Easy-RSA - Install - CORE STUDY - GotITAdminGotITAdmin

Reading Time: 2 minutes

Last edit: 5/28/2024

Easy-RSA is OpenSource Certificate Management system.

I am going to post some short hand notes regarding this. It’s too important not to know. I have no idea why I haven’t worked with this more in the past. However this is deserving of more than what I have here for the immediate two seconds. However I would rather have something than nothing. I will put a date above to help shame myself. 🙂

This is going to bring up some important concepts like reviewing / managing CAs for your environment.

Forward: EASY-RSA co-exists with the OpenVPN code they are not broken into separate repositories. Don’t let this deter you. Another thumbs up to digital oceans. Most of the stuff below will be for installing easy-rsa on Ubuntu. If your not on Ubuntu I am guessing you can pull what you need from the github repository noted below.

Install

Installation is easy and is a two step process. Step 1: we install the binaries. Step 2: we initialize the CA and create the root CA.

Step 1: Install the binaries

We can use APT to install easy-rsa from the base Ubuntu repositories.

sudo apt update
sudo apt install openvpn easy-rsa

Step 2: Initialize the CA

Now it’s a matter of creating a directory to “manage” the deployment. This “management” directory holds all the files and configurations used to configure your Certificate Authority (CA)

The following script shows how one might create the initial configuration.
Please note, in this case, the user I am using to create this is one named “ubuntu” so this is being create in /home/ubuntu….

 mkdir ~/easy-rsa
 ln -s /usr/share/easy-rsa/* ~/easy-rsa/
 chmod 700 /home/ubuntu/easy-rsa
 cd ~/easy-rsa
 ./easyrsa init-pki
 ls -al
 nano vars
 ./easyrsa build-ca

Your Done. 🙂

Just a quick reminder; assuming we unpacked this in /home/ubuntu then there would be a /home/ubuntu/easy-rsa/pki folder with a file named ca.crt

Choice portions of the decoding would look as found below.. This is extremely edited for size as this is a long listing.

root@easy-rsa:/home/ubuntu/easy-rsa/pki# openssl x509 -in ca.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            2c:65:82:6d:ca:1b:fc:c3:61:0a:aa:1c:64:06:82:39:b8:a3:ce:1a
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = Easy-RSA CA
        Validity
            Not Before: Dec 27 20:45:10 2021 GMT
            Not After : Dec 25 20:45:10 2031 GMT
        Subject: CN = Easy-RSA CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)

Remember this is the CAs cert. This cert you might have to give to workstations so that generated certs are trusted. Probably the cert you commonly use, and I will name GoDaddy would have a cert stored in your “Trusted CA” store.

# Using Easy-RSA

Please see example usage case such as with S3 and Minio.

url:
https://github.com/OpenVPN/easy-rsa
https://easy-rsa.readthedocs.io/en/latest/
https://www.digitalocean.com/community/tutorials/how-to-set-up-and-configure-an-openvpn-server-on-ubuntu-20-04

Easy-RSA – Install – CORE STUDY

Recent Posts