
Last edit: 4/19/2024

Easy-RSA is an open-source certificate management system.

I am going to post some shorthand notes regarding this. It’s too important not to know. I have no idea why I haven’t worked with this more in the past. However, this is deserving of more than what I have here for the immediate two seconds. However, I would rather have something than nothing. I will put a date above to help shame myself. 🙂

This is going to bring up some important concepts like reviewing / managing CAs for your environment.

Foreword: Easy-RSA co-exists with the OpenVPN code; they are not broken into separate repositories. Don’t let this deter you. Another thumbs up to DigitalOcean. Most of the stuff below will be for installing Easy-RSA on Ubuntu. If you’re not on Ubuntu, I am guessing you can pull what you need from the GitHub repository noted below.


Installation is easy and is a two-step process. Step 1: we install the binaries. Step 2: we initialize the PKI and create the root CA.

Step 1: Install the binaries

We can use APT to install easy-rsa from the base Ubuntu repositories.

sudo apt update
sudo apt install openvpn easy-rsa

Step 2: Initialize the CA

Now it’s a matter of creating a directory to “manage” the deployment. This “management” directory holds all the files and configurations used to configure your Certificate Authority (CA).

The following script shows how one might create the initial configuration.
Please note, in this case, the user I am using to create this is named “ubuntu”, so this is being created in /home/ubuntu….

 mkdir ~/easy-rsa
 ln -s /usr/share/easy-rsa/* ~/easy-rsa/
 chmod 700 /home/ubuntu/easy-rsa
 cd ~/easy-rsa
 ./easyrsa init-pki
 ls -al
 nano vars
 ./easyrsa build-ca

You’re done. 🙂

# Using Easy-RSA

Now let’s discuss how to use Easy-RSA. In this example we are going to create our first certificate.

Let’s say you were going to create a certificate for Rancher. I am going to use the following shorthand to symbolize pasting in the “rancher” CSR.

cd /tmp
vi rancher-server.req

Now that we have the CSR on the box we can use Easy-RSA to sign the CSR.

cd ~/easy-rsa
./easyrsa import-req /tmp/rancher-server.req rancher-server
./easyrsa sign-req server rancher-server
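
Signing a CSR makes the CA vouch for whatever name and key the request carries, so it is worth inspecting the file before `import-req`. The following is an added example, not part of the original notes or of Easy-RSA: `csr_precheck` and `MIN_RSA_BITS` are hypothetical names, the 2048-bit floor is an assumed policy, and the sample CSR is constructed in a temp directory.

```shell
#!/bin/sh
# Added example: inspect a CSR before handing it to "easyrsa import-req".
# csr_precheck and MIN_RSA_BITS are hypothetical names, not part of Easy-RSA.

MIN_RSA_BITS=2048   # assumed policy floor, adjust to your own standard

csr_precheck() {
    req="$1"
    min_bits="${2:-$MIN_RSA_BITS}"

    # 1. The request must parse and its self-signature must verify, which
    #    proves the requester holds the private key. Match on the message
    #    text, because older OpenSSL releases exit 0 even on failure.
    if ! openssl req -in "$req" -noout -verify 2>&1 | grep -q "verify OK"; then
        echo "REJECT: $req is unreadable or its self-signature is invalid" >&2
        return 1
    fi

    text=$(openssl req -in "$req" -noout -text 2>/dev/null)

    # 2. Enforce a minimum modulus size for RSA keys (other key types are
    #    only reported, not size-checked, in this example).
    if printf '%s\n' "$text" | grep -q "Public Key Algorithm: rsaEncryption"; then
        bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
        if [ -z "$bits" ] || [ "$bits" -lt "$min_bits" ]; then
            echo "REJECT: RSA key is ${bits:-unknown} bits, need >= $min_bits" >&2
            return 2
        fi
    fi

    # 3. Show the identity the CA is about to vouch for, for human review.
    openssl req -in "$req" -noout -subject
    printf '%s\n' "$text" | grep -A1 "Subject Alternative Name" || echo "(no SAN extension requested)"
    return 0
}

# Constructed sample input: a throwaway key and CSR in a temp directory.
demo_dir=$(mktemp -d)
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=rancher.example.test" \
    -keyout "$demo_dir/demo.key" -out "$demo_dir/rancher-server.req" 2>/dev/null
printf 'not a csr\n' > "$demo_dir/garbage.req"

csr_precheck "$demo_dir/rancher-server.req" && echo "OK to import"
csr_precheck "$demo_dir/garbage.req" || echo "garbage.req rejected"
```

Once a request has been imported, `./easyrsa show-req rancher-server` prints the same details from inside the PKI before you run `sign-req`.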


A default location for certs on Ubuntu is: /etc/ssl/certs


start here url:
