EasyRSA is a CLI utility to build and manage a PKI CA (Certificate Authority). Here, you will learn how to install and use it on CentOS / RHEL 8.
Table of Contents:
- What is EasyRSA?
- Environment Specification
- Update Software Packages in CentOS / Red Hat Enterprise Linux
- Installing EasyRSA on CentOS / Red Hat Enterprise Linux
- Generate PKI Directory and CA Certificate
- Generate and Sign Server SSL Certificate
- Generate Diffie-Hellman Key
- Generate and Sign Client SSL Certificate
- Conclusion
What is EasyRSA?:
EasyRSA is a free and open source CLI utility to create a root certificate authority, and request and sign certificates, including intermediate CAs and certificate revocation lists (CRL).
Recommended Book: The Linux Command Line, 2nd Edition: A Complete Introduction by William Shotts
Recommended Training: SSL/TLS Fundamentals at Udemy
Environment Specification:
We are using a minimal RHEL 8 virtual machine with following specifications.
- CPU - 3.4 Ghz (2 cores)
- Memory - 2 GB
- Storage - 40 GB
- Operating System - Red Hat Enterprise Linux 8.3
- Hostname – easyrsa-01.centlinux.com
- IP Address - 192.168.116.238 /24
Update Software Packages in CentOS / Red Hat Enterprise Linux:
Connect with easyrsa-01.centlinux.com as root user by using a SSH client.
It is a best practice to update software packages in your Linux distro, before installing any new software on it.
Therefore, execute dnf command to update software packages in your CentOS / Red Hat Enterprise Linux.
# dnf update -y
Verify the Linux Kernel version being used in this installation guide.
# uname -r
4.18.0-240.22.1.el8_3.x86_64
Verify the Linux distro version being used in this installation guide.
# cat /etc/redhat-release
Red Hat Enterprise Linux release 8.3 (Ootpa)
Installing EasyRSA on CentOS / Red Hat Enterprise Linux:
With the help of wget command, download latest version of EasyRSA.
# cd /opt/ # wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.8/EasyRSA-3.0.8.tgz
Extract downloaded tarball by executing tar command at Linux bash prompt.
# tar xvf EasyRSA-3.0.8.tgz
Rename the extracted directory as follows.
# mv EasyRSA-3.0.8 easy-rsa
Generate PKI Directory and CA Certificate:
Invoke the easyrsa command to generate pki directory.
# cd easy-rsa # ./easyrsa init-pki init-pki complete; you may now create a CA or requests. Your newly created PKI dir is: /opt/easy-rsa/pki
Generate your Certificate Authority (CA) certificate, which will be used to sign server and client Certificate Signing Requests (CSR).
# ./easyrsa build-ca Using SSL: openssl OpenSSL 1.1.1g FIPS 21 Apr 2020 Enter New CA Key Passphrase: Re-Enter New CA Key Passphrase: Generating RSA private key, 2048 bit long modulus (2 primes) ................+++++ ............................+++++ e is 65537 (0x010001) You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Common Name (eg: your user, host, or server name) [Easy-RSA CA]:CentLinux CA CA creation complete and you may now import and sign cert requests. Your new CA certificate file for publishing is at: /opt/easy-rsa/pki/ca.crt
Generate and Sign Server SSL Certificate:
Generate a RSA Private Key and CSR for your Linux server.
# ./easyrsa gen-req easyrsa-01.centlinux.com nopass
Using SSL: openssl OpenSSL 1.1.1g FIPS 21 Apr 2020
Generating a RSA private key
..................................+++++
.........+++++
writing new private key to '/opt/easy-rsa/pki/easy-rsa-3156.k8Hinw/tmp.d8ywZV'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [easyrsa-01.centlinux.com]:
Keypair and certificate request completed. Your files are:
req: /opt/easy-rsa/pki/reqs/easyrsa-01.centlinux.com.req
key: /opt/easy-rsa/pki/private/easyrsa-01.centlinux.com.key
Sign your server CSR by using Certificate Authority (CA) private key.
