Creación de una CA y certificados de servidor con easy-rsa

easy-rsa es una utilidad que nos viene con OpenVPN para facilitar la creación de los certificados. Aunque sea ofrecida cojuntamente con OpenVPN podemos usarla para cualquier otro software que requiera de ellos (Apache, Dovecot …)

Crearemos los certificados mediante easy-rsa (en /usr/local/etc/openvpn), por lo que llenaremos el fichero llamado vars con los valores por defecto:

cd /usr/local/etc/openvpn/
echo "export KEY_COUNTRY=ES" >> vars
echo "export KEY_PROVINCE=BARCELONA" >> vars
echo "export KEY_CITY=Barcelona" >> vars
echo "export KEY_ORG=\"systemadmin.es\"" >> vars
echo "export KEY_EMAIL=\"jordi@systemadmin.es\"" >> vars

Procedemos a crear una autoridad de certificación propia:

# . ./vars
NOTE: when you run ./clean-all, I will be doing a rm -rf on /usr/local/etc/openvpn/keys
# ./clean-all
# ./build-ca
Generating a 1024 bit RSA private key
.............+................++++++
..........++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [ES]:
State or Province Name (full name) [BARCELONA]:
Locality Name (eg, city) [Barcelona]:
Organization Name (eg, company) [systemadmin.es]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:obacs-CA
Email Address [jordi@systemadmin.es]:
#

Creamos el certificado para el servidor y el firmamos con la CA que hemos creado en el paso anterior:

# ./build-key-server obacs.systemadmin.es
Generating a 1024 bit RSA private key
............++++++
............++++++
writing new private key to 'obacs.systemadmin.es.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [ES]:
State or Province Name (full name) [BARCELONA]:
Locality Name (eg, city) [Barcelona]:
Organization Name (eg, company) [systemadmin.es]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:obacs.systemadmin.es
Email Address [jordi@systemadmin.es]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/local/etc/openvpn/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName            RINTABLE:'ES'
stateOrProvinceName    RINTABLE:'BARCELONA'
localityName           RINTABLE:'Barcelona'
organizationName       RINTABLE:'systemadmin.es'
commonName             RINTABLE:'obacs.systemadmin.es'
emailAddress          :IA5STRING:'jordi@systemadmin.es'
Certificate is to be certified until Oct 11 10:26:02 2018 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Creamos también un certificado para el cliente y también lo firmamos con la CA creada:

# ./build-key cadi.systemadmin.es
Generating a 1024 bit RSA private key
...........++++++
.........................++....................................++++++
writing new private key to 'cadi.systemadmin.es.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [ES]:

State or Province Name (full name) [BARCELONA]:
Locality Name (eg, city) [Barcelona]:
Organization Name (eg, company) [systemadmin.es]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:cadi.systemadmin.es
Email Address [jordi@systemadmin.es]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/local/etc/openvpn/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName            RINTABLE:'ES'
stateOrProvinceName    RINTABLE:'BARCELONA'
localityName           RINTABLE:'Barcelona'
organizationName       RINTABLE:'systemadmin.es'
commonName             RINTABLE:'cadi.systemadmin.es'
emailAddress          :IA5STRING:'jordi@systemadmin.es'
Certificate is to be certified until Oct 11 10:28:06 2018 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
#

Relacionados

• Usar chroot en OpenVPN
• Seguridad en redes wireless mediante OpenVPN (II)
• Seguridad en redes wireless mediante OpenVPN (I)
• Instalar un cliente OpenVPN en Windows
• Instalar un cliente OpenVPN en Linux