docs:easyrsa_ca [2018/12/28 21:57] (current) hawk created
It is a good idea to set up your own certificate authority, for example to issue certificates for VPN/WiFi clients. The best way to do it is to use Easy RSA. Let's start by installing the easy-rsa package:

  # poldek -ivh easy-rsa

Create a directory for your CA; here we will keep it in ///root/CA//, but any path will do:

  # mkdir /root/CA

Copy Easy RSA to your directory, go to it and rename vars.example:

  # cp -r /usr/share/easy-rsa/* /root/CA/
  # cd /root/CA/
  # mv vars.example vars

Now we need to configure this CA. Edit the vars file and uncomment/change options to fit your needs. We advise changing at least these two:

  set_var EASYRSA_KEY_SIZE 4096
  set_var EASYRSA_DIGEST "sha512"

This sets the default key size to 4096 bits and the signing digest to sha512.

We are ready to initialize the PKI directory and build our CA:

  # ./easyrsa init-pki
  # ./easyrsa build-ca

Now enter a password for the CA key and the name of your CA. That's all; your own CA is ready to use. Let's create your first certificate request:

  # ./easyrsa gen-req your.server.com

Enter a password for the certificate key and fill in the certificate data. When done, sign this request, creating a 'server' certificate:

  # ./easyrsa sign-req server your.server.com

Follow the on-screen instructions and that's it.

And here is an example command to create a wildcard certificate for your server:

  # ./easyrsa --batch --req-cn=example.org gen-req example.org nopass
  # ./easyrsa --batch --subject-alt-name='DNS:*.example.org,DNS:example.org' sign-req server example.org