14 October 2013, 21:08

This post shows how to set up a Public Key Infrastructure (PKI) on Debian with the Easy-RSA scripts, with explanations of the terms and options used along the way.

1. PKI quick reminder

We'll be creating:

- a master Certificate Authority (CA) certificate and private key,
- a certificate and private key pair for the server and for each client.

It is good practice to generate a distinct client key per user, and to name each one after the user or computer it will be installed on, so that it can be identified if that person leaves or the key is lost.
Take extra care when transferring private keys: use an encrypted channel or a USB drive.

Note: certificates are also referred to as public keys.


2. Easy-RSA tools install

sudo apt-get install openvpn
sudo mkdir vpn
cd vpn
sudo cp -a /usr/share/doc/openvpn/examples/easy-rsa/2.0/* .

3. Variables setup

We set the variables to match our situation:

sudo leafpad vars

Here are the most important fields explained:

export KEY_SIZE=1024                          # key strength; use 2048 for extra strength
export KEY_COUNTRY="US"                       # organization location: country
export KEY_PROVINCE="VA"                      # region
export KEY_CITY="Norfolk"                     # city
export KEY_ORG="FunStudios"                   # organization name
export KEY_EMAIL="contact@FunStudios.org"     # organization contact email
export KEY_OU="Creation"                      # organizational unit (i.e. department)
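Because every later script reads these exported variables, a typo in vars only shows up once the CA or a certificate has already been built. As an added example (not part of the original post), here is a small POSIX shell lint that sources a vars file in a subshell and reports empty fields, a non-numeric KEY_SIZE, a KEY_SIZE below the 2048 the post suggests for extra strength, and a KEY_COUNTRY that is not a two-letter code (X.509 countryName is exactly two characters). The two vars files it writes (the weak 1024-bit one from the post and a corrected 2048-bit one) are constructed for the demo; the field names are the ones listed above.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check an Easy-RSA 2.0 vars file
# before sourcing it for real. Both sample files below are constructed for the demo.

# Write a vars file in the post's layout; $1 = path, $2 = KEY_SIZE value.
write_sample_vars() {
  cat > "$1" <<EOF
export KEY_SIZE=$2
export KEY_COUNTRY="US"
export KEY_PROVINCE="VA"
export KEY_CITY="Norfolk"
export KEY_ORG="FunStudios"
export KEY_EMAIL="contact@FunStudios.org"
export KEY_OU="Creation"
EOF
}

# Print one finding per line; print nothing when the file passes.
# The checks run in a subshell so the caller's environment is not polluted by the exports.
lint_vars() {
  (
    . "$1"
    for v in KEY_SIZE KEY_COUNTRY KEY_PROVINCE KEY_CITY KEY_ORG KEY_EMAIL KEY_OU; do
      eval "val=\${$v:-}"
      [ -n "$val" ] || echo "$v is empty"
    done
    case "${KEY_SIZE:-}" in
      ''|*[!0-9]*) echo "KEY_SIZE is not a number" ;;
      *) [ "$KEY_SIZE" -ge 2048 ] || echo "KEY_SIZE=$KEY_SIZE is below 2048" ;;
    esac
    # X.509 countryName must be exactly two letters, otherwise openssl rejects the request.
    case "${KEY_COUNTRY:-}" in
      [A-Za-z][A-Za-z]) ;;
      *) echo "KEY_COUNTRY must be a two-letter country code" ;;
    esac
  )
}

# Demo: lint the post's 1024-bit vars next to a 2048-bit version.
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp -d)
  write_sample_vars "$tmp/vars.weak" 1024
  write_sample_vars "$tmp/vars.strong" 2048
  echo "weak vars:";   lint_vars "$tmp/vars.weak"
  echo "strong vars:"; lint_vars "$tmp/vars.strong"
fi
```

Run it as `sh lint_vars.sh --demo`, or call `lint_vars ./vars` against your own file before `. ./vars`; an empty result means the file passed.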


4. Keys creation

sudo -i
. ./vars
./clean-all
./build-ca

[ENTER] keeps the default values set in vars. The only exception is the CN: make sure you use a unique CN.
If the default is kept, 'FunStudios CA' is proposed.

./build-key-server server

(no challenge password)
[ENTER] keeps the default values set in vars.
CN: if the default is kept, 'server' is proposed.
No optional attributes; answer 'yes' to the two confirmation prompts.

./build-key client_kevin

(no challenge password)
[ENTER] keeps the default values set in vars.
CN: if the default is kept, 'client_kevin' is proposed.
No optional attributes; answer 'yes' to the two confirmation prompts.

./build-key client_john

(no challenge password)
[ENTER] keeps the default values set in vars.
CN: if the default is kept, 'client_john' is proposed.
No optional attributes; answer 'yes' to the two confirmation prompts.

We generate the Diffie-Hellman parameters:

./build-dh

(note the leading dot: dot, slash, build-dh; this creates the dh1024.pem file)

Once again, note that all your CNs have to be different.

Some explanations

The challenge password:
The challenge password is used internally by the CA, for various purposes (key revocation, ...). It is not to be confused with a passphrase-encrypted key, where the passphrase protects the key itself and must be entered every time a program uses the key.

To create passphrase-encrypted keys, use:
./build-key-pass client_kevin
(instead of ./build-key client_kevin)

To create Windows-friendly keys (PKCS #12 format), use:
./build-key-pkcs12 client_kevin
(instead of ./build-key client_kevin)

5. Keys management and usage

The keys are in the keys/ subfolder. They are:

for the server:

ca.crt              root CA certificate
server.key          server key
server.crt          server certificate
dh1024.pem          Diffie-Hellman parameters

for the clients:

ca.crt              root CA certificate
client_kevin.crt    client_kevin certificate
client_kevin.key    client_kevin key
client_john.crt     client_john certificate
client_john.key     client_john key

Let's sum up the different keys, their role, and their secrecy requirements:

[Chart "VPN 12 : Setting up a Debian Public Key Infrastructure" not reproduced here. Source: copied from the chart on openvpn.net]


Other files found in the keys/ subfolder:
server.csr, client_kevin.csr, client_john.csr
These are Certificate Signing Request (CSR) files.

Only the .key files must be kept confidential; .csr and .crt files can be sent over insecure (unencrypted) channels.
Normally, each computer has its own certificate/key pair.

Source: openvpn.net
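Two of the rules above are easy to break quietly: reusing a CN (the post requires every CN to be unique) and leaving a .key file readable by other users on the CA machine. As an added example (not part of the original post), here is a small POSIX shell audit of the keys/ subfolder that checks both. It assumes the layout Easy-RSA 2.0 produces: keys/index.txt is OpenSSL's CA database, one tab-separated line per issued certificate (status, expiry, revocation date, serial, file name, subject DN), and private keys are the *.key files. The sample directory it builds, mirroring the post's server, client_kevin and client_john, is constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: audit an Easy-RSA 2.0 keys/ directory.
# Assumes keys/index.txt is OpenSSL's tab-separated CA database and that private
# keys end in .key. The sample directory below is constructed for the demo.

# Build a throwaway keys/ directory with one reused CN and one over-permissive key.
make_sample_keys_dir() {
  dir=$(mktemp -d)
  dn='/C=US/ST=VA/L=Norfolk/O=FunStudios/OU=Creation'
  {
    printf 'V\t231012190800Z\t\t01\tunknown\t%s/CN=server/emailAddress=contact@FunStudios.org\n' "$dn"
    printf 'V\t231012190900Z\t\t02\tunknown\t%s/CN=client_kevin/emailAddress=contact@FunStudios.org\n' "$dn"
    printf 'R\t231012191000Z\t131014210800Z\t03\tunknown\t%s/CN=client_john/emailAddress=contact@FunStudios.org\n' "$dn"
    printf 'V\t231012191100Z\t\t04\tunknown\t%s/CN=client_kevin/emailAddress=contact@FunStudios.org\n' "$dn"
  } > "$dir/index.txt"
  for f in ca server client_kevin client_john; do
    : > "$dir/$f.key"; chmod 600 "$dir/$f.key"   # private keys: owner-only
    : > "$dir/$f.crt"; chmod 644 "$dir/$f.crt"   # certificates may be world-readable
  done
  chmod 644 "$dir/client_john.key"               # deliberately too permissive for the demo
  printf '%s\n' "$dir"
}

# List every issued certificate as "status serial CN", one per line.
list_certs() {
  awk -F'\t' '{ cn = $6; sub(/.*\/CN=/, "", cn); sub(/\/.*/, "", cn); print $1, $4, cn }' "$1/index.txt"
}

# CNs present on more than one non-revoked (status V) certificate.
duplicate_cns() {
  awk -F'\t' '$1 == "V" { cn = $6; sub(/.*\/CN=/, "", cn); sub(/\/.*/, "", cn); print cn }' "$1/index.txt" \
    | sort | uniq -d
}

# Private keys readable by group or others; only the owner should be able to read them.
exposed_keys() {
  find "$1" -name '*.key' \( -perm -040 -o -perm -004 \) -exec basename {} \; | sort
}

# Human-readable report over one keys/ directory.
audit_keys_dir() {
  echo "Issued certificates (status serial CN):"
  list_certs "$1"
  dups=$(duplicate_cns "$1")
  [ -z "$dups" ] || echo "WARNING: CN reused on several valid certificates: $dups"
  exposed=$(exposed_keys "$1")
  [ -z "$exposed" ] || echo "WARNING: private key(s) readable by other users: $exposed"
}

if [ "${1:-}" = "--demo" ]; then
  audit_keys_dir "$(make_sample_keys_dir)"
fi
```

Run `sh audit_keys.sh --demo` to see the report on the constructed directory, or call `audit_keys_dir /path/to/keys` on a real one after a `./build-key`; a clean run prints only the certificate list.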

6. Adding clients later

. ./vars
./build-key-pass client_tom

(this time we do not clean the directory with ./clean-all, which would wipe the existing CA and keys)
(./build-key-pass creates a password-protected key)


Published by computer outlines, in VPN PPTP OPENVPN