====== VPN - PKI management ======

The following are command examples that may be used to create secrets for the VPN connection. It is assumed that these commands are typed on the VPN server side (not on the gateway).

===== IPsec / strongswan =====

==== Root certification authority ====

First, create a root certification authority. It will be used to sign the VPN server and client certificates. The certificate itself is self-signed, but it could be signed by a trusted CA (this case is not documented here).

<code bash>
# Work in /etc/ipsec.d
cd /etc/ipsec.d

# Create a 4096 bit private key
ipsec pki --gen --type rsa --size 4096 --outform pem > private/rootca.pem
chmod 600 private/rootca.pem

# Create a 10 year certificate
ipsec pki --self --ca --lifetime 3650 --in private/rootca.pem --type rsa \
    --dn "C=FR, O=Kerlink, CN=Kerlink Root CA" --outform pem > cacerts/rootca.pem
</code>

==== VPN server certificate ====

Then, create a certificate and private key that will be used by the VPN server:

<code bash>
# Create a 2048 bit VPN private key
ipsec pki --gen --type rsa --size 2048 --outform pem > private/vpnkey.pem
chmod 600 private/vpnkey.pem

# Create a 2 year VPN certificate (serverAuth / ikeIntermediate flags mark it as a server certificate)
ipsec pki --pub --in private/vpnkey.pem --type rsa \
    | ipsec pki --issue --lifetime 730 --cacert cacerts/rootca.pem --cakey private/rootca.pem \
        --dn "C=FR, O=Kerlink, CN=vpn.hostname.tld" --flag serverAuth --flag ikeIntermediate \
        --outform pem > certs/vpncert.pem
</code>

==== Client certificates ====

Still on the server, create client secrets (certificate and private key). This step has to be repeated for each client that will connect to the VPN.

<code bash>
# Create a 2048 bit client private key
ipsec pki --gen --type rsa --size 2048 --outform pem > private/ifemto_XXXXXX.pem
chmod 600 private/ifemto_XXXXXX.pem

# Create a 2 year client certificate
ipsec pki --pub --in private/ifemto_XXXXXX.pem --type rsa \
    | ipsec pki --issue --lifetime 730 --cacert cacerts/rootca.pem --cakey private/rootca.pem \
        --dn "C=FR, O=Kerlink, CN=klk-wifc-XXXXXX" --outform pem > certs/ifemto_XXXXXX.pem
</code>

==== P12 Packaging (PKCS#12) ====

It is advised to have a PKCS#12 file containing the server certificate, the CA certificate, and the server private key. This will be referenced in the ''pkcs12'' directive of the server configuration file.

The Wirnet™ gateway uses the secrets in a PKCS#12 encoded file. Use the following command to generate a .p12 file from the generated certificates/keys (the paths refer to the files created above, still from ''/etc/ipsec.d''):

<code bash>
openssl pkcs12 -export -inkey private/ifemto_XXXXXX.pem -in certs/ifemto_XXXXXX.pem \
    -name "ifemto 0x2eXXXXXX" -certfile cacerts/rootca.pem -caname "Kerlink root CA" \
    -out ifemto_XXXXXX.p12
Enter Export Password:
Verifying - Enter Export Password:
</code>

The password will have to be entered in the client configuration file (''client-openvpn.conf'') using the ''askpass'' directive.

===== OpenVPN =====

OpenSSL or EasyRSA can be used to create the PKI and generate the OpenVPN keys and certificates. Note that it is more convenient and simpler to use EasyRSA than OpenSSL.

==== OpenSSL ====

=== Installation in your Ubuntu environment ===

OpenSSL is already included in your Ubuntu distribution. You can check the version used by issuing the command:

<code bash>
# openssl version
</code>

OpenVPN must be installed:

<code bash>
# sudo apt install openvpn
</code>

=== Root certification authority ===

== Prepare the CA directory ==

Choose a directory (/root/ca) to store all keys and certificates.
The ''csr'' directory will hold the certificate signing requests created in the following steps.

<code bash>
# mkdir /root/ca
# cd /root/ca
# mkdir certs crl csr newcerts private
# chmod 700 private
# touch index.txt
# echo 1000 > serial
</code>

== Prepare the configuration file ==

You must create a configuration file for OpenSSL: ''vi /root/ca/openssl.cnf''

<code ini>
[ ca ]
# `man ca`
default_ca = CA_default

[ CA_default ]
# Directory and file locations.
dir               = /root/ca
certs             = $dir/certs
crl_dir           = $dir/crl
new_certs_dir     = $dir/newcerts
database          = $dir/index.txt
serial            = $dir/serial
RANDFILE          = $dir/private/.rand

# The root key and root certificate.
private_key       = $dir/private/ca.key
certificate       = $dir/certs/ca.crt

# For certificate revocation lists.
crlnumber         = $dir/crlnumber
crl               = $dir/crl/ca.crl.pem
crl_extensions    = crl_ext
default_crl_days  = 30

# SHA-1 is deprecated, so use SHA-2 instead.
default_md        = sha256

name_opt          = ca_default
cert_opt          = ca_default
default_days      = 375
preserve          = no
policy            = policy_strict

[ policy_strict ]
# The root CA should only sign intermediate certificates that match.
# See the POLICY FORMAT section of `man ca`.
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ policy_loose ]
# Allow the intermediate CA to sign a more diverse range of certificates.
# See the POLICY FORMAT section of the `ca` man page.
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ req ]
# Options for the `req` tool (`man req`).
default_bits        = 2048
distinguished_name  = req_distinguished_name
string_mask         = utf8only

# SHA-1 is deprecated, so use SHA-2 instead.
default_md          = sha256

# Extension to add when the -x509 option is used.
x509_extensions     = v3_ca

[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
stateOrProvinceName             = State or Province Name
localityName                    = Locality Name (eg, city)
0.organizationName              = Organization Name (eg, company)
organizationalUnitName          = Organizational Unit Name (eg, section)
commonName                      = Common Name (eg: your user, host, or server name)
emailAddress                    = Email Address

# Optionally, specify some defaults.
countryName_default             = FR
stateOrProvinceName_default     = Bretagne
localityName_default            = Thorigne-Fouillard
0.organizationName_default      = Kerlink
organizationalUnitName_default  = DSC
emailAddress_default            = tda@kerlink.fr

[ v3_ca ]
# Extensions for a typical CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

[ v3_intermediate_ca ]
# Extensions for a typical intermediate CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

[ usr_cert ]
# Extensions for client certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = client, email
nsComment = "OpenSSL Generated Client Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection

[ server_cert ]
# Extensions for server certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth

[ crl_ext ]
# Extension for CRLs (`man x509v3_config`).
authorityKeyIdentifier=keyid:always

[ ocsp ]
# Extension for OCSP signing certificates (`man ocsp`).
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, OCSPSigning
</code>

== Create the Root key ==

<code bash>
# cd /root/ca
# openssl genrsa -aes256 -out private/ca.key 4096
Enter pass phrase for ca.key: secretpassword
Verifying - Enter pass phrase for ca.key: secretpassword
# chmod 400 private/ca.key
</code>

== Create the root certificate ==

<code bash>
# cd /root/ca
# openssl req -config openssl.cnf -key private/ca.key -new -x509 -days 7300 -sha256 -extensions v3_ca -out certs/ca.crt
Enter pass phrase for ca.key: secretpassword
You are about to be asked to enter information that will be incorporated
into your certificate request.
-----
Country Name (2 letter code) [XX]:FR
State or Province Name []: Bretagne
Locality Name []: Thorigne-Fouillard
Organization Name []: Kerlink
Organizational Unit Name []: DSC
Common Name []: Kerlink CA
Email Address []: tda@kerlink.fr
# chmod 444 certs/ca.crt
</code>

== Check the root certificate ==

<code bash>
# openssl x509 -noout -text -in certs/ca.crt
# openssl verify -CAfile certs/ca.crt certs/ca.crt
</code>

=== VPN server Key & Certificate ===

== Create the server Key ==

<code bash>
# cd /root/ca/private
# openssl genrsa -aes256 -out server.key 2048
# chmod 400 server.key
</code>

== Create the server Certificate Signing Request (CSR) ==

<code bash>
# cd /root/ca/csr
# openssl req -config ../openssl.cnf -key ../private/server.key -new -sha256 -out server.csr
Enter pass phrase for server.key: secretpassword
You are about to be asked to enter information that will be incorporated
into your certificate request.
-----
Country Name (2 letter code) [XX]:FR
State or Province Name []:Bretagne
Locality Name []:Thorigne-Fouillard
Organization Name []:Kerlink
Organizational Unit Name []:DSC
Common Name []:server
Email Address []:tda@kerlink.fr
</code>

== Generate the server Certificate ==

The ''server_cert'' extension section gives the certificate the ''serverAuth'' extended key usage.

<code bash>
# cd /root/ca/certs
# openssl ca -config ../openssl.cnf -extensions server_cert -days 375 -notext -md sha256 -in ../csr/server.csr -out server.crt
# chmod 444 server.crt
</code>

== Check the server Certificate ==

<code bash>
# cd /root/ca/certs/
# openssl verify -CAfile ca.crt server.crt
</code>

=== Client Key & Certificate ===

== Create the Client Key ==

<code bash>
# cd /root/ca/private
# openssl genrsa -aes256 -out client.key 2048
# chmod 400 client.key
</code>

== Create the Client Certificate Signing Request (CSR) ==

<code bash>
# cd /root/ca/csr
# openssl req -config ../openssl.cnf -key ../private/client.key -new -sha256 -out client.csr
Enter pass phrase for client.key: secretpassword
You are about to be asked to enter information that will be incorporated
into your certificate request.
-----
Country Name (2 letter code) [XX]:FR
State or Province Name []:Bretagne
Locality Name []:Thorigne-Fouillard
Organization Name []:Kerlink
Organizational Unit Name []:DSC
Common Name []:client
Email Address []:tda@kerlink.fr
</code>

== Generate the client Certificate ==

The ''usr_cert'' extension section gives the certificate the ''clientAuth'' extended key usage, so it cannot be presented as a server certificate.

<code bash>
# cd /root/ca/certs
# openssl ca -config ../openssl.cnf \
    -extensions usr_cert -days 375 -notext -md sha256 \
    -in ../csr/client.csr \
    -out client.crt
# chmod 444 client.crt
</code>

== Check the client Certificate ==

<code bash>
# cd /root/ca/certs/
# openssl verify -CAfile ca.crt client.crt
</code>

=== Generate the Diffie-Hellman (DH) parameters ===

<code bash>
# cd /root/ca
# openssl dhparam -out dh2048.pem 2048
</code>

==== EasyRSA ====

=== Installation in your Ubuntu environment ===

<code bash>
# sudo apt install openvpn easy-rsa
# cp -a /usr/share/easy-rsa /root/easy-rsa
</code>

=== Root certification authority ===

== Prepare the configuration file ==

The following commands are run from the copied EasyRSA directory:

<code bash>
# cd /root/easy-rsa
# mv vars.example vars
</code>

Edit the file and modify the following parameters:

<code bash>
# Choices are:
#   cn_only  - use just a CN value
#   org      - use the "traditional" Country/Province/City/Org/OU/email/CN format
set_var EASYRSA_DN      "org"

# Organizational fields (used with 'org' mode and ignored in 'cn_only' mode.)
# These are the default values for fields which will be placed in the
# certificate.  Don't leave any of these fields blank, although interactively
# you may omit any specific field by typing the "." symbol (not valid for
# email.)
set_var EASYRSA_REQ_COUNTRY     "FR"
set_var EASYRSA_REQ_PROVINCE    "Bretagne"
set_var EASYRSA_REQ_CITY        "Thorigne-Fouillard"
set_var EASYRSA_REQ_ORG         "Kerlink"
set_var EASYRSA_REQ_EMAIL       "tda@kerlink.fr"
set_var EASYRSA_REQ_OU          "DSC"
</code>

Then initialise the PKI directory:

<code bash>
# ./easyrsa init-pki
</code>

== Create the CA certificate ==

<code bash>
# ./easyrsa build-ca
Generating a 2048 bit RSA private key
.............................+++
................+++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [FR]:
State or Province Name (full name) [Bretagne]:
Locality Name (eg, city) [Thorigne-Fouillard]:
Organization Name (eg, company) [kerlink]:
Organizational Unit Name (eg, section) [DSC]:
Common Name (eg, your name or your server's hostname) []: CA
Name []: Kerlink CA
Email Address [tda@kerlink.fr]:
</code>

Use default values and just define the CN and name.

=== VPN server Key & Certificate ===

<code bash>
# ./easyrsa gen-req server nopass
Generating a 2048 bit RSA private key
.........+++
............................................+++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [FR]:
State or Province Name (full name) [Bretagne]:
Locality Name (eg, city) [Thorigne-Fouillard]:
Organization Name (eg, company) [kerlink]:
Organizational Unit Name (eg, section) [DSC]:
Common Name (eg, your name or your server's hostname) []:server
Name []: server
Email Address [tda@kerlink.fr]:

Keypair and certificate request completed. Your files are:
req: /root/easy-rsa/pki/reqs/server.req
key: /root/easy-rsa/pki/private/server.key
</code>

=== Sign the server Certificate Signing Request (CSR) ===

<code bash>
# ./easyrsa sign-req server server
</code>

=== Client Key & Certificate Request ===

The ''build-client-full'' command with the ''nopass'' option generates a client certificate and key in one step:

<code bash>
# ./easyrsa build-client-full client1 nopass
</code>

=== Generate Diffie-Hellman (DH) parameters ===

<code bash>
# ./easyrsa gen-dh
</code>

==== P12 Packaging (PKCS#12) ====

It is advised to have a PKCS#12 file containing the public certificate, the CA certificate, and the private key. This will be referenced in the ''pkcs12'' directive in the server and client's configuration file.

The Wirnet™ gateway uses the secrets in a PKCS#12 encoded file. Use the following commands to generate a .p12 file from the generated certificates/keys.

For the server:

<code bash>
# openssl pkcs12 -export -inkey private/server.key -in certs/server.crt -certfile certs/ca.crt -out server.p12
Enter Export Password:
Verifying - Enter Export Password:
</code>

The password will have to be entered in the server configuration file (''server-openvpn.conf'') using the ''askpass'' directive.

For the client:

<code bash>
# openssl pkcs12 -export -inkey private/client1.key -in certs/client1.crt -certfile certs/ca.crt -out client1.p12
Enter Export Password:
Verifying - Enter Export Password:
</code>

The password will have to be entered in the client configuration file (''client-openvpn.conf'') using the ''askpass'' directive.
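As an added check written for this page (not part of the original procedure), the script below builds a throwaway CA, a server certificate and a client certificate carrying the same extensions as the ''server_cert'' / ''usr_cert'' sections above, then uses ''openssl verify -purpose'' to confirm that the chain only accepts each certificate for the role it was issued for, and reads the PKCS#12 bundle back to confirm that the CA certificate is packaged with the end-entity certificate. It assumes ''openssl'' 1.1.1 or later in the PATH; the scratch directory, file names, subject names and the export password ''demo'' are constructed for the demo.

```shell
# Added example (not part of the original page): throwaway CA + server + client
# certificates with the same extensions as the server_cert / usr_cert sections
# above, then purpose checks and a PKCS#12 content check. Needs openssl 1.1.1+.
# Names, paths and the export password "demo" are constructed for the demo.
WORK=${WORK:-$(mktemp -d)}          # scratch directory; override with WORK=...
write_cnf() {
  cat >"$WORK/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, keyCertSign, cRLSign
[server_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[client_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
EOF
}
# issue NAME EXT_SECTION CN: new key + CSR for NAME, signed by the demo CA with EXT_SECTION
issue() {
  openssl req -new -config "$WORK/pki.cnf" -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
    -out "$WORK/$1.csr" -subj "/C=FR/O=Kerlink/CN=$3" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -days 730 -extfile "$WORK/pki.cnf" -extensions "$2" -out "$WORK/$1.crt" 2>/dev/null
}
build_demo_pki() {
  write_cnf
  # self-signed root with CA:true + keyCertSign, like v3_ca above
  openssl req -x509 -config "$WORK/pki.cnf" -extensions ca_ext -newkey rsa:2048 -nodes -days 3650 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" -subj "/C=FR/O=Kerlink/CN=Demo Root CA" 2>/dev/null
  issue server server_ext vpn.hostname.tld     # serverAuth only
  issue client client_ext klk-wifc-XXXXXX      # clientAuth only
  # bundle: server key + server cert + CA cert, as in the P12 packaging step
  openssl pkcs12 -export -inkey "$WORK/server.key" -in "$WORK/server.crt" \
    -certfile "$WORK/ca.crt" -passout pass:demo -out "$WORK/server.p12"
}
# check_purpose NAME PURPOSE: OK when the chain validates NAME.crt for PURPOSE (sslserver/sslclient)
check_purpose() {
  openssl verify -CAfile "$WORK/ca.crt" -purpose "$2" "$WORK/$1.crt" >/dev/null 2>&1 \
    && echo OK || echo REJECTED
}
# number of certificates stored in server.p12 (end-entity + CA = 2)
p12_cert_count() {
  openssl pkcs12 -in "$WORK/server.p12" -nokeys -passin pass:demo 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}
```

Run ''build_demo_pki'' once, then ''check_purpose client sslserver'' prints ''REJECTED'' while ''check_purpose server sslserver'' and ''check_purpose client sslclient'' print ''OK''; the same ''-purpose'' check can be run against the real ''certs/'' files produced above.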
Note: if certificates have been generated by EasyRSA, please replace the directory ''certs/'' by ''issued/''.

===== Useful links =====

  * [[https://jamielinux.com/docs/openssl-certificate-authority/introduction.html]] explains how to create a PKI with OpenSSL.
  * [[https://github.com/OpenVPN/easy-rsa|EasyRSA]] EasyRSA GitHub repository.
  * [[https://openvpn.net/community-resources/setting-up-your-own-certificate-authority-ca/]] explains how to use EasyRSA to create a PKI (applicable to Ubuntu 14.04).
  * [[https://www.digitalocean.com/community/tutorials/how-to-set-up-and-configure-an-openvpn-server-on-ubuntu-20-04-fr]] explains how to use EasyRSA to create a PKI (applicable to Ubuntu 20.04) (French).
  * [[https://wiki.gentoo.org/wiki/Create_a_Public_Key_Infrastructure_Using_the_easy-rsa_Scripts]] explains how to create a PKI using Easy-RSA (applicable to Ubuntu 20.04) (English).
  * [[https://stackoverflow.com/questions/21141215/creating-a-p12-file]] explains how to create a PKCS#12 (P12) archive.