Easy-rsa

From wiki.techunit.org

Introduction

  • Realized on Debian 8 (Jessie).
  • easy-rsa version: 2.2.2-1

The goal of this page is to provide a simple guide to creating SSL certificates and a simple CA with easy-rsa.

Configuration

Installation

aptitude install easy-rsa

CA creation

make-cadir pki-example
cd pki-example
  • Edit the vars file and change the following values:
export KEY_SIZE=4096

# In how many days should the root CA key expire?
export CA_EXPIRE=3650

# In how many days should certificates expire?
export KEY_EXPIRE=3650

# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY="FR"
export KEY_PROVINCE="IDF"
export KEY_CITY="Paris"
export KEY_ORG="example"
export KEY_EMAIL="admin@example.com"
export KEY_OU="techUnit"
  • Now build the CA:
source vars
./clean-all
./build-ca

#---

Generating a 4096 bit RSA private key
.......+++
........................................+++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [FR]:
State or Province Name (full name) [IDF]:
Locality Name (eg, city) [Paris]:
Organization Name (eg, company) [example]:
Organizational Unit Name (eg, section) [techUnit]:
Common Name (eg, your name or your server's hostname) [example CA]:ca.example.com
Name [EasyRSA]:
Email Address [admin@example.com]:
  • Files created
    • ./keys/ca.crt
    • ./keys/ca.key (the CA private key: anything able to read it can issue certificates trusted by this CA, so keep it off the servers that will use the issued certificates)

Create a server certificate

cd /path/to/ca-dir
source vars
./build-key-server wildcard.example.com

#---
Generating a 2048 bit RSA private key
.........+++
.............................................+++
writing new private key to 'wildcard.example.com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [FR]:
State or Province Name (full name) [IDF]:
Locality Name (eg, city) [Paris]:
Organization Name (eg, company) [example]:
Organizational Unit Name (eg, section) [techUnit]:
Common Name (eg, your name or your server's hostname) [wildcard.example.com]:*.example.com
Name [EasyRSA]:
Email Address [admin@example.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /root/pki-example/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'FR'
stateOrProvinceName   :PRINTABLE:'IDF'
localityName          :PRINTABLE:'Paris'
organizationName      :PRINTABLE:'example'
organizationalUnitName:PRINTABLE:'techUnit'
commonName            :T61STRING:'*.example.com'
name                  :PRINTABLE:'EasyRSA'
emailAddress          :IA5STRING:'admin@example.com'
Certificate is to be certified until Mar  7 09:10:34 2026 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
  • Files created
    • ./keys/wildcard.example.com.crt
    • ./keys/wildcard.example.com.key
    • ./keys/wildcard.example.com.csr

Sources

Elliot
techUnit's cofounder