How to install EasyRSA Certificate Authority

In this Linux tutorial, you will learn how to install the EasyRSA Certificate Authority on Rocky Linux 9 or other Red Hat based Linux distributions. #centlinux #linux #cryptography

What is a Certificate Authority?:

In cryptography, a certificate authority or certification authority (CA) is an entity that stores, signs, and issues digital certificates. A digital certificate certifies the ownership of a public key by the named subject of the certificate. This allows others (relying parties) to rely upon signatures or on assertions made about the private key that corresponds to the certified public key. A CA acts as a trusted third party—trusted both by the subject (owner) of the certificate and by the party relying upon the certificate. The format of these certificates is specified by the X.509 or EMV standard.

One particularly common use for certificate authorities is to sign certificates used in HTTPS, the secure browsing protocol for the World Wide Web. Another common use is in issuing identity cards by national governments for use in electronically signing documents. (Source: Wikipedia)

To learn more about SSL certificates, we suggest attending the online training SSL/TLS and Public Key Infrastructure.

What is EasyRSA?:

Easy-RSA is a utility for managing X.509 PKI, or Public Key Infrastructure. A PKI is based on the notion of trusting a particular authority to authenticate a remote peer.

The code is written in platform-neutral POSIX shell, allowing use on a wide range of host systems. The official Windows release also comes bundled with the programs necessary to use Easy-RSA. The shell code attempts to limit the number of external programs it depends on. Crypto-related tasks use openssl as the functional backend. (Source: EasyRSA)

Environment Specification:

We are using a minimal Rocky Linux 9 virtual machine with the following specifications.

  • CPU – 3.4 GHz (2 cores)
  • Memory – 2 GB
  • Storage – 20 GB
  • Operating System – Rocky Linux release 9.1 (Blue Onyx)
  • Hostname – ca-01.centlinux-com.preview-domain.com
  • IP Address – 192.168.116.128/24

Prepare your Rocky Linux Server:

Log in to your Rocky Linux server as the root user using an SSH client.

Set a hostname for your EasyRSA Certificate Authority server and add a local DNS entry for it as follows.

# hostnamectl set-hostname ca-01.centlinux-com.preview-domain.com
# echo "192.168.116.128 ca-01 ca-01.centlinux-com.preview-domain.com" >> /etc/hosts

Execute the following command to update your software packages.

# dnf update -y

You may also need to reboot your Linux operating system if the above command updated your Linux kernel.

# reboot

Check the Linux operating system and kernel versions.

# cat /etc/rocky-release && uname -r
Rocky Linux release 9.1 (Blue Onyx)
5.14.0-162.22.2.el9_1.x86_64

Install EasyRSA Certificate Authority on Linux:

The EasyRSA software is available in the EPEL (Extra Packages for Enterprise Linux) repository.

Therefore, to install the EasyRSA Certificate Authority, you need to install the EPEL repository first.

# dnf install -y epel-release

Rebuild the dnf cache so that the newly installed repository is indexed.

# dnf makecache

Now you can install the EasyRSA software by executing the following Linux command.

# dnf install -y easy-rsa

Find the files installed by the EasyRSA package by executing the following command at the Linux terminal.

# rpm -ql $(rpm -qa | grep easy-rsa)

The installation directory of the EasyRSA software is /usr/share/easy-rsa/.

Generate PKI Directory and CA Certificate:

To create a skeleton Public Key Infrastructure (PKI) for your Certificate Authority server, create a separate directory with restricted permissions that contains symbolic links to the EasyRSA commands. The PKI created in this directory will hold the CA private key, so keeping it in its own root-only directory makes the Certificate Authority server easier to manage securely.

For this purpose, execute the following commands at your Linux terminal.

# mkdir ~/easy-rsa
# ln -s /usr/share/easy-rsa/3/* ~/easy-rsa/
# chmod 700 ~/easy-rsa/

Go to the ~/easy-rsa directory and execute the easyrsa command to create the PKI directory skeleton there.

# cd ~/easy-rsa/
# ./easyrsa init-pki

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /root/easy-rsa/pki

Before creating the private key for your EasyRSA Certificate Authority server, you need to define your organization information in the vars file.

Create the vars file using the vi text editor.

# vi vars

Add the following directives to this file.

set_var EASYRSA_REQ_COUNTRY    "US"
set_var EASYRSA_REQ_PROVINCE   "New York"
set_var EASYRSA_REQ_CITY       "New York City"
set_var EASYRSA_REQ_ORG        "CentLinux"
set_var EASYRSA_REQ_EMAIL      "ahmer@centlinux-com.preview-domain.com"
set_var EASYRSA_REQ_OU         "IT Lab"
set_var EASYRSA_ALGO           "ec"
set_var EASYRSA_DIGEST         "sha512"

Execute the following command to create the CA private key and the self-signed root certificate for your EasyRSA Certificate Authority server. Choose a strong passphrase: it protects the CA private key, and anyone who can unlock that key can issue certificates your clients will trust.

