Last Updated: 8/21/2024
We are going to do this in a few steps.
Step 1: Create request for easy-rsa
First this we will do is create a text file some where, anywhere.. in this case I am naming the file request.cnf. That is important for creating the CSR file.
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no
[ req_distinguished_name ]
countryName = US
stateOrProvinceName = Somestate
localityName = Boomtown
organizationName = Sparelabs Inc.
commonName = vault.sparelab.net
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1 = vault.sparelab.net
IP.1 = 192.168.160.24
Now we use the request.cnf file and we make an initial-request. Through this we end up with a private key.
root@vault:~# openssl req -out request.csr -newkey rsa:2048 -nodes -keyout private.key -config request.cnf
...+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*......+.+..............+......+.+...+...............+............+..+.+...........+.+++++++
Now we have the CSR file. We can feed this to easy-rsa.
Step 2:enter the request
root@easy-rsa:/home/ubuntu/easy-rsa# ./easyrsa import-req /tmp/request.csr vault
Using SSL: openssl OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)
The request has been successfully imported with a short name of: vault
You may now use this name to perform signing operations on this request.
Step 3: Sign the request
We copy the request to the easy-rsa server. I would put the csr in the /tmp directory. Then we can begin to sign the request.
root@easy-rsa:/home/ubuntu/easy-rsa# ./easyrsa sign-req server vault
Using SSL: openssl OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a server certificate for 825 days:
subject=
countryName = US
stateOrProvinceName = Somestate
localityName = Boomtown
organizationName = Sparelabs Inc.
commonName = vault.sparelab.net
X509v3 Subject Alternative Name:
DNS:vault.sparelab.net,IP:192.168.160.24
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes
Using configuration from /home/ubuntu/easy-rsa/pki/easy-rsa-50749.wyqR5k/tmp.RXdgm3
Enter pass phrase for /home/ubuntu/easy-rsa/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'US'
stateOrProvinceName :ASN.1 12:'Somestate'
localityName :ASN.1 12:'Boomtown'
organizationName :ASN.1 12:'Sparelabs Inc.'
commonName :ASN.1 12:'vault.sparelab.net'
Certificate is to be certified until Nov 24 20:18:16 2026 GMT (825 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /home/ubuntu/easy-rsa/pki/issued/vault.crt
./easyrsa sign-req server vault
What just happened. We used the easy-rsa utility to sign the cert. It created the cert and stuck it (in my case) in /home/ubuntu/easy-rsa/pki/issued/vault.crt
Step 4: Put key and cert into place.
Now we place everything we have gathered into place.
Vault would have created self signed certs when it started. That might be a very bad idea.
root@vault:/opt/vault/tls# ls -la
total 16
drwx------ 2 vault vault 4096 Aug 21 18:58 .
drwxr-xr-x 4 vault vault 4096 Aug 21 18:58 ..
-rw------- 1 vault vault 1850 Aug 21 18:58 tls.crt
-rw------- 1 vault vault 3272 Aug 21 18:58 tls.key
Important: Don’t Forget to add the Easy-Rsa Cert to the servers list of ca=certificates in order for the server to trust the “vault” cert which was signed by easy-rsa.
root@vault:/usr/local/share/ca-certificates# ls -la
total 12
drwxr-xr-x 2 root root 4096 Aug 21 21:32 .
drwxr-xr-x 7 root root 4096 Aug 21 18:03 ..
-rw-r--r-- 1 root root 1205 Aug 21 21:32 easy-rsa.crt
Now you can run “update-ca-certificates” so that your server learns and trusts the local on prem CA (Easy-Rsa)
root@vault:/usr/local/share/ca-certificates# update-ca-certificates
Updating certificates in /etc/ssl/certs...
rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
We can edit the tls.cert file and put into it’s place the output from above. The /home/ubuntu/easy-rsa/pki/issued/vault.crt file.