-
Notifications
You must be signed in to change notification settings - Fork 2
/
README
177 lines (141 loc) · 6.67 KB
/
README
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
Easy-RSA 2.x based on original Easy-RSA 2.0-rc1 found in OpenVPN 2.x branch
===========================================================================
From easy-rsa/README-2.0:
-------------------------
This is a small RSA key management package, based on the openssl
command line tool, that can be found in the easy-rsa subdirectory
of the OpenVPN distribution. While this tool is primary concerned
with key management for the SSL VPN application space, it can also
be used for building web certificates.
This work initially based on original EASY-RSA 2.0-rc1 found in openvpn-2.2.1
package from Debian GNU/Linux 7.x (wheezy). However development is moved then
to https://github.com/OpenVPN/easy-rsa/tree/release/2.x which is closed now.
Main objectives for this reimplementation are following:
--------------------------------------------------------
o Support CRL for intermediate CAs at any depth
o Support for multiple subjectAltName (Subject Alternative Names, SAN)
o Seamless certificate reissue with same subjectName and private key
o OpenVPN profile (file.ovpn) for Android/iOS/MacOS/Windows clients
and config directory for Linux/BSD systems (both client and server)
o Lighttpd with TLS/SSL and mod_secdownload support for secure
client/server certificates (not implemented, PKCS#12 could be used
for this purpose as single container for everything), CA certificate,
CRLs and OpenVPN profiles/configuration (primary focus) distribution
to end users
o Multi-user support (could be useful for study purposes)
o RSA 2048 bit keys and SHA256 by default
o Revised security. Passwords passed via environment, sane filesystem
permissions and ownership, private keys always encrypted with
random passphrase generated from /dev/urandom, helper to run CA
commands in pristine environment
o Helpers to list OpenSSL index.txt certificate database
o Arhcive expired certificates to keep index.txt small automatically
o Misc improvements and bugfixes to pkitool a core utility
Installation
------------
Use standard installsh steps:
$ cd /tmp
$ git clone --recursive https://github.com/serhepopovych/easy-rsa
$ cd easy-rsa
$ sudo -i \
fqdn='easy-rsa.example.com' \
hostname='easy-rsa' \
domain='example.com' \
users='certmgr user1 user2' \
./deploy.sh -d 'opt' \
#
Since easy-rsa supports multiuser configurations, no user by default has
preconfigured easy-rsa/ in it's home directory at creation time because
no easy-rsa/ installed in /etc/skel, you must manually copy skeleton
from <install_dir>/easy-rsa/skel/* to user home directory:
Note that on SELinux enforced systems (e.g. RHEL/CentOS) you need to add
following configuration:
# Make sure policycoreutils installed
$ sudo yum install -y policycoreutils
# Allow setrlimit for lighttpd process
$ sudo setsebool -P httpd_setrlimit 1
# Allow access to user home directories for mod_userdir
$ sudo setsebool -P httpd_read_user_content 1
# Make sure policycoreutils-python or
# policycoreutils-python-utils installed
$ sudo yum install policycoreutils-python || \
sudo yum install policycoreutils-python-utils
# Allow lighttpd to execute xbin/* and xbin/mod/*/* helpers
$ cd ~
$ cat >comm_lighttpd_users_conf_sh.te <<'_EOF'
module comm_lighttpd_users_conf_sh 1.0;
require {
type httpd_config_t;
type httpd_t;
class file { execute execute_no_trans };
}
#============= httpd_t ==============
allow httpd_t httpd_config_t:file { execute execute_no_trans };
_EOF
$ checkmodule -M -m -o comm_lighttpd_users_conf_sh.mod \
comm_lighttpd_users_conf_sh.te
$ semodule_package -o comm_lighttpd_users_conf_sh.pp -m \
comm_lighttpd_users_conf_sh.mod
$ sudo semodule -r comm_lighttpd_users_conf_sh
$ sudo semodule -i comm_lighttpd_users_conf_sh.pp
Usage
-----
$ /opt/easy-rsa/exec-ca --help
usage: /opt/easy-rsa/exec-ca [NAME=VAL...] [options] [--] <ca> <command> [<args> ...]
options : options for exec-ca
--runas run as specified user instead of current (i.e. $USER)
--help|--usage
this help message
--version this program version
ca : the CA directory (KEY_DIR) of the PKI to run command on
command : command to run with PKI environment read from vars-<ca>
args : (optional) arguments to <command>
Example: /opt/easy-rsa/exec-ca webCA build-ca (build webCA)
/opt/easy-rsa/exec-ca webCA (execute $SHELL with environment from vars-webCA)
$ /opt/easy-rsa/exec-ca --runas certmgr ovpnCA ovpn-mkconfig-client --help
Usage: mkconfig [options] <CommonName>
Options:
--remote : Remote OpenVPN peer hostname or IP address
--port : Port to use on remote OpenVPN host (default: 1194)
--proto : Protocol used to connect to peer (default: udp)
--mode : Mode used to connect to peer (default: client)
--instance : Instance name to use as subdirectory name (default: --mode)
--newkey : Force new private key creation (default: no)
--help|--usage
: This help message
--version : This program version
<CommonName> is a X.509 "Common Name" used to distinguish peer.
It can be either hostname when --mode is "server" or legal name
of user when --mode is "client".
Examples
--------
# Build self-signed RootCA certificate
$ /opt/easy-rsa/exec-ca KEY_CN='Example.Net RootCA' --runas certmgr -- \
RootCA build-ca --keysize 4096 RootCA
# Build child CAs: webCA and ovpnCA
$ /opt/easy-rsa/exec-ca \
KEY_CN='OpenVPN Intermediate CA' --runas certmgr -- \
RootCA build-inter --keysize 4096 ovpnCA
$ /opt/easy-rsa/exec-ca \
KEY_CN='WebServices Intermediate CA' --runas certmgr -- \
RootCA build-inter --keysize 4096 webCA
# Build OpenVPN server certificate, profile and configuration
$ /opt/easy-rsa/exec-ca --runas certmgr -- ovpnCA \
ovpn-mkconfig-server 'vpn.example.net'
# Build OpenVPN client certificate and profile
$ /opt/easy-rsa/exec-ca --runas certmgr -- ovpnCA \
ovpn-mkconfig-client 'Test user'
# Remove all certificates (including CA certificate itself) issued
# by this and all child CAs; cleans up index.txt database
$ /opt/easy-rsa/exec-ca --runas certmgr -- RootCA clean-all
# Enter interactive shell with pristine environment and $PATH
# pointing to /opt/easy-rsa and extensions/xbin.
$ /opt/easy-rsa/exec-ca --runas certmgr ovpnCA
# list certificates issued by authority (from openssl index.txt file)
easy-rsa:ovpnCA> list-index-txt
# show CRL (Certificate Revocation List)
easy-rsa:ovpnCA> list-crl
# build OpenVPN client certificate and profile
easy-rsa:ovpnCA> ovpn-mkconfig-client 'Test user2'
# revoke previously build OpenVPN client certificate
easy-rsa:ovpnCA> revoke-full 'Test user2'