address
+# Optionally, specify some defaults.
+countryName_default             = FR
+stateOrProvinceName_default     = Bretagne
+localityName_default            = Thorigne-Fouillard
+.organizationName_default      = Kerlink
+organizationalUnitName_default  = DSC
+emailAddress_default            = tda@kerlink.fr
+[ v3_ca ]
+# Extensions for a typical CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+[ v3_intermediate_ca ]
+# Extensions for a typical intermediate CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true, pathlen:0
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+[ usr_cert ]
+# Extensions for client certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = client, email
+nsComment = "OpenSSL Generated Client Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth, emailProtection
+[ server_cert ]
+# Extensions for server certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = server
+nsComment = "OpenSSL Generated Server Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
+[ crl_ext ]
+# Extension for CRLs (`man x509v3_config`).
+authorityKeyIdentifier=keyid:always
+[ ocsp ]
+# Extension for OCSP signing certificates (`man ocsp`).
+basicConstraints = CA:FALSE
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, digitalSignature
+extendedKeyUsage = critical, OCSPSigning
+</code>
+== Create the Root key ==
+<code bash>
+# cd /root/ca
+# openssl genrsa -aes256 -out private/ca.key 4096
+</code>
+<code bash>
+Enter pass phrase for ca.key: secretpassword
+Verifying - Enter pass phrase for ca.key: secretpassword
+# chmod 400 private/ca.key
+</code>
+== Create the root certificate==
+<code bash>
+# cd /root/ca
+# openssl req -config openssl.cnf -key private/ca.key -new -x509 -days 7300 -sha256 -extensions v3_ca -out certs/ca.crt
+</code>
+<code bash>
+Enter pass phrase for ca.key: secretpassword
+You are about to be asked to enter information that will be incorporated
+into your certificate request.
+-----
+Country Name (2 letter code) [XX]:FR
+State or Province Name []: Bretagne
+Locality Name []: Thorigne-Fouillard
+Organization Name []: Kerlink
+Organizational Unit Name []: DSC
+Common Name []: Kerlink CA
+Email Address []: tda@kerlink.fr
+# chmod 444 certs/ca.crt
+</code>
+== Check the root certificate==
+<code bash>
+# openssl x509 -noout -text -in certs/ca.crt
+# openssl verify -CAfile certs/ca.crt certs/ca.crt
+</code>
+=== VPN server Key & Certificate ===
+== Create the server Key ==
+<code bash>
+# cd /root/ca/private
+# openssl genrsa -aes256 -out server.key 2048
+# chmod 400 server.key
+</code>
+== Create the server Certificate ==
+<code bash>
+# cd /root/ca/csr
+# openssl req -config ../openssl.cnf -key ../private/server.key -new -sha256 -out server.csr
+</code>
+<code bash>
+Enter pass phrase for server.key: secretpassword
+You are about to be asked to enter information that will be incorporated
+into your certificate request.
+-----
+Country Name (2 letter code) [XX]:FR
+State or Province Name []:Bretagne
+Locality Name []:Thorigne-Fouillard
+Organization Name []:Kerlink
+Organizational Unit Name []:DSC
+Common Name []:server
+Email Address []:tda@kerlink.fr
+</code>
+=== Generate the server Certificate ===
+<code bash>
+# cd /root/ca/certs
+# openssl ca -config ../openssl.cnf -extensions server_cert -days 375 -notext -md sha256 -in server.csr -out server.crt
+# chmod 444 server.crt
+</code>
+=== Check the server Certificate ===
+<code bash>
+# cd /root/CA/certs/
+# openssl verify -CAfile ca.crt server.crt
+</code>
+=== Client Key & Certificate ===
+== Create the Client Key ==
+<code bash>
+# cd /root/ca/private
+# openssl genrsa -aes256 -out client.key 2048
+# chmod 400 client.key
+</code>
+== Create the Client Certificate ==
+<code bash>
+# cd /root/ca/cert
+# openssl req -config ../openssl.cnf -key ../private/client.key -new -sha256 -out client.csr
+</code>
+<code bash>
+Enter pass phrase for client.key: secretpassword
+You are about to be asked to enter information that will be incorporated
+into your certificate request.
+-----
+Country Name (2 letter code) [XX]:FR
+State or Province Name []:Bretagne
+Locality Name []:Thorigne-Fouillard
+Organization Name []:Kerlink
+Organizational Unit Name []:DSC
+Common Name []:client
+Email Address []:tda@kerlink.fr
+</code>
+=== Generate the client Certificate ===
+<code bash>
+# cd /root/ca/certs
+# openssl ca -config ../openssl.cnf \
+      -extensions usr_cert -days 375 -notext -md sha256 \
+      -in client.csr \
+      -out client.crt
+# chmod 444 client.crt
+</code>
+=== Check the client Certificate ===
+<code bash>
+# cd /root/ca/certs/
+# openssl verify -CAfile ca.crt client.crt
+</code>
+=== Generate the Diffie-Hellman (DH) parameters ===
+<code bash>
+# cd /root/ca
+# openssl dhparam -out dh2048.pem 2048
+</code>
+\\
+\\
+==== EasyRSA ====
+=== Installation in your Ubuntu environment ===
+<code bash>
+# sudo apt install openvpn easy-rsa
+</code>
+<code bash>
+# cp -a /usr/share/easy-rsa /root/easy-rsa
+</code>
+=== Root certification authority ====
+== Prepare the configuration file ==
+<code bash>
+# mv vars.example vars
+</code>
+Edit the file and modify the following parameters :
+<code bash>
+# Choices are:
+#   cn_only  - use just a CN value
+#   org      - use the "traditional" Country/Province/City/Org/OU/email/CN format
+set_var EASYRSA_DN      "org"
