Creating your own Certificate Authority
The tools
The FreeBSD Port for OpenVPN installs "a small RSA key management package based on the openssl command line tool". This package is provided by the OpenVPN project and can be found at /usr/local/share/doc/openvpn/easy-rsa/.
I recommend copying this to another location as you will be altering some files.
cp -rp /usr/local/share/doc/openvpn/easy-rsa ~/
cd ~/easy-rsa
This article is based upon the README located in that directory. And upon a few hours of not understanding the subtle steps involved.
The setup
The README says to edit vars and set KEY_SIZE and KEY_DIR. I left them unchanged. This puts the keys into the keys sub-directory.
I also set these values, as found at the end of the file:
export KEY_COUNTRY=US
export KEY_PROVINCE=PA
export KEY_CITY=Warrington
export KEY_ORG="The FreeBSD Diary"
export KEY_EMAIL="dan@example.org"
You need to invoke the vars file before carrying out any of the remaining steps. You only need to invoke vars once per session. You will know that you have not invoked vars this session if you see this message:
you must define KEY_DIR
To invoke the vars, issue this command (the leading . is significant):
. vars
When first starting out with your CA, you need to run this command. Note that it will remove the keys subdirectory along with any keys that you have created. Use with caution. This command sets up some variables used by later processed.
./clean-all
Create your CA
To create your CA, issue this command (the bits I typed are in bold):
$ ./build-ca
Generating a 1024 bit RSA private key
..........................++++++
......................................................................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [PA]:
Locality Name (eg, city) [Warrington]:
Organization Name (eg, company) [The FreeBSD Diary]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address [dan@example.org]:
After the above, ca.crt and ca.key have been built in your KEY_DIR directory:
$ ls -l keys
total 6
-rw-r--r-- 1 dan dan 1151 Nov 27 19:01 ca.crt
-rw------- 1 dan dan 887 Nov 27 19:01 ca.key
-rw-r--r-- 1 dan dan 113 Nov 27 19:00 index.txt
-rw-r--r-- 1 dan dan 3 Nov 27 19:00 serial
Create the OpenVPN server certificate
In this step, we will create the certificate for your OpenVPN server. The build-key-server command will ensure the certificate is designated as a server-only certificate by setting nsCertType=server. This solution for that type of attack relies upon you using this line in your client openvpn.conf configuration files:
ns-cert-type server
This certificate will be used on your OpenVPN server, which in my example, is named myserver.example.com. To create a nsCertType=server certificate for your OpenVPN server, issue the following command:
$ ./build-key-server myserver.example.com
Generating a 1024 bit RSA private key
........++++++
........................................++++++
writing new private key to 'myserver.example.com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [PA]:
Locality Name (eg, city) [Warrington]:
Organization Name (eg, company) [The FreeBSD Diary]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:myserver.example.com
Email Address [dan@example.org]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /home/dan/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'US'
stateOrProvinceName :PRINTABLE:'PA'
localityName :PRINTABLE:'Warrington'
organizationName :PRINTABLE:'The FreeBSD Diary'
commonName :PRINTABLE:'myserver.example.com'
emailAddress :IA5STRING:'dan@example.org'
Certificate is to be certified until Nov 25 19:19:09 2018 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
You should now see files like this:
$ ls -l keys
total 24
-rw-r--r-- 1 dan dan 3592 Nov 27 19:19 01.pem
-rw-r--r-- 1 dan dan 1151 Nov 27 19:01 ca.crt
-rw------- 1 dan dan 887 Nov 27 19:01 ca.key
-rw-r--r-- 1 dan dan 113 Nov 27 19:19 index.txt
-rw-r--r-- 1 dan dan 21 Nov 27 19:19 index.txt.attr
-rw-r--r-- 1 dan dan 0 Nov 27 19:00 index.txt.old
-rw-r--r-- 1 dan dan 3592 Nov 27 19:19 myserver.example.com.crt
-rw-r--r-- 1 dan dan 700 Nov 27 19:19 myserver.example.com.csr
-rw------- 1 dan dan 887 Nov 27 19:19 myserver.example.com.key
-rw-r--r-- 1 dan dan 3 Nov 27 19:19 serial
-rw-r--r-- 1 dan dan 3 Nov 27 19:00 serial.old
Create the DIFFIE-HELLMAN parmaters for your server
This step creates the DIFFIE-HELLMAN parameters that will be required by your OpenVPN server.
$ ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
......................+........................................
...+...............................................+...........
..........................+....................................
...........+..................^[[B......+......................
.............................................+.................
............................................+..................
...........+...+...............................................
..............................................+................
..................................................+............
.........+...............................+...+.+...............
..................+..................................+.........
.+.....+.....................+.................................
.................................................+............+
............................................+..................
...............................................................
...................+..++*++*++*
This will create a file (keys/dh1024.pem) which will be used on your OpenVPN server.
Create a client certificate
This step will create a certificate that can be used by your OpenVPN client. In this case, we are creating a certificate to be used by the host client.example.com.
./build-key client.example.com
Generating a 1024 bit RSA private key
.++++++
...++++++
writing new private key to 'client.example.com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [PA]:
Locality Name (eg, city) [Warrington]:
Organization Name (eg, company) [The FreeBSD Diary]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:client.example.com
Email Address [dan@example.org]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /home/dan/easy-rsa/openssl.cnf
DEBUG[load_index]: unique_subject = "yes"
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'US'
stateOrProvinceName :PRINTABLE:'PA'
localityName :PRINTABLE:'Warrington'
organizationName :PRINTABLE:'The FreeBSD Diary'
commonName :PRINTABLE:'client.example.com'
emailAddress :IA5STRING:'dan@example.org'
Certificate is to be certified until Nov 25 19:49:36 2018 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Repeat
I suggest you get things running with one client first, then create certificates for other client.
Enjoy.
No comments:
Post a Comment