# ./easyrsa sign-req server easyrsa-01.centlinux.com Using SSL: openssl OpenSSL 1.1.1g FIPS 21 Apr 2020 You are about to sign the following certificate. Please check over the details shown below for accuracy. Note that this request has not been cryptographically verified. Please be sure it came from a trusted source or that you have verified the request checksum with the sender. Request subject, to be signed as a server certificate for 825 days: subject= commonName = easyrsa-01.centlinux.com Type the word 'yes' to continue, or any other input to abort. Confirm request details: yes Using configuration from /opt/easy-rsa/pki/easy-rsa-3182.jIol30/tmp.3py67u Enter pass phrase for /opt/easy-rsa/pki/private/ca.key: Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows commonName :ASN.1 12:'easyrsa-01.centlinux.com' Certificate is to be certified until Aug 12 08:41:53 2023 GMT (825 days) Write out database with 1 new entries Data Base Updated Certificate created at: /opt/easy-rsa/pki/issued/easyrsa-01.centlinux.com.crt
You have successfully signed the SSL certificate of your Linux server.
To verify is your SSL Certificate is correctly generated, you can execute openssl command as follows.
# openssl verify -CAfile pki/ca.crt /opt/easy-rsa/pki/issued/easyrsa-01.centlinux.com.crt
/opt/easy-rsa/pki/issued/easyrsa-01.centlinux.com.crt: OK
Generate Diffie-Hellman Key:
Generate a strong Diffie-Hellman key to be used by the key exchange process.
# ./easyrsa gen-dh
Using SSL: openssl OpenSSL 1.1.1g FIPS 21 Apr 2020
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
..............+..............................................................................................................................................................++*++*++*++*
DH parameters of size 2048 created at /opt/easy-rsa/pki/dh.pem
Generate and Sign Client SSL Certificate:
Generate a SSL certificate for your client machines.
# ./easyrsa gen-req client-01.centlinux.com nopass
Using SSL: openssl OpenSSL 1.1.1g FIPS 21 Apr 2020
Generating a RSA private key
.....+++++
.........................................................+++++
writing new private key to '/opt/easy-rsa/pki/easy-rsa-3291.u5C952/tmp.8Ra4q5'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [client-01.centlinux.com]:
Keypair and certificate request completed. Your files are:
req: /opt/easy-rsa/pki/reqs/client-01.centlinux.com.req
key: /opt/easy-rsa/pki/private/client-01.centlinux.com.key
Sign the client SSL certificate as follows.
# ./easyrsa sign-req client client-01.centlinux.com
Using SSL: openssl OpenSSL 1.1.1g FIPS 21 Apr 2020
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a client certificate for 825 days:
subject=
commonName = client-01.centlinux.com
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes
Using configuration from /opt/easy-rsa/pki/easy-rsa-3318.NwnX5d/tmp.YpLhll
Enter pass phrase for /opt/easy-rsa/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'client-01.centlinux.com'
Certificate is to be certified until Aug 12 09:00:41 2023 GMT (825 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /opt/easy-rsa/pki/issued/client-01.centlinux.com.crt
You have successfully generated and signed the client SSL certificate.
Copy your Certificate Authority (CA) certificate in /etc/pki/ca-trust/source/anchors/ of your Linux clients to add your CA to their trusted CA list.
Conclusion:
In this installation guide, we have successfully installed EasyRSA on CentOS / Red Hat Enterprise Linux 8. We have also configured a Certificate Authority and Digitally Signed SSL certificates by using easyrsa command.
Nice post! Thank you!
ReplyDeleteDo you have any suggestion for a more user-friendly PKI system? It'd nice to have a GUI (Web?) where users can manage their certificates.
Hi,
DeleteYou may found a few EasyRSA web UI at GitHub, but I do not recommend using a web ui due to security reasons, since the CLI has enough functionality to manage SSL certificates.