{{tag>Brouillon PKI}}

= Notes PKI EasyRSA OpenVPN

Voir :
* [[Notes PKI]]

<code bash>
sudo apt-get install easy-rsa
make-cadir vpnpki
cd vpnpki
</code>

''vars''
<code bash>
export KEY_COUNTRY="FR"
export KEY_PROVINCE="FR"
export KEY_CITY="Paris"
export KEY_ORG="Acme"
export KEY_EMAIL="nospam@me.fr"
export KEY_OU="Acme"
</code>

(sur les versions plus récentes ?)
''vars''
<code bash>
set_var EASYRSA_ALGO "ec"
set_var EASYRSA_DIGEST "sha512"
</code>

<code bash>
source ./vars
./clean-all
unlink clean-all
ln -s openssl-1.0.0.cnf openssl.cnf
</code>

<code bash>
./build-dh
</code>

<code bash>
./build-ca
</code>

Les "Common Name" doivent être unique

"A challenge password" doit être laissé vide (pas de mdp nécessaire pour revoquer le cerificat)

<code bash>
./build-key-server nom_serveur_fqdn
</code>

Pour Nginx notamment
<code bash>
cat keys/nom_serveur_fqdn.crt keys/ca.crt > /etc/nginx/ssl/nom_serveur_fqdn.crt+chain
</code> 

<code bash>
./build-key --batch nom_client
</code>

Création du fichier crl.pem (Crash si crl.pem a une taille zero)
<code bash>
export KEY_CN=''
export KEY_ALTNAMES=''

openssl ca -gencrl -out keys/crl.pem -config openssl-1.0.0.cnf

unset KEY_CN KEY_ALTNAMES
</code>

---------------------

<code bash>
#export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
export KEY_CONFIG="$EASY_RSA/openssl.cnf"

source vars
./clean-all

#initialize root ca; give it a cert with cn=rootca
KEY_CN=rootca
KEY_NAME=rootca
./pkitool --initca rootca

#build intermediate ca, with name interca
KEY_CN=interca
KEY_NAME=interca
./pkitool --inter interca 

#now copy vars for intermediate ca
cp vars inter_ca_vars
#... and edit them for use for endpoints (clients/servers):
nano inter_ca_vars

nano inter_ca_vars
#edit place where keys are stored
# intermediate ca has separate key directory
export KEY_DIR="$EASY_RSA/intercakeys"
#edit to set up end user certs
export KEY_CN=EndPoint
export KEY_NAME=EndPoint
export KEY_OU=host.domain_endpoint_division

source ./inter_ca_vars
./clean-all

./build-dh

# generates several files in /etc/openvpn/easy-rsa/intercakeys:
# export-ca.crt
./inherit-inter /home/jibe/tmp/pki/keys interca

./pkitool --server openvpnserver
</code>
<code ->
Using Common Name: openvpnserver
Error Loading extension section server
139680895010448:error:2206D06C:X509 V3 routines:X509V3_parse_list:invalid null name:x509v3/v3_utl.c:370:
139680895010448:error:22097069:X509 V3 routines:DO_EXT_NCONF:invalid extension string:x509v3/v3_conf.c:146:name=subjectAltName,section=
139680895010448:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:x509v3/v3_conf.c:97:name=subjectAltName, value=
</code>