This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision | ||
|
wiki:webui:administration:openvpn:pki [2021/09/22 13:05] tda |
wiki:webui:administration:openvpn:pki [2021/09/22 15:57] (current) tda |
||
|---|---|---|---|
| Line 50: | Line 50: | ||
| | ipsec pki --issue --lifetime 730 --cacert cacerts/rootca.pem --cakey private/rootca.pem --dn "C=FR, O=Kerlink, CN=klk-wifc-XXXXXX" --outform pem > certs/ifemto_XXXXXX.pem | | ipsec pki --issue --lifetime 730 --cacert cacerts/rootca.pem --cakey private/rootca.pem --dn "C=FR, O=Kerlink, CN=klk-wifc-XXXXXX" --outform pem > certs/ifemto_XXXXXX.pem | ||
| </code> | </code> | ||
| + | |||
| + | ==== P12 Packaging (PKCS#12) ==== | ||
| + | |||
| + | It is advised to have a PKCS#12 file containing the server certificate, the CA certificate, and the server private key. This will be referenced in the ''pkcs12 <file>'' directive of the server configuration file. | ||
| + | |||
| + | The Wirnet™ gateway uses the secrets in a PKCS#12 encoded file. Use the following command to generate a .p12 file from the generated certificates/keys: | ||
| + | |||
| + | <code bash> | ||
| + | # openssl pkcs12 -export -inkey private/ifemto_XXXXXX.pem -in certs/ifemto_XXXXXX.crt -name "ifemto 0x2eXXXXXX" -certfile certs/ca.crt -caname "Kerlink root CA" -out ifemto_XXXXXX.p12 | ||
| + | </code> | ||
| + | <code bash> | ||
| + | Enter Export Password: | ||
| + | Verifying - Enter Export Password: | ||
| + | </code> | ||
| + | |||
| + | The password will have to be entered in the client configuration file (''client-openvpn.conf'') using the ''askpass'' directive. | ||
| \\ | \\ | ||
| Line 55: | Line 71: | ||
| ===== OpenVPN ===== | ===== OpenVPN ===== | ||
| - | OpenSSL or EasyRSA can be used to create the PKI and generate the OpenVPN keys and certificates. | + | OpenSSL or EasyRSA can be used to create the PKI and generate the OpenVPN keys and certificates. \\ |
| + | Note that it is more convenient and simplier to use EasyRSA then OpenSSL. | ||
| + | |||
| ==== OpenSSL ==== | ==== OpenSSL ==== | ||
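Review bot: spelling in the added note: "simplier" should be "simpler" and "then" should be "than" ("it is more convenient and simpler to use EasyRSA than OpenSSL"). Since the page keeps documenting both paths, one clause on why (EasyRSA wraps the openssl.cnf and signing bookkeeping that the OpenSSL section walks through by hand) would help readers choose.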
| Line 338: | Line 355: | ||
| Organization Name []:Kerlink | Organization Name []:Kerlink | ||
| Organizational Unit Name []:DSC | Organizational Unit Name []:DSC | ||
| - | Common Name []:server | + | Common Name []:client |
| Email Address []:tda@kerlink.fr | Email Address []:tda@kerlink.fr | ||
| </code> | </code> | ||
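Review bot: changing the Common Name from `server` to `client` is the right fix for a client CSR, but the example value invites a second problem: the CN must be unique per client. OpenVPN treats the CN as the client identity, so a new connection with an already-connected CN displaces the existing one unless `duplicate-cn` is set, and per-client `client-config-dir` entries are keyed on it. Suggest a distinct name per device (the gateway identifier, for instance) rather than the literal `client`, and keep it consistent with the `client1` file names used in the PKCS#12 section at line 512.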
| Line 347: | Line 364: | ||
| # cd /root/ca/certs | # cd /root/ca/certs | ||
| # openssl ca -config ../openssl.cnf \ | # openssl ca -config ../openssl.cnf \ | ||
| - | -extensions server_cert -days 375 -notext -md sha256 \ | + | -extensions usr_cert -days 375 -notext -md sha256 \ |
| -in client.csr \ | -in client.csr \ | ||
| -out client.crt | -out client.crt | ||
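Review bot: switching `-extensions server_cert` to `usr_cert` for the client certificate is a security fix, not a cosmetic one, and the text should say so. If `openssl.cnf` follows the usual `server_cert`/`usr_cert` definitions, `server_cert` carries `extendedKeyUsage = serverAuth`, so a client certificate signed with it would satisfy the client-side `remote-cert-tls server` check and let any holder of that client certificate impersonate the VPN server to other clients. Suggest one sentence stating that client certificates must carry `clientAuth` only, paired with `remote-cert-tls client` on the server and `remote-cert-tls server` on the client, and a quick check after signing: `openssl x509 -in client.crt -noout -text | grep -A1 'Extended Key Usage'` should show `TLS Web Client Authentication` and not `TLS Web Server Authentication`.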
| Line 356: | Line 373: | ||
| <code bash> | <code bash> | ||
| - | # cd /root/CA/certs/ | + | # cd /root/ca/certs/ |
| # openssl verify -CAfile ca.crt client.crt | # openssl verify -CAfile ca.crt client.crt | ||
| </code> | </code> | ||
| - | === Generate the Diffie-Hellman (DH) parameters | + | === Generate the Diffie-Hellman (DH) parameters === |
| <code bash> | <code bash> | ||
| + | # cd /root/ca | ||
| # openssl dhparam -out dh2048.pem 2048 | # openssl dhparam -out dh2048.pem 2048 | ||
| </code> | </code> | ||
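Review bot: the added `cd /root/ca` before `openssl dhparam` fixes where `dh2048.pem` lands (without it the file would have been written into `certs/`, where the verify step left the reader), so whatever the `dh` directive in the server configuration references must now point at `/root/ca/dh2048.pem`; worth stating next to the command. The `/root/CA` -> `/root/ca` case fix and the closed `=== ... ===` heading are fine.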
| Line 499: | Line 517: | ||
| \\ | \\ | ||
| \\ | \\ | ||
| - | ===== P12 Packaging (PKCS#12) ===== | + | ==== P12 Packaging (PKCS#12) ==== |
| - | It is advised to have a PKCS#12 file containing the server certificate, the CA certificate, and the server private key. This will be referenced in the ''pkcs12 <file>'' directive of the server configuration file. | + | It is advised to have a PKCS#12 file containing the public certificate, the CA certificate, and the private key. \\ |
| + | This will be referenced in the ''pkcs12 <file>'' directive in the server and client's configuration file. | ||
| The Wirnet™ gateway uses the secrets in a PKCS#12 encoded file. Use the following command to generate a .p12 file from the generated certificates/keys: | The Wirnet™ gateway uses the secrets in a PKCS#12 encoded file. Use the following command to generate a .p12 file from the generated certificates/keys: | ||
| + | For the server: | ||
| <code bash> | <code bash> | ||
| - | # openssl pkcs12 -export -inkey private/ifemto_XXXXXX.pem -in certs/ifemto_XXXXXX.crt -name "ifemto 0x2eXXXXXX" -certfile certs/ca.crt -caname "Kerlink root CA" -out ifemto_XXXXXX.p12 | + | # openssl pkcs12 -export -inkey private/server.key -in certs/server.crt -certfile certs/ca.crt -out server.p12 |
| </code> | </code> | ||
| <code bash> | <code bash> | ||
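Review bot: dropping the `-name`/`-caname` friendly names from the server bundle is fine for OpenVPN, but `private/server.key`, `certs/server.crt` and `certs/ca.crt` are relative paths, so the command only works from `/root/ca` (where the DH step leaves the reader); say so explicitly, because the verify step earlier had moved into `certs/`. Also flag that `server.p12` now holds the server private key: create it with a restrictive umask or `chmod 600 server.p12`, do not leave it in a world-readable directory, and treat the export password as the key's only protection once the file is copied to the gateway.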
| Line 512: | Line 532: | ||
| Verifying - Enter Export Password: | Verifying - Enter Export Password: | ||
| </code> | </code> | ||
| + | The password will have to be entered in the server configuration file (''server-openvpn.conf'') using the ''askpass'' directive. | ||
| - | The password will have to be entered in the client configuration file (''client-openvpn.conf'') | + | For the client: |
| + | <code bash> | ||
| + | # openssl pkcs12 -export -inkey private/client1.key -in certs/client1.crt -certfile certs/ca.crt -out client1.p12 | ||
| + | </code> | ||
| + | <code bash> | ||
| + | Enter Export Password: | ||
| + | Verifying - Enter Export Password: | ||
| + | </code> | ||
| + | |||
| + | The password will have to be entered in the client configuration file (''client-openvpn.conf'') using the ''askpass'' directive. | ||
| + | \\ | ||
| \\ | \\ | ||
| + | Note: if certificates have been generated by easyRSA, please replace the directory certs/ by issued/. | ||
| \\ | \\ | ||