docs:easyrsa_ca [2018/12/28 21:57] (current)
hawk created
It is a good idea to set up your own certificate authority, for example to issue certificates for VPN or WiFi clients. An easy way to do it is Easy-RSA. Let's start by installing the easy-rsa package:

  # poldek -ivh easy-rsa

Create a directory for your CA. Here we will keep it in ///root/CA//, but any path will do:

  # mkdir /root/CA

Copy the Easy-RSA files into your directory, change into it and rename vars.example:

  # cp -r /usr/share/easy-rsa/* /root/CA/
  # cd /root/CA/
  # mv vars.example vars

Now we need to configure this CA. Edit the vars file and uncomment or change options to fit your needs. We advise changing at least these two:

  set_var EASYRSA_KEY_SIZE 4096
  set_var EASYRSA_DIGEST "sha512"

This sets the default key size to 4096 bits and the signature digest to SHA-512 (the commented-out defaults in vars.example are 2048 bits and sha256). Do this before building the CA: the key size applies to every key generated afterwards, including the CA's own key, and the digest to every signature the CA makes.

We are ready to initialise the PKI directory and build our CA:

  # ./easyrsa init-pki
  # ./easyrsa build-ca

Now enter a passphrase for the CA key and the name of your CA. That's all: your own CA is ready to use. Keep the CA private key (pki/private/ca.key) protected by that passphrase and off any network-facing host; anyone who obtains it can issue certificates your clients will trust. Let's create your first certificate request:

  # ./easyrsa gen-req your.server.com

Enter a passphrase for the certificate key (or append nopass if the service must start unattended, as in the wildcard example below) and fill in the certificate data. When done, sign this request, creating a 'server' certificate:

  # ./easyrsa sign-req server your.server.com

Follow the on-screen instructions, confirm that the request details are what you expect, and that's it. The signed certificate is written to pki/issued/your.server.com.crt and the CA certificate is pki/ca.crt; the server needs both, plus its private key from pki/private/. If the server key should never leave the server, run gen-req there instead of on the CA host and bring only the .req file into the CA with easyrsa's import-req command before signing it.

And here is an example of creating a wildcard certificate for your server, non-interactively (--batch) and with a key that has no passphrase:

  # ./easyrsa --batch --req-cn=example.org gen-req example.org nopass
  # ./easyrsa --batch --subject-alt-name='DNS:*.example.org,DNS:example.org' sign-req server example.org

Note that clients match names against the subjectAltName extension, so every host name the certificate should cover must be listed there; the CN alone is not enough for modern browsers. A wildcard matches a single label only (www.example.org, not a.b.example.org), and because one key then serves every host under the domain, a compromise of that key affects all of them.
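
As an added example (this script is not part of the TLD Linux page nor of the easy-rsa project), here is a small POSIX shell wrapper that ties the steps above together: it refuses to run if the vars file still has weak key-size or digest settings, issues a server certificate with an explicit list of subject alternative names in batch mode, and then verifies the issued certificate against the CA with openssl. It assumes the /root/CA layout from this page (overridable through a hypothetical CA_DIR variable), the easy-rsa 3 options the page itself uses (--batch, --req-cn, --subject-alt-name, nopass) and an openssl binary on the CA host; the helper names san_list, vars_ok and issue_server_cert are this example's own.

```shell
#!/bin/sh
# Added example, not from the TLD Linux page or the easy-rsa project:
# wrapper that issues a server certificate with explicit SANs in batch mode
# and verifies the result. Assumes the layout from the page (CA in /root/CA,
# override with the hypothetical CA_DIR), an easy-rsa 3 "easyrsa" script
# there, and an openssl binary.
set -eu

CA_DIR="${CA_DIR:-/root/CA}"

# Build the value easyrsa's --subject-alt-name expects, e.g.
# "DNS:example.org,DNS:*.example.org,IP:10.0.0.1". Bare IPv4 addresses
# become IP: entries, everything else DNS:.
san_list() {
    out=""
    sep=""
    for name in "$@"; do
        case "$name" in
            *[!0-9.]*) kind=DNS ;;   # contains something other than digits/dots
            *)         kind=IP ;;
        esac
        out="${out}${sep}${kind}:${name}"
        sep=","
    done
    printf '%s' "$out"
}

# Return 0 only if the vars file carries the settings the page recommends:
# an uncommented EASYRSA_KEY_SIZE of at least 4096 and EASYRSA_DIGEST sha512.
# Commented-out defaults (#set_var ...) are deliberately not matched.
vars_ok() {
    size=$(sed -n 's/^set_var[[:space:]]*EASYRSA_KEY_SIZE[[:space:]]*\([0-9]*\).*/\1/p' "$1")
    digest=$(sed -n 's/^set_var[[:space:]]*EASYRSA_DIGEST[[:space:]]*"\{0,1\}\([a-z0-9]*\).*/\1/p' "$1")
    [ "${size:-0}" -ge 4096 ] && [ "$digest" = "sha512" ]
}

# Issue a certificate whose CN is $1 and whose SANs are all the arguments.
# gen-req runs with nopass so the service can start unattended; sign-req
# still prompts for the CA key passphrase. The body is a subshell so the
# caller's working directory is untouched.
issue_server_cert() (
    cn="$1"
    san=$(san_list "$@")
    vars_ok "$CA_DIR/vars" || { echo "refusing: weak settings in $CA_DIR/vars" >&2; exit 1; }
    cd "$CA_DIR"
    ./easyrsa --batch --req-cn="$cn" gen-req "$cn" nopass
    ./easyrsa --batch --subject-alt-name="$san" sign-req server "$cn"
    # Check that the issued certificate chains to our CA and show the SANs
    # it really carries, rather than trusting that the options were applied.
    openssl verify -CAfile pki/ca.crt "pki/issued/$cn.crt"
    openssl x509 -in "pki/issued/$cn.crt" -noout -text | grep -A1 'Subject Alternative Name'
)

# Usage: ./issue-server-cert.sh example.org '*.example.org' 10.0.0.1
if [ "$#" -gt 0 ]; then
    issue_server_cert "$@"
fi
```

Run it from the CA host as ./issue-server-cert.sh example.org '*.example.org' 10.0.0.1; the first argument becomes the CN and every argument becomes a SAN. sign-req still asks for the CA key passphrase, which is intended: the server key is the one that may be unprotected, the CA key should not be.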
  
© TLD Linux