Skip to content

Easy-RSA 2.x based on original Easy-RSA 2.0 with support for OpenVPN profiles generation

License

Notifications You must be signed in to change notification settings

serhepopovych/easy-rsa

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Easy-RSA 2.x based on original Easy-RSA 2.0-rc1 found in OpenVPN 2.x branch
===========================================================================

From easy-rsa/README-2.0:
-------------------------

  This is a small RSA key management package, based on the openssl
  command line tool, that can be found in the easy-rsa subdirectory
  of the OpenVPN distribution.  While this tool is primary concerned
  with key management for the SSL VPN application space, it can also
  be used for building web certificates.

This work initially based on original EASY-RSA 2.0-rc1 found in openvpn-2.2.1
package from Debian GNU/Linux 7.x (wheezy). However development is moved then
to https://github.com/OpenVPN/easy-rsa/tree/release/2.x which is closed now.

Main objectives for this reimplementation are following:
--------------------------------------------------------
  o Support CRL for intermediate CAs at any depth
  o Support for multiple subjectAltName (Subject Alternative Names, SAN)
  o Seamless certificate reissue with same subjectName and private key
  o OpenVPN profile (file.ovpn) for Android/iOS/MacOS/Windows clients
    and config directory for Linux/BSD systems (both client and server)
  o Lighttpd with TLS/SSL and mod_secdownload support for secure
    client/server certificates (not implemented, PKCS#12 could be used
    for this purpose as single container for everything), CA certificate,
    CRLs and OpenVPN profiles/configuration (primary focus) distribution
    to end users
  o Multi-user support (could be useful for study purposes)
  o RSA 2048 bit keys and SHA256 by default
  o Revised security. Passwords passed via environment, sane filesystem
    permissions and ownership, private keys always encrypted with
    random passphrase generated from /dev/urandom, helper to run CA
    commands in pristine environment
  o Helpers to list OpenSSL index.txt certificate database
  o Arhcive expired certificates to keep index.txt small automatically
  o Misc improvements and bugfixes to pkitool a core utility

Installation
------------

Use standard installsh steps:

  $ cd /tmp
  $ git clone --recursive https://github.com/serhepopovych/easy-rsa
  $ cd easy-rsa
  $ sudo -i \
      fqdn='easy-rsa.example.com' \
      hostname='easy-rsa' \
      domain='example.com' \
      users='certmgr user1 user2' \
          ./deploy.sh -d 'opt' \
      #

Since easy-rsa supports multiuser configurations, no user by default has
preconfigured easy-rsa/ in it's home directory at creation time because
no easy-rsa/ installed in /etc/skel, you must manually copy skeleton
from <install_dir>/easy-rsa/skel/* to user home directory:

Note that on SELinux enforced systems (e.g. RHEL/CentOS) you need to add
following configuration:

  # Make sure policycoreutils installed
  $ sudo yum install -y policycoreutils

  # Allow setrlimit for lighttpd process
  $ sudo setsebool -P httpd_setrlimit 1

  # Allow access to user home directories for mod_userdir
  $ sudo setsebool -P httpd_read_user_content 1

  # Make sure policycoreutils-python or
  # policycoreutils-python-utils installed
  $ sudo yum install policycoreutils-python || \
    sudo yum install policycoreutils-python-utils

  # Allow lighttpd to execute xbin/* and xbin/mod/*/* helpers
  $ cd ~
  $ cat >comm_lighttpd_users_conf_sh.te <<'_EOF'

module comm_lighttpd_users_conf_sh 1.0;

require {
        type httpd_config_t;
        type httpd_t;
        class file { execute execute_no_trans };
}

#============= httpd_t ==============
allow httpd_t httpd_config_t:file { execute execute_no_trans };
_EOF
  $ checkmodule -M -m -o comm_lighttpd_users_conf_sh.mod \
      comm_lighttpd_users_conf_sh.te
  $ semodule_package -o comm_lighttpd_users_conf_sh.pp -m \
      comm_lighttpd_users_conf_sh.mod
  $ sudo semodule -r comm_lighttpd_users_conf_sh
  $ sudo semodule -i comm_lighttpd_users_conf_sh.pp

Usage
-----

$ /opt/easy-rsa/exec-ca --help
usage: /opt/easy-rsa/exec-ca [NAME=VAL...] [options] [--] <ca> <command> [<args> ...]

  options : options for exec-ca

    --runas   run as specified user instead of current (i.e. $USER)
    --help|--usage
              this help message
    --version this program version

  ca      : the CA directory (KEY_DIR) of the PKI to run command on
  command : command to run with PKI environment read from vars-<ca>
  args    : (optional) arguments to <command>

Example: /opt/easy-rsa/exec-ca webCA build-ca (build webCA)
         /opt/easy-rsa/exec-ca webCA (execute $SHELL with environment from vars-webCA)

$ /opt/easy-rsa/exec-ca --runas certmgr ovpnCA ovpn-mkconfig-client --help
Usage: mkconfig [options] <CommonName>
Options:
  --remote   : Remote OpenVPN peer hostname or IP address
  --port     : Port to use on remote OpenVPN host (default: 1194)
  --proto    : Protocol used to connect to peer (default: udp)
  --mode     : Mode used to connect to peer (default: client)

  --instance : Instance name to use as subdirectory name (default: --mode)
  --newkey   : Force new private key creation (default: no)

  --help|--usage
             : This help message

  --version  : This program version

<CommonName> is a X.509 "Common Name" used to distinguish peer.
It can be either hostname when --mode is "server" or legal name
of user when --mode is "client".

Examples
--------

  # Build self-signed RootCA certificate
  $ /opt/easy-rsa/exec-ca KEY_CN='Example.Net RootCA' --runas certmgr -- \
      RootCA build-ca --keysize 4096 RootCA

  # Build child CAs: webCA and ovpnCA
  $ /opt/easy-rsa/exec-ca \
      KEY_CN='OpenVPN Intermediate CA' --runas certmgr -- \
      RootCA build-inter --keysize 4096 ovpnCA
  $ /opt/easy-rsa/exec-ca \
      KEY_CN='WebServices Intermediate CA' --runas certmgr -- \
      RootCA build-inter --keysize 4096 webCA

  # Build OpenVPN server certificate, profile and configuration
  $ /opt/easy-rsa/exec-ca --runas certmgr -- ovpnCA \
      ovpn-mkconfig-server 'vpn.example.net'

  # Build OpenVPN client certificate and profile
  $ /opt/easy-rsa/exec-ca --runas certmgr -- ovpnCA \
      ovpn-mkconfig-client 'Test user'

  # Remove all certificates (including CA certificate itself) issued
  # by this and all child CAs; cleans up index.txt database
  $ /opt/easy-rsa/exec-ca --runas certmgr -- RootCA clean-all

  # Enter interactive shell with pristine environment and $PATH
  # pointing to /opt/easy-rsa and extensions/xbin.
  $ /opt/easy-rsa/exec-ca --runas certmgr ovpnCA

  # list certificates issued by authority (from openssl index.txt file)
  easy-rsa:ovpnCA> list-index-txt
  # show CRL (Certificate Revocation List)
  easy-rsa:ovpnCA> list-crl
  # build OpenVPN client certificate and profile
  easy-rsa:ovpnCA> ovpn-mkconfig-client 'Test user2'
  # revoke previously build OpenVPN client certificate
  easy-rsa:ovpnCA> revoke-full 'Test user2'

About

Easy-RSA 2.x based on original Easy-RSA 2.0 with support for OpenVPN profiles generation

Topics

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published