Easy-RSA – Install – CORE STUDY


Last edit: 5/28/2024

Easy-RSA is an open-source certificate management system.

I am going to post some shorthand notes regarding this. It’s too important not to know. I have no idea why I haven’t worked with this more in the past. However, this is deserving of more than what I have here for the immediate two seconds. However, I would rather have something than nothing. I will put a date above to help shame myself. 🙂

This is going to bring up some important concepts like reviewing / managing CAs for your environment.

Foreword: Easy-RSA co-exists with the OpenVPN code; they are not broken into separate repositories. Don’t let this deter you. Another thumbs up to DigitalOcean. Most of the stuff below will be for installing easy-rsa on Ubuntu. If you're not on Ubuntu, I am guessing you can pull what you need from the GitHub repository noted below.

Install

Installation is easy and is a two-step process. Step 1: we install the binaries. Step 2: we initialize the CA and create the root CA.

Step 1: Install the binaries

We can use APT to install easy-rsa from the base Ubuntu repositories.

sudo apt update
sudo apt install openvpn easy-rsa

Step 2: Initialize the CA

Now it’s a matter of creating a directory to “manage” the deployment. This “management” directory holds all the files and configurations used to configure your Certificate Authority (CA).

The following script shows how one might create the initial configuration.
Please note, in this case, the user I am using to create this is one named “ubuntu” so this is being created in /home/ubuntu….

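 # Create the management directory and link in the packaged Easy-RSA scripts
 mkdir ~/easy-rsa
 ln -s /usr/share/easy-rsa/* ~/easy-rsa/
 # Restrict the directory to its owner; the CA private key will live under it
 chmod 700 /home/ubuntu/easy-rsa
 cd ~/easy-rsa
 # Initialize the PKI directory structure (creates ./pki)
 ./easyrsa init-pki
 ls -al
 # Edit the vars file that holds the CA's settings
 nano vars
 # Create the root CA key and certificate
 ./easyrsa build-ca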

You're done. 🙂


Just a quick reminder: assuming we unpacked this in /home/ubuntu, there would be a /home/ubuntu/easy-rsa/pki folder with a file named ca.crt.


Choice portions of the decoded ca.crt look as found below. This is extremely edited for size, as this is a long listing.

root@easy-rsa:/home/ubuntu/easy-rsa/pki# openssl x509 -in ca.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            2c:65:82:6d:ca:1b:fc:c3:61:0a:aa:1c:64:06:82:39:b8:a3:ce:1a
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = Easy-RSA CA
        Validity
            Not Before: Dec 27 20:45:10 2021 GMT
            Not After : Dec 25 20:45:10 2031 GMT
        Subject: CN = Easy-RSA CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)

Remember, this is the CA's cert. You might have to give this cert to workstations so that the certs it issues are trusted. The CA behind the cert you commonly use (I will name GoDaddy) probably already has its cert stored in your “Trusted CA” store.
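The trust relationship described above, as an added example that is not part of the original post: openssl stands in for easyrsa to build a throwaway root named like the one in the listing, sign a server cert with it, and show that verification succeeds only when the verifier holds that ca.crt. The function names, the second CA and server.example.test are constructed for illustration.

```shell
#!/bin/sh
# Added example: openssl stands in for easyrsa; every name here is constructed.

# make_ca DIR NAME CN: self-signed root, like the ca.crt that build-ca produces
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=$3" -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null &&
    chmod 600 "$1/$2.key"   # the CA private key must stay owner-only
}

# issue_cert DIR CA LEAF CN: key + CSR for LEAF, then sign it with DIR/CA.key
issue_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$4" \
        -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" \
        -CAcreateserial -days 30 -out "$1/$3.crt" 2>/dev/null
}

# is_self_signed CERT: true when Subject equals Issuer, as in the listing above
is_self_signed() {
    s=$(openssl x509 -in "$1" -noout -subject) || return 1
    i=$(openssl x509 -in "$1" -noout -issuer) || return 1
    [ "${s#*=}" = "${i#*=}" ]
}

# trusted_by CA_CERT CERT: true only if CERT chains to CA_CERT
trusted_by() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

demo() {
    d=$(mktemp -d) || return 1
    make_ca "$d" ca "Easy-RSA CA"
    make_ca "$d" other "Unrelated CA"
    issue_cert "$d" ca server "server.example.test"
    is_self_signed "$d/ca.crt" && echo "ca.crt: self-signed root"
    trusted_by "$d/ca.crt" "$d/server.crt" && echo "server.crt: trusted with ca.crt"
    trusted_by "$d/other.crt" "$d/server.crt" || echo "server.crt: rejected without ca.crt"
    rm -rf "$d"
}

demo
```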


# Using Easy-RSA

Please see example use cases, such as with S3 and MinIO.

url:
https://github.com/OpenVPN/easy-rsa
https://easy-rsa.readthedocs.io/en/latest/
https://www.digitalocean.com/community/tutorials/how-to-set-up-and-configure-an-openvpn-server-on-ubuntu-20-04
