Voir :
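# Install easy-rsa (Debian's package ships make-cadir, which copies the
# easy-rsa 2.x scripts and a `vars` template into a fresh working directory)
# and move into that directory.
sudo apt-get install easy-rsa
make-cadir vpnpki
# Guard the cd: every ./build-* and ./clean-all below is relative to this
# directory, and clean-all run from the wrong place wipes the wrong keys/.
cd vpnpki || exit 1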
vars
# Default subject fields (C/ST/L/O/emailAddress/OU) that the easy-rsa 2.x
# build-* scripts pick up from the environment. One export statement, one
# field per line, so a diff shows which field changed.
# KEY_SIZE / KEY_EXPIRE / CA_EXPIRE are not set here, so whatever `vars`
# defines applies — check that KEY_SIZE is at least 2048 before ./build-dh
# and ./build-ca.
export KEY_COUNTRY="FR" \
       KEY_PROVINCE="FR" \
       KEY_CITY="Paris" \
       KEY_ORG="Acme" \
       KEY_EMAIL="nospam@me.fr" \
       KEY_OU="Acme"
(sur les versions plus récentes — easy-rsa 3, où le fichier `vars` utilise la syntaxe `set_var` au lieu d'`export`) vars
# easy-rsa 3 style `vars`: EC keys, SHA-512 signatures.
# `set_var` is not a shell builtin — it is a helper the easyrsa script
# provides when it reads this file, so do not `source` this file by hand
# (bash would fail with "set_var: command not found").
set_var EASYRSA_ALGO "ec"
set_var EASYRSA_DIGEST "sha512"
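# Load the CA settings, then start from an empty key directory.
# WARNING: clean-all deletes everything under $KEY_DIR — the CA private key,
# every issued certificate and the index. Never run it against a PKI that is
# already in use; there is no undo.
source ./vars || exit 1
./clean-all
# Point openssl.cnf at the 1.0.0 template. The original note ran
# `unlink clean-all` here, which deletes the clean-all helper that the
# intermediate-CA procedure further down calls again; presumably the intent
# was to replace an existing openssl.cnf symlink, which `ln -sf` does.
ln -sf openssl-1.0.0.cnf openssl.cnf
# Diffie-Hellman parameters and the CA key/certificate. build-dh sizes the
# parameters from KEY_SIZE in vars — confirm it is at least 2048 first, since
# regenerating later means redistributing.
./build-dh
./build-ca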
Les “Common Name” doivent être uniques au sein d'une même CA (par défaut, `openssl ca` refuse d'émettre un second certificat valide avec le même sujet).
“A challenge password” doit être laissé vide : c'est un attribut de la CSR, pas une passphrase protégeant la clé privée, et il n'est pas nécessaire pour révoquer le certificat.
# Server certificate/key pair. The argument is used as the CN: use the
# server's FQDN and keep it unique within this CA. Output lands in
# keys/<fqdn>.crt and keys/<fqdn>.key; the .key is presumably written without
# a passphrase — keep keys/ readable by root only.
./build-key-server nom_serveur_fqdn
Pour Nginx notamment (certificat serveur suivi du certificat de la CA, dans cet ordre) :
# Certificate bundle for nginx: leaf certificate first, then the issuing CA,
# in that order (nginx reads the leaf first from ssl_certificate). Only
# public material goes in this file; the matching keys/<fqdn>.key is not
# copied here — if it is installed next to it, keep it root-only (0600) and
# reference it via ssl_certificate_key.
cat keys/nom_serveur_fqdn.crt keys/ca.crt > /etc/nginx/ssl/nom_serveur_fqdn.crt+chain
# Client certificate/key pair. --batch answers the subject prompts from the
# KEY_* environment (no interactive confirmation). The key is presumably
# stored unencrypted (build-key-pass is the passphrase variant) — deliver it
# to the client over a secure channel and remove the local copy afterwards.
./build-key --batch nom_client
Création du fichier crl.pem (le service qui charge crl.pem plante si le fichier est de taille nulle : vérifier qu'il n'est pas vide après génération)
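# Generate the CRL. KEY_CN and KEY_ALTNAMES are exported empty because the
# openssl config presumably references them (as it does for the server
# extension), and `openssl ca` refuses to parse a config with an undefined
# variable; they are cleared again afterwards so they do not leak into later
# build-* runs.
export KEY_CN='' KEY_ALTNAMES=''
openssl ca -gencrl -out keys/crl.pem -config openssl-1.0.0.cnf || exit 1
unset KEY_CN KEY_ALTNAMES
# A zero-size crl.pem crashes the consumer (see the note on this page), so
# fail loudly here instead of silently installing an empty file.
[ -s keys/crl.pem ] || { echo "keys/crl.pem is empty or missing" >&2; exit 1; }
# Reminder: a CRL carries a nextUpdate (default_crl_days in the config) and is
# rejected once that date passes — regenerate it on a schedule, not just on
# revocation.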
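# Two-level PKI with easy-rsa 2.x: root CA -> intermediate CA -> end-entity
# certificates. All paths are relative to $EASY_RSA, which vars defines.
#export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
source vars || exit 1
# KEY_CONFIG is set *after* sourcing vars: the original note exported it
# first, but $EASY_RSA is not defined until vars has been sourced, and a vars
# that computes its own KEY_CONFIG (via whichopensslcnf, as the commented
# line above suggests) would overwrite the value — TODO confirm with this
# version's vars.
export KEY_CONFIG="$EASY_RSA/openssl.cnf"
# WARNING: clean-all wipes $KEY_DIR. Only do this when building the root
# from scratch.
./clean-all
# Root CA: give it a certificate with CN=rootca.
KEY_CN=rootca KEY_NAME=rootca ./pkitool --initca rootca
# Intermediate CA named interca, signed by the root.
KEY_CN=interca KEY_NAME=interca ./pkitool --inter interca
# Separate vars for the intermediate CA. The overrides must live *inside*
# inter_ca_vars (the original note edited the copy in nano): exporting them
# in the shell before `source ./inter_ca_vars` would be undone by the file's
# own `export KEY_DIR=...`. Appending puts them last, so they win.
cp vars inter_ca_vars
cat >> inter_ca_vars <<'EOF'
# intermediate CA has its own key directory — never mixed with the root's keys/
export KEY_DIR="$EASY_RSA/intercakeys"
# defaults for end-entity certs (clients/servers) issued by the intermediate
export KEY_CN=EndPoint
export KEY_NAME=EndPoint
export KEY_OU=host.domain_endpoint_division
EOF
source ./inter_ca_vars || exit 1
# clean-all now targets $EASY_RSA/intercakeys, not the root CA's keys/.
./clean-all
./build-dh
# Pull the intermediate's key/cert into intercakeys from the root CA's key
# directory (the original note mentions export-ca.crt among the generated
# files). The root key directory was hard-coded in the note; keep it in one
# variable so it is obvious what must change on another machine.
root_keys="/home/jibe/tmp/pki/keys"
./inherit-inter "$root_keys" interca
# Server certificate issued by the intermediate. The server extension section
# presumably takes subjectAltName from KEY_ALTNAMES (the CRL step on this page
# has to define the same variable); leaving it unset is what produces
# "invalid null name ... name=subjectAltName, value=" — so give it a value
# that matches the CN.
export KEY_ALTNAMES="DNS:openvpnserver"
./pkitool --server openvpnserver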
Using Common Name: openvpnserver
Error Loading extension section server
139680895010448:error:2206D06C:X509 V3 routines:X509V3_parse_list:invalid null name:x509v3/v3_utl.c:370:
139680895010448:error:22097069:X509 V3 routines:DO_EXT_NCONF:invalid extension string:x509v3/v3_conf.c:146:name=subjectAltName,section=
139680895010448:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:x509v3/v3_conf.c:97:name=subjectAltName, value=
Cause probable : l'extension subjectAltName reçoit une valeur vide (`value=` en fin de message), c'est-à-dire KEY_ALTNAMES non défini ou vide au moment de `./pkitool --server` ; exporter par exemple `KEY_ALTNAMES="DNS:openvpnserver"` avant la commande.