+# Organizational fields (used with 'org' mode and ignored in 'cn_only' mode.)
+# These are the default values for fields which will be placed in the
+# certificate.  Don't leave any of these fields blank, although interactively
+# you may omit any specific field by typing the "." symbol (not valid for
+# email.)
+set_var EASYRSA_REQ_COUNTRY     "FR"
+set_var EASYRSA_REQ_PROVINCE    "Bretagne"
+set_var EASYRSA_REQ_CITY        "Thorigne-Fouillard"
+set_var EASYRSA_REQ_ORG         "Kerlink"
+set_var EASYRSA_REQ_EMAIL       "tda@kerlink.fr"
+set_var EASYSA_REQ_OU           "DSC"
+</code>
+<code bash>
+# ./easyrsa init-pki
+</code>
+== Create the CA certificate ==
+<code bash>
+# ./easyrsa build-ca
+</code>
+<code bash>
+Generating a 2048 bit RSA private key
+.............................+++
+................+++
+writing new private key to 'ca.key'
+-----
+You are about to be asked to enter information that will be incorporated
+into your certificate request.
+What you are about to enter is what is called a Distinguished Name or a DN.
+There are quite a few fields but you can leave some blank
+For some fields there will be a default value,
+If you enter '.', the field will be left blank.
+-----
+Country Name (2 letter code) [FR]:
+State or Province Name (full name) [Bretagne]:
+Locality Name (eg, city) [Thorigne-Fouillard]:
+Organization Name (eg, company) [kerlink]:
+Organizational Unit Name (eg, section) [DSC]:
+Common Name (eg, your name or your server's hostname) []: CA
+Name []: Kerlink CA
+Email Address [tda@kerlink.fr]:
+</code>
+Use default values and just define the CN and name.
+=== VPN server Key & Certificate  ===
+<code bash>
+# ./easyrsa gen-req server nopass
+</code>
+<code bash>
+Generating a 2048 bit RSA private key
+.........+++
+............................................+++
+writing new private key to 'server.key'
+-----
+You are about to be asked to enter information that will be incorporated
+into your certificate request.
+What you are about to enter is what is called a Distinguished Name or a DN.
+There are quite a few fields but you can leave some blank
+For some fields there will be a default value,
+If you enter '.', the field will be left blank.
+-----
+Country Name (2 letter code) [FR]:
+State or Province Name (full name) [Bretagne]:
+Locality Name (eg, city) [Thorigne-Fouillard]:
+Organization Name (eg, company) [kerlink]:
+Organizational Unit Name (eg, section) [DSC]:
+Common Name (eg, your name or your server's hostname) []:server
+Name []: server
+Email Address [tda@kerlink.fr]:
+Keypair and certificate request completed. Your files are:
+req: /root/easy-rsa/pki/reqs/server.req
+key: /root/easy-rsa/pki/private/server.key
+</code>
+=== Sign the server Certificate Signature Request (CSR) ===
+<code bash>
+# ./easyrsa sign-req server server
+</code>
+=== Client Key & Certificate Request ===
+The option build-client-full <client name> nopass generates a client certificate and key.
+<code bash>
+# ./easyrsa build-client-full client1 nopass
+</code>
+=== Generate Diffie-Hellman (DH) parameters ===
+<code bash>
+# ./easyrsa gen-dh
+</code>
+\\
+\\
+==== P12 Packaging (PKCS#12) ====
+It is advised to have a PKCS#12 file containing the public certificate, the CA certificate, and the private key. \\
+This will be referenced in the ''pkcs12 <file>'' directive in the server and client's configuration file.
+The Wirnet™ gateway uses the secrets in a PKCS#12 encoded file. Use the following command to generate a .p12 file from the generated certificates/keys:
+For the server:
+<code bash>
+# openssl pkcs12 -export -inkey private/server.key -in certs/server.crt  -certfile certs/ca.crt -out server.p12
+</code>
+<code bash>
+Enter Export Password:
+Verifying - Enter Export Password:
+</code>
+The password will have to be entered in the server configuration file (''server-openvpn.conf'') using the ''askpass'' directive.
+For the client:
+<code bash>
+# openssl pkcs12 -export -inkey private/client1.key -in certs/client1.crt -certfile certs/ca.crt -out client1.p12
+</code>
+<code bash>
+Enter Export Password:
+Verifying - Enter Export Password:
+</code>
+The password will have to be entered in the client configuration file (''client-openvpn.conf'') using the ''askpass'' directive.
+\\
+\\
+Note: if certificates have been generated by easyRSA, please replace the directory certs/ by issued/.
+\\
+===== Useful links =====
+[[https://jamielinux.com/docs/openssl-certificate-authority/introduction.html]] explains how to create a PKI with OpenSSL. \\
+[[https://github.com/OpenVPN/easy-rsa|EasyRSA]] EasyRSA GITHub. \\
+[[https://openvpn.net/community-resources/setting-up-your-own-certificate-authority-ca/]] explains how to use EasyRSA to create a PKI (applicable to Ubuntu 14.04).\\
+[[https://www.digitalocean.com/community/tutorials/how-to-set-up-and-configure-an-openvpn-server-on-ubuntu-20-04-fr]] explains how to use EasyRSA to create a PKI (applicable to Ubuntu 20.04)(french).\\
+[[https://wiki.gentoo.org/wiki/Create_a_Public_Key_Infrastructure_Using_the_easy-rsa_Scripts]] explains how to create a PKI using Easy-RSA (applicable to Ubuntu 20.04)(english).\\
+[[https://stackoverflow.com/questions/21141215/creating-a-p12-file]] explains how to create a PKCS#12 (P12) archive.

Wanesy™ SPN (End Of Life)

User Tools

Site Tools

Differences

Page Tools