====== VPN - PKI management ======

The following are command examples that may be used to create the secrets (private keys and certificates) needed for the VPN connection. It is assumed that these commands are typed on the server on which the VPN daemon will be installed. Note that only the VPN server key and certificate actually have to be present on that server: the root CA private key can be kept on a separate, offline machine and used there to sign the server and client certificates.

===== IPsec / strongSwan =====

==== Root certification authority ====

First, create a root certification authority. It will be used to sign the VPN server and client certificates. The CA certificate is self-signed here, but it could also be signed by a trusted CA (this case is not documented here).

<code bash>
# Work in /etc/ipsec.d
cd /etc/ipsec.d

# Create a 4096 bit private key
ipsec pki --gen --type rsa --size 4096 --outform pem > private/rootca.pem
chmod 600 private/rootca.pem

# Create a 10 year certificate
ipsec pki --self --ca --lifetime 3650 --in private/rootca.pem --type rsa \
    --dn "C=FR, O=Kerlink, CN=Kerlink Root CA" --outform pem > cacerts/rootca.pem
</code>

==== VPN server certificate ====

Then, create the private key and certificate that will be used by the VPN server. The ''serverAuth'' and ''ikeIntermediate'' extended key usage flags are set because some IKEv2 clients require them before accepting a certificate for server authentication.

<code bash>
# Create a 2048 bit VPN private key
ipsec pki --gen --type rsa --size 2048 --outform pem > private/vpnkey.pem
chmod 600 private/vpnkey.pem

# Create a 2 year VPN certificate
ipsec pki --pub --in private/vpnkey.pem --type rsa \
    | ipsec pki --issue --lifetime 730 --cacert cacerts/rootca.pem --cakey private/rootca.pem \
        --dn "C=FR, O=Kerlink, CN=vpn.hostname.tld" --flag serverAuth --flag ikeIntermediate \
        --outform pem > certs/vpncert.pem
</code>

The clients will check this certificate against the identity they are configured to expect from the server. If they expect the host name (''vpn.hostname.tld''), add ''--san vpn.hostname.tld'' to the ''ipsec pki --issue'' command so that the name is also present as a subjectAltName, which is what strongSwan matches an FQDN identity against.

==== Client certificates ====

Still on the server, create the client secrets (private key and certificate). This step has to be repeated for each client that will connect to the VPN, with its own file names and CN.

<code bash>
# Create a 2048 bit client private key
ipsec pki --gen --type rsa --size 2048 --outform pem > private/ibts_060434.pem
chmod 600 private/ibts_060434.pem

# Create a 2 year client certificate
ipsec pki --pub --in private/ibts_060434.pem --type rsa \
    | ipsec pki --issue --lifetime 730 --cacert cacerts/rootca.pem --cakey private/rootca.pem \
        --dn "C=FR, O=Kerlink, CN=klk-lpbs-060434" --outform pem > certs/ibts_060434.pem
</code>

==== P12 packaging ====

The Wirnet iBTS and iFemtoCell expect the client secrets in a PKCS#12 encoded file. To bundle the generated client key and certificate together with the CA certificate into one ''.p12'' file:

<code bash>
openssl pkcs12 -export -inkey private/ibts_060434.pem -in certs/ibts_060434.pem \
    -name "iBTS 0x2e060434" -certfile cacerts/rootca.pem -caname "Kerlink root CA" \
    -out ibts_060434.p12
Enter Export Password:
Verifying - Enter Export Password:
</code>

The export password protects the private key inside the ''.p12'' file. It will have to be entered in the client configuration file (the one that is ciphered, see [[wiki:network_mana:vpn_client#provencore_configuration|Setting up the VPN client]]).

===== OpenVPN =====

[[https://github.com/OpenVPN/easy-rsa|EasyRSA]] can be used to quickly generate the secrets for the VPN server. It is advised to produce a PKCS#12 file containing the server certificate, the CA certificate and the server private key; this file is referenced by the ''pkcs12'' directive of the server configuration file.

A Diffie-Hellman parameter file also has to be generated:

<code bash>
openssl dhparam -out dh2048.pem 2048
</code>

===== Next =====

The next step is [[wiki:network_mana:vpn_server|VPN server configuration]].
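Since the client-certificate and P12 steps of the strongSwan procedure above have to be repeated for every iBTS or iFemtoCell, the following script gathers them into two reusable functions and adds the checks that are easy to forget when typing the commands by hand. This is an added example, not Kerlink's own tooling: it assumes the root CA already exists under ''/etc/ipsec.d'' (overridable through the ''PKI_DIR'' variable), that the P12 export password is supplied in a ''P12_PASSWORD'' environment variable instead of interactively, and that the client name is used both as the file base name and as a filesystem-safe identifier. The ''validate_name'' helper, the ''--san'' entry and the verification steps are additions of this example.

```shell
#!/bin/sh
# Added example, not Kerlink's own tooling: the client-certificate and P12
# steps of the strongSwan procedure above, wrapped in reusable functions.
# Assumptions (not from the page): the root CA already exists under
# $PKI_DIR, the P12 export password is passed in the P12_PASSWORD variable,
# and the client name doubles as the file base name, so it is validated first.
set -eu

PKI_DIR=${PKI_DIR:-/etc/ipsec.d}
CA_KEY="$PKI_DIR/private/rootca.pem"
CA_CERT="$PKI_DIR/cacerts/rootca.pem"
CLIENT_DAYS=730

# The client name becomes part of a path under private/ and certs/, so reject
# anything but a plain identifier (no "../", no spaces, no shell metacharacters).
validate_name() {
    case "$1" in
        "")                 return 1 ;;
        *[!A-Za-z0-9_-]*)   return 1 ;;
        *)                  return 0 ;;
    esac
}

# issue_client <name> <cn>: key + certificate for one client, e.g.
#   issue_client ibts_060434 klk-lpbs-060434
issue_client() {
    name=$1
    cn=$2
    validate_name "$name" || { echo "invalid client name: '$name'" >&2; return 1; }
    key="$PKI_DIR/private/$name.pem"
    cert="$PKI_DIR/certs/$name.pem"
    if [ -e "$key" ]; then
        echo "refusing to overwrite existing key $key" >&2
        return 1
    fi

    # umask in a subshell: the key file is created 0600, no chmod race window
    ( umask 077; ipsec pki --gen --type rsa --size 2048 --outform pem > "$key" )

    # --san adds the CN as subjectAltName too, which is what strongSwan matches
    # an FQDN identity (leftid/rightid) against
    ipsec pki --pub --in "$key" --type rsa \
        | ipsec pki --issue --lifetime "$CLIENT_DAYS" \
              --cacert "$CA_CERT" --cakey "$CA_KEY" \
              --dn "C=FR, O=Kerlink, CN=$cn" --san "$cn" \
              --outform pem > "$cert"

    # Fail here rather than on the first IKE exchange if the chain is broken
    ipsec pki --verify --in "$cert" --cacert "$CA_CERT"
}

# package_p12 <name> <friendly-name> <out.p12>: bundle key, cert and CA cert
package_p12() {
    name=$1
    friendly=$2
    out=$3
    validate_name "$name" || { echo "invalid client name: '$name'" >&2; return 1; }
    : "${P12_PASSWORD:?set P12_PASSWORD to the export password}"

    ( umask 077; openssl pkcs12 -export \
        -inkey "$PKI_DIR/private/$name.pem" -in "$PKI_DIR/certs/$name.pem" \
        -certfile "$CA_CERT" -name "$friendly" -caname "Kerlink root CA" \
        -passout env:P12_PASSWORD -out "$out" )

    # Re-open the bundle with the same password to check it before shipping it
    openssl pkcs12 -in "$out" -info -nokeys -passin env:P12_PASSWORD > /dev/null
}

case "${1:-}" in
    client) issue_client "$2" "$3" ;;
    p12)    package_p12 "$2" "$3" "$4" ;;
    *)      ;;   # no subcommand: only define the functions (e.g. when sourced)
esac
```

Typical use on the signing machine is ''./vpn-client-pki.sh client ibts_060434 klk-lpbs-060434'' followed by ''P12_PASSWORD=... ./vpn-client-pki.sh p12 ibts_060434 "iBTS 0x2e060434" ibts_060434.p12''. The script refuses to overwrite an existing key, creates key material with a restrictive umask instead of a separate ''chmod'', and verifies both the issued certificate against the CA and the resulting ''.p12'' with its password, so a broken chain or a mistyped password is caught before the bundle reaches the device.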