Install EasyRSA Certificate Authority on CentOS / RHEL 8 - CentLinux

Sunday, 9 May 2021

Install EasyRSA Certificate Authority on CentOS / RHEL 8

EasyRSA is a CLI utility to build and manage a PKI CA (Certificate Authority). Here, you will learn how to install and use it on CentOS / RHEL 8.

What is EasyRSA?:

EasyRSA is a free and open source CLI utility to create a root certificate authority, and request and sign certificates, including intermediate CAs and certificate revocation lists (CRL).

Environment Specification:

We are using a minimal RHEL 8 virtual machine with the following specifications.

  • CPU - 3.4 GHz (2 cores)
  • Memory - 2 GB
  • Storage - 40 GB
  • Operating System - Red Hat Enterprise Linux 8.3
  • Hostname - easyrsa-01.centlinux.com
  • IP Address - 192.168.116.238/24

Update Software Packages in CentOS / Red Hat Enterprise Linux:

Connect to easyrsa-01.centlinux.com as the root user using an SSH client.

It is a best practice to update the software packages in your Linux distro before installing any new software on it.

Therefore, execute the dnf command to update the software packages on your CentOS / Red Hat Enterprise Linux system.

# dnf update -y

Verify the Linux Kernel version being used in this installation guide.

# uname -r
4.18.0-240.22.1.el8_3.x86_64

Verify the Linux distro version being used in this installation guide.

# cat /etc/redhat-release
Red Hat Enterprise Linux release 8.3 (Ootpa)

Installing EasyRSA on CentOS / Red Hat Enterprise Linux:

With the help of the wget command, download the latest version of EasyRSA.

# cd /opt/
# wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.8/EasyRSA-3.0.8.tgz

Extract the downloaded tarball by executing the tar command at the Linux bash prompt.

# tar xvf EasyRSA-3.0.8.tgz

Rename the extracted directory as follows.

# mv EasyRSA-3.0.8 easy-rsa

Generate PKI Directory and CA Certificate:

Invoke the easyrsa command to generate the PKI directory.

# cd easy-rsa
# ./easyrsa init-pki

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /opt/easy-rsa/pki

Generate your Certificate Authority (CA) certificate, which will be used to sign server and client Certificate Signing Requests (CSR).

# ./easyrsa build-ca
Using SSL: openssl OpenSSL 1.1.1g FIPS 21 Apr 2020

Enter New CA Key Passphrase:
Re-Enter New CA Key Passphrase:
Generating RSA private key, 2048 bit long modulus (2 primes)
................+++++
............................+++++
e is 65537 (0x010001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:CentLinux CA

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/opt/easy-rsa/pki/ca.crt

Generate and Sign Server SSL Certificate:

Generate an RSA private key and a CSR for your Linux server.

# ./easyrsa gen-req easyrsa-01.centlinux.com nopass
Using SSL: openssl OpenSSL 1.1.1g FIPS 21 Apr 2020
Generating a RSA private key
..................................+++++
.........+++++
writing new private key to '/opt/easy-rsa/pki/easy-rsa-3156.k8Hinw/tmp.d8ywZV'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [easyrsa-01.centlinux.com]:

Keypair and certificate request completed. Your files are:
req: /opt/easy-rsa/pki/reqs/easyrsa-01.centlinux.com.req
key: /opt/easy-rsa/pki/private/easyrsa-01.centlinux.com.key

Sign your server CSR using the Certificate Authority (CA) private key.

# ./easyrsa sign-req server easyrsa-01.centlinux.com
Using SSL: openssl OpenSSL 1.1.1g FIPS 21 Apr 2020

You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a server certificate for 825 days:

subject=
    commonName                = easyrsa-01.centlinux.com

Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from /opt/easy-rsa/pki/easy-rsa-3182.jIol30/tmp.3py67u
Enter pass phrase for /opt/easy-rsa/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'easyrsa-01.centlinux.com'
Certificate is to be certified until Aug 12 08:41:53 2023 GMT (825 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /opt/easy-rsa/pki/issued/easyrsa-01.centlinux.com.crt

You have successfully signed the SSL certificate of your Linux server.

To verify that your SSL certificate was generated correctly and chains to your CA, execute the openssl command as follows.

# openssl verify -CAfile pki/ca.crt /opt/easy-rsa/pki/issued/easyrsa-01.centlinux.com.crt
/opt/easy-rsa/pki/issued/easyrsa-01.centlinux.com.crt: OK

Generate Diffie-Hellman Key:

Generate strong Diffie-Hellman parameters (a 2048-bit safe prime, as the output below shows) to be used by the key exchange process.

# ./easyrsa gen-dh
Using SSL: openssl OpenSSL 1.1.1g FIPS 21 Apr 2020
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
..............+..............................................................................................................................................................++*++*++*++*

DH parameters of size 2048 created at /opt/easy-rsa/pki/dh.pem

Generate and Sign Client SSL Certificate:

Generate an RSA private key and a CSR for your client machine, in the same way as for the server.

# ./easyrsa gen-req client-01.centlinux.com nopass
Using SSL: openssl OpenSSL 1.1.1g FIPS 21 Apr 2020
Generating a RSA private key
.....+++++
.........................................................+++++
writing new private key to '/opt/easy-rsa/pki/easy-rsa-3291.u5C952/tmp.8Ra4q5'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [client-01.centlinux.com]:

Keypair and certificate request completed. Your files are:
req: /opt/easy-rsa/pki/reqs/client-01.centlinux.com.req
key: /opt/easy-rsa/pki/private/client-01.centlinux.com.key

Sign the client CSR with your CA as follows.

# ./easyrsa sign-req client client-01.centlinux.com
Using SSL: openssl OpenSSL 1.1.1g FIPS 21 Apr 2020

You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a client certificate for 825 days:

subject=
    commonName                = client-01.centlinux.com

Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from /opt/easy-rsa/pki/easy-rsa-3318.NwnX5d/tmp.YpLhll
Enter pass phrase for /opt/easy-rsa/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'client-01.centlinux.com'
Certificate is to be certified until Aug 12 09:00:41 2023 GMT (825 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /opt/easy-rsa/pki/issued/client-01.centlinux.com.crt

You have successfully generated and signed the client SSL certificate.
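Both sign-req runs above end with "Write out database with 1 new entries": EasyRSA records every certificate it issues in pki/index.txt, the OpenSSL CA database, and that file is the natural place to watch for certificates approaching the end of their 825-day lifetime or already revoked. The following Python script is an added example, not part of the original guide or of EasyRSA itself; it parses index.txt and groups the issued certificates by state. The sample index content, the serial numbers, the revoked client-02 row and the audit() helper are constructed for this example; the two 'V' rows mirror the server and client certificates issued above.

```python
"""Audit an EasyRSA CA database (pki/index.txt) for revoked and expiring certificates.

Added example: this is not part of the original guide or of EasyRSA. It reads the
OpenSSL-format index.txt that `easyrsa sign-req` updates and groups the issued
certificates by state so an operator can spot expiries before clients break.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample of pki/index.txt (tab-separated OpenSSL CA database).
# Fields: status (V valid / R revoked / E expired), expiry as UTCTime
# YYMMDDHHMMSSZ, revocation date[,reason] (empty unless revoked), serial,
# certificate filename ("unknown" in OpenSSL's default layout), subject DN.
# The two 'V' rows mirror the certificates issued in the guide; the serials
# and the revoked client-02 row are made up for this example.
SAMPLE_INDEX = (
    "V\t230812084153Z\t\t6F2A8C1D3B4E5F60718293A4B5C6D7E8\tunknown\t/CN=easyrsa-01.centlinux.com\n"
    "V\t230812090041Z\t\t7A1B2C3D4E5F60718293A4B5C6D7E8F9\tunknown\t/CN=client-01.centlinux.com\n"
    "R\t230812091500Z\t210601120000Z,keyCompromise\t8B2C3D4E5F60718293A4B5C6D7E8F9A0"
    "\tunknown\t/CN=client-02.centlinux.com\n"
)


@dataclass(frozen=True)
class IndexEntry:
    status: str               # 'V', 'R' or 'E' as written by OpenSSL
    expires: datetime
    revoked: datetime | None  # revocation time, only for 'R' rows
    reason: str | None        # CRL reason code, if OpenSSL recorded one
    serial: str
    subject: str


def parse_utctime(value: str) -> datetime:
    """Parse OpenSSL's UTCTime form (YYMMDDHHMMSSZ) into an aware UTC datetime."""
    if len(value) != 13 or not value.endswith("Z"):
        raise ValueError(f"unexpected UTCTime: {value!r}")
    return datetime.strptime(value, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def parse_index(text: str) -> list[IndexEntry]:
    """Parse index.txt content into IndexEntry records, rejecting malformed rows."""
    entries: list[IndexEntry] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError(f"line {lineno}: expected 6 tab-separated fields, got {len(fields)}")
        status, expiry, revocation, serial, _filename, subject = fields
        revoked = reason = None
        if revocation:
            rev_time, _, rev_reason = revocation.partition(",")
            revoked = parse_utctime(rev_time)
            reason = rev_reason or None
        entries.append(IndexEntry(status, parse_utctime(expiry), revoked, reason, serial, subject))
    return entries


def audit(index_text: str, as_of: str, warn_days: int = 30) -> dict[str, list[str]]:
    """Group subjects by state as of the ISO date `as_of` (interpreted as UTC midnight).

    OpenSSL only rewrites 'V' to 'E' when `openssl ca -updatedb` runs, so expiry
    is judged from the recorded date rather than trusting the status column.
    """
    now = datetime.fromisoformat(as_of).replace(tzinfo=timezone.utc)
    report: dict[str, list[str]] = {"valid": [], "expiring": [], "expired": [], "revoked": []}
    for entry in parse_index(index_text):
        if entry.status == "R":
            report["revoked"].append(entry.subject)
        elif entry.status == "E" or entry.expires < now:
            report["expired"].append(entry.subject)
        elif entry.expires <= now + timedelta(days=warn_days):
            report["expiring"].append(entry.subject)
        else:
            report["valid"].append(entry.subject)
    return report


if __name__ == "__main__":
    # Run against a real CA with: audit(open("/opt/easy-rsa/pki/index.txt").read(), "2023-07-01")
    for state, subjects in audit(SAMPLE_INDEX, "2023-07-01", warn_days=60).items():
        print(f"{state:9s}{len(subjects):3d}  {', '.join(subjects)}")
```

Pointing audit() at the live /opt/easy-rsa/pki/index.txt from a cron job gives an early warning before the 825-day certificates lapse; revoked rows are kept separate because they must also appear in the CRL that EasyRSA can generate, and a revoked certificate that is still deployed is a finding in its own right.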

Copy your Certificate Authority (CA) certificate to /etc/pki/ca-trust/source/anchors/ on your Linux clients to add your CA to their trusted CA list.

Conclusion:

In this installation guide, we have successfully installed EasyRSA on CentOS / Red Hat Enterprise Linux 8. We have also configured a Certificate Authority and digitally signed server and client SSL certificates using the easyrsa command.
