CentLinux | Learn How to Install CentOS/Rocky Linux Servers

Sunday, May 9, 2021

Install EasyRSA Certificate Authority on CentOS / RHEL 8

Install EasyRSA Certificate Authority on CentOS / RHEL 8

EasyRSA is a CLI utility to build and manage a PKI CA (Certificate Authority). Here, you will learn how to install and use it on CentOS / RHEL 8.

 

Table of Contents:

 

What is EasyRSA?:

EasyRSA is a free and open source CLI utility to create a root certificate authority, and request and sign certificates, including intermediate CAs and certificate revocation lists (CRL).

 

Recommended Book: The Linux Command Line, 2nd Edition: A Complete Introduction by William Shotts

Recommended Training: SSL/TLS Fundamentals at Udemy

 

Environment Specification:

We are using a minimal RHEL 8 virtual machine with following specifications.

  • CPU - 3.4 Ghz (2 cores)
  • Memory - 2 GB
  • Storage - 40 GB
  • Operating System - Red Hat Enterprise Linux 8.3
  • Hostname – easyrsa-01.centlinux.com
  • IP Address - 192.168.116.238 /24

 

Update Software Packages in CentOS / Red Hat Enterprise Linux:

Connect with easyrsa-01.centlinux.com as root user by using a SSH client.

It is a best practice to update software packages in your Linux distro, before installing any new software on it.

Therefore, execute dnf command to update software packages in your CentOS / Red Hat Enterprise Linux.

# dnf update -y

Verify the Linux Kernel version being used in this installation guide.

# uname -r
4.18.0-240.22.1.el8_3.x86_64

Verify the Linux distro version being used in this installation guide.

# cat /etc/redhat-release
Red Hat Enterprise Linux release 8.3 (Ootpa)

 

Installing EasyRSA on CentOS / Red Hat Enterprise Linux:

With the help of wget command, download latest version of EasyRSA.

# cd /opt/
# wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.8/EasyRSA-3.0.8.tgz

Extract downloaded tarball by executing tar command at Linux bash prompt.

# tar xvf EasyRSA-3.0.8.tgz

Rename the extracted directory as follows.

# mv EasyRSA-3.0.8 easy-rsa

 

Generate PKI Directory and CA Certificate:

Invoke the easyrsa command to generate pki directory.

# cd easy-rsa
# ./easyrsa init-pki

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /opt/easy-rsa/pki

Generate your Certificate Authority (CA) certificate, which will be used to sign server and client Certificate Signing Requests (CSR).

# ./easyrsa build-ca
Using SSL: openssl OpenSSL 1.1.1g FIPS  21 Apr 2020

Enter New CA Key Passphrase:
Re-Enter New CA Key Passphrase:
Generating RSA private key, 2048 bit long modulus (2 primes)
................+++++
............................+++++
e is 65537 (0x010001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:CentLinux CA

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/opt/easy-rsa/pki/ca.crt

 

Generate and Sign Server SSL Certificate:

Generate a RSA Private Key and CSR for your Linux server.

# ./easyrsa gen-req easyrsa-01.centlinux.com nopass
Using SSL: openssl OpenSSL 1.1.1g FIPS  21 Apr 2020
Generating a RSA private key
..................................+++++
.........+++++
writing new private key to '/opt/easy-rsa/pki/easy-rsa-3156.k8Hinw/tmp.d8ywZV'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [easyrsa-01.centlinux.com]:

Keypair and certificate request completed. Your files are:
req: /opt/easy-rsa/pki/reqs/easyrsa-01.centlinux.com.req
key: /opt/easy-rsa/pki/private/easyrsa-01.centlinux.com.key

Sign your server CSR by using Certificate Authority (CA) private key.

# ./easyrsa sign-req server easyrsa-01.centlinux.com
Using SSL: openssl OpenSSL 1.1.1g FIPS  21 Apr 2020


You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a server certificate for 825 days:

subject=
    commonName                = easyrsa-01.centlinux.com


Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from /opt/easy-rsa/pki/easy-rsa-3182.jIol30/tmp.3py67u
Enter pass phrase for /opt/easy-rsa/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'easyrsa-01.centlinux.com'
Certificate is to be certified until Aug 12 08:41:53 2023 GMT (825 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /opt/easy-rsa/pki/issued/easyrsa-01.centlinux.com.crt

You have successfully signed the SSL certificate of your Linux server.

To verify is your SSL Certificate is correctly generated, you can execute openssl command as follows.

# openssl verify -CAfile pki/ca.crt /opt/easy-rsa/pki/issued/easyrsa-01.centlinux.com.crt
/opt/easy-rsa/pki/issued/easyrsa-01.centlinux.com.crt: OK

 

Generate Diffie-Hellman Key:

Generate a strong Diffie-Hellman key to be used by the key exchange process.

# ./easyrsa gen-dh
Using SSL: openssl OpenSSL 1.1.1g FIPS  21 Apr 2020
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
..............+..............................................................................................................................................................++*++*++*++*

DH parameters of size 2048 created at /opt/easy-rsa/pki/dh.pem

 

Generate and Sign Client SSL Certificate:

Generate a SSL certificate for your client machines.

# ./easyrsa gen-req client-01.centlinux.com nopass
Using SSL: openssl OpenSSL 1.1.1g FIPS  21 Apr 2020
Generating a RSA private key
.....+++++
.........................................................+++++
writing new private key to '/opt/easy-rsa/pki/easy-rsa-3291.u5C952/tmp.8Ra4q5'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [client-01.centlinux.com]:

Keypair and certificate request completed. Your files are:
req: /opt/easy-rsa/pki/reqs/client-01.centlinux.com.req
key: /opt/easy-rsa/pki/private/client-01.centlinux.com.key

Sign the client SSL certificate as follows.

# ./easyrsa sign-req client client-01.centlinux.com
Using SSL: openssl OpenSSL 1.1.1g FIPS  21 Apr 2020


You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a client certificate for 825 days:

subject=
    commonName                = client-01.centlinux.com


Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from /opt/easy-rsa/pki/easy-rsa-3318.NwnX5d/tmp.YpLhll
Enter pass phrase for /opt/easy-rsa/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'client-01.centlinux.com'
Certificate is to be certified until Aug 12 09:00:41 2023 GMT (825 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /opt/easy-rsa/pki/issued/client-01.centlinux.com.crt

You have successfully generated and signed the client SSL certificate.

Copy your Certificate Authority (CA) certificate in /etc/pki/ca-trust/source/anchors/ of your Linux clients to add your CA to their trusted CA list.

Read Also: How to install EasyRSA on Rocky Linux 9


 

Conclusion:

In this installation guide, we have successfully installed EasyRSA on CentOS / Red Hat Enterprise Linux 8. We have also configured a Certificate Authority and Digitally Signed SSL certificates by using easyrsa command.

If you find this article useful? Consider supporting us by Buy Me A Coffee


Read more
By at
Labels:

2 comments:

  1. Pedro Bezunartea LópezOctober 3, 2021 at 6:23 PM

    Nice post! Thank you!

    Do you have any suggestion for a more user-friendly PKI system? It'd nice to have a GUI (Web?) where users can manage their certificates.

    ReplyDelete
    Replies
    1. Ahmer MOctober 5, 2021 at 12:10 AM

      Hi,

      You may found a few EasyRSA web UI at GitHub, but I do not recommend using a web ui due to security reasons, since the CLI has enough functionality to manage SSL certificates.

      Delete

Subscribe to: Post Comments (Atom)
© 2023 CentLinux. All Rights Reserved.