-
Notifications
You must be signed in to change notification settings - Fork 2
Easy-RSA 2.x based on original Easy-RSA 2.0 with support for OpenVPN profiles generation
License
serhepopovych/easy-rsa
Folders and files
Name | Name | Last commit message | Last commit date | |
---|---|---|---|---|
Repository files navigation
Easy-RSA 2.x based on original Easy-RSA 2.0-rc1 found in OpenVPN 2.x branch =========================================================================== From easy-rsa/README-2.0: ------------------------- This is a small RSA key management package, based on the openssl command line tool, that can be found in the easy-rsa subdirectory of the OpenVPN distribution. While this tool is primary concerned with key management for the SSL VPN application space, it can also be used for building web certificates. This work initially based on original EASY-RSA 2.0-rc1 found in openvpn-2.2.1 package from Debian GNU/Linux 7.x (wheezy). However development is moved then to https://github.com/OpenVPN/easy-rsa/tree/release/2.x which is closed now. Main objectives for this reimplementation are following: -------------------------------------------------------- o Support CRL for intermediate CAs at any depth o Support for multiple subjectAltName (Subject Alternative Names, SAN) o Seamless certificate reissue with same subjectName and private key o OpenVPN profile (file.ovpn) for Android/iOS/MacOS/Windows clients and config directory for Linux/BSD systems (both client and server) o Lighttpd with TLS/SSL and mod_secdownload support for secure client/server certificates (not implemented, PKCS#12 could be used for this purpose as single container for everything), CA certificate, CRLs and OpenVPN profiles/configuration (primary focus) distribution to end users o Multi-user support (could be useful for study purposes) o RSA 2048 bit keys and SHA256 by default o Revised security. Passwords passed via environment, sane filesystem permissions and ownership, private keys always encrypted with random passphrase generated from /dev/urandom, helper to run CA commands in pristine environment o Helpers to list OpenSSL index.txt certificate database o Arhcive expired certificates to keep index.txt small automatically o Misc improvements and bugfixes to pkitool a core utility Installation ------------ Use standard installsh steps: $ cd /tmp $ git clone --recursive https://github.com/serhepopovych/easy-rsa $ cd easy-rsa $ sudo -i \ fqdn='easy-rsa.example.com' \ hostname='easy-rsa' \ domain='example.com' \ users='certmgr user1 user2' \ ./deploy.sh -d 'opt' \ # Since easy-rsa supports multiuser configurations, no user by default has preconfigured easy-rsa/ in it's home directory at creation time because no easy-rsa/ installed in /etc/skel, you must manually copy skeleton from <install_dir>/easy-rsa/skel/* to user home directory: Note that on SELinux enforced systems (e.g. RHEL/CentOS) you need to add following configuration: # Make sure policycoreutils installed $ sudo yum install -y policycoreutils # Allow setrlimit for lighttpd process $ sudo setsebool -P httpd_setrlimit 1 # Allow access to user home directories for mod_userdir $ sudo setsebool -P httpd_read_user_content 1 # Make sure policycoreutils-python or # policycoreutils-python-utils installed $ sudo yum install policycoreutils-python || \ sudo yum install policycoreutils-python-utils # Allow lighttpd to execute xbin/* and xbin/mod/*/* helpers $ cd ~ $ cat >comm_lighttpd_users_conf_sh.te <<'_EOF' module comm_lighttpd_users_conf_sh 1.0; require { type httpd_config_t; type httpd_t; class file { execute execute_no_trans }; } #============= httpd_t ============== allow httpd_t httpd_config_t:file { execute execute_no_trans }; _EOF $ checkmodule -M -m -o comm_lighttpd_users_conf_sh.mod \ comm_lighttpd_users_conf_sh.te $ semodule_package -o comm_lighttpd_users_conf_sh.pp -m \ comm_lighttpd_users_conf_sh.mod $ sudo semodule -r comm_lighttpd_users_conf_sh $ sudo semodule -i comm_lighttpd_users_conf_sh.pp Usage ----- $ /opt/easy-rsa/exec-ca --help usage: /opt/easy-rsa/exec-ca [NAME=VAL...] [options] [--] <ca> <command> [<args> ...] options : options for exec-ca --runas run as specified user instead of current (i.e. $USER) --help|--usage this help message --version this program version ca : the CA directory (KEY_DIR) of the PKI to run command on command : command to run with PKI environment read from vars-<ca> args : (optional) arguments to <command> Example: /opt/easy-rsa/exec-ca webCA build-ca (build webCA) /opt/easy-rsa/exec-ca webCA (execute $SHELL with environment from vars-webCA) $ /opt/easy-rsa/exec-ca --runas certmgr ovpnCA ovpn-mkconfig-client --help Usage: mkconfig [options] <CommonName> Options: --remote : Remote OpenVPN peer hostname or IP address --port : Port to use on remote OpenVPN host (default: 1194) --proto : Protocol used to connect to peer (default: udp) --mode : Mode used to connect to peer (default: client) --instance : Instance name to use as subdirectory name (default: --mode) --newkey : Force new private key creation (default: no) --help|--usage : This help message --version : This program version <CommonName> is a X.509 "Common Name" used to distinguish peer. It can be either hostname when --mode is "server" or legal name of user when --mode is "client". Examples -------- # Build self-signed RootCA certificate $ /opt/easy-rsa/exec-ca KEY_CN='Example.Net RootCA' --runas certmgr -- \ RootCA build-ca --keysize 4096 RootCA # Build child CAs: webCA and ovpnCA $ /opt/easy-rsa/exec-ca \ KEY_CN='OpenVPN Intermediate CA' --runas certmgr -- \ RootCA build-inter --keysize 4096 ovpnCA $ /opt/easy-rsa/exec-ca \ KEY_CN='WebServices Intermediate CA' --runas certmgr -- \ RootCA build-inter --keysize 4096 webCA # Build OpenVPN server certificate, profile and configuration $ /opt/easy-rsa/exec-ca --runas certmgr -- ovpnCA \ ovpn-mkconfig-server 'vpn.example.net' # Build OpenVPN client certificate and profile $ /opt/easy-rsa/exec-ca --runas certmgr -- ovpnCA \ ovpn-mkconfig-client 'Test user' # Remove all certificates (including CA certificate itself) issued # by this and all child CAs; cleans up index.txt database $ /opt/easy-rsa/exec-ca --runas certmgr -- RootCA clean-all # Enter interactive shell with pristine environment and $PATH # pointing to /opt/easy-rsa and extensions/xbin. $ /opt/easy-rsa/exec-ca --runas certmgr ovpnCA # list certificates issued by authority (from openssl index.txt file) easy-rsa:ovpnCA> list-index-txt # show CRL (Certificate Revocation List) easy-rsa:ovpnCA> list-crl # build OpenVPN client certificate and profile easy-rsa:ovpnCA> ovpn-mkconfig-client 'Test user2' # revoke previously build OpenVPN client certificate easy-rsa:ovpnCA> revoke-full 'Test user2'
About
Easy-RSA 2.x based on original Easy-RSA 2.0 with support for OpenVPN profiles generation
Topics
Resources
License
Stars
Watchers
Forks
Releases
No releases published
Packages 0
No packages published