# ./easyrsa build-ca
Using SSL: openssl OpenSSL 3.0.1 14 Dec 2021 (Library: OpenSSL 3.0.1 14 Dec 2021)

Enter New CA Key Passphrase:
Re-Enter New CA Key Passphrase:
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:CentLinux CA

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/root/easy-rsa/pki/ca.crt

Generate and Sign Server SSL Certificate:

Generate a private key and a certificate signing request (CSR) for your Linux server. The nopass option creates the key without a passphrase, which is usual for a server key that a daemon must read at startup.

# ./easyrsa gen-req ca-01.centlinux-com.preview-domain.com nopass
Using SSL: openssl OpenSSL 3.0.1 14 Dec 2021 (Library: OpenSSL 3.0.1 14 Dec 2021)
....+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.+.+......+......+.....+.........+....+...........+..................+......+......+......+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*....+...+..+......+..........+.........+...+..+.........+....+...........+.+..............+.........+......+.+...+...+..+.............+........................+.....+...+.+............+...+..+...+.......+.........+......+...+..+...+.+........+...+.........+......+.........+....+.........+..+................+...+......+........................+..+...............+..........+.....+............+.......+........+...+....+...+...+.....+....+.....+.+...+......+.........+...........+.+........+......+....+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
.....+........+....+...+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*....+.........+.+..+....+.....+.........+....+......+.........+..+....+..+.........+......+.......+......+......+...+..+....+.....+.......+...+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*...+...+..+.........+....+.....+.+..............+.+...+.....+..........+........+...+....+.....+...+..................................+.....+.+..+......+......+..........+...+........+....+...........+.......+.....................+..+....+...+...+..+.+..+.......+...+........+.+...........+....+...+...+..+...+...+.+......+............+...+.......................+.......+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [ca-01.centlinux-com.preview-domain.com]:

Keypair and certificate request completed. Your files are:
req: /root/easy-rsa/pki/reqs/ca-01.centlinux-com.preview-domain.com.req
key: /root/easy-rsa/pki/private/ca-01.centlinux-com.preview-domain.com.key

Sign your server CSR with the Certificate Authority (CA) private key. Review the subject shown before typing yes, because EasyRSA does not verify where the request came from.

# ./easyrsa sign-req server ca-01.centlinux-com.preview-domain.com
Using SSL: openssl OpenSSL 3.0.1 14 Dec 2021 (Library: OpenSSL 3.0.1 14 Dec 2021)


You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a server certificate for 825 days:

subject=
    commonName                = ca-01.centlinux-com.preview-domain.com


Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from /root/easy-rsa/pki/easy-rsa-2342.AI8fPV/tmp.AVlU3t
Enter pass phrase for /root/easy-rsa/pki/private/ca.key:
809BB3EF907F0000:error:0700006C:configuration file routines:NCONF_get_string:no value:crypto/conf/conf_lib.c:315:group=<NULL> name=unique_subject
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'ca-01.centlinux-com.preview-domain.com'
Certificate is to be certified until Jul  9 15:04:26 2025 GMT (825 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /root/easy-rsa/pki/issued/ca-01.centlinux-com.preview-domain.com.crt

You have successfully signed the SSL certificate of your Linux server.

To verify that your SSL certificate was generated correctly, check it against the CA certificate with the openssl command as follows.

# openssl verify -CAfile pki/ca.crt /root/easy-rsa/pki/issued/ca-01.centlinux-com.preview-domain.com.crt
/root/easy-rsa/pki/issued/ca-01.centlinux-com.preview-domain.com.crt: OK

Generate and Sign Client SSL Certificate:

Generate a private key and CSR for your client machine.

# ./easyrsa gen-req client-01.centlinux-com.preview-domain.com nopass
Using SSL: openssl OpenSSL 3.0.1 14 Dec 2021 (Library: OpenSSL 3.0.1 14 Dec 2021)
......+..+..................+.+.....+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*....+.+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*...............+...+..........+..+............+.+......+........+.......+......+...+............+..+.......+...............+...+..+...+...+.......+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
..+.....+......+..........+..+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*...+...+..........+..+.+......+.....+.............+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.+...............+....+........+.+..+...+................+...+..+.........+......+.............+..+.+..+.....................+....+..+......+....+...+........+...............+....+...+...+...+......+......+...+..+...+......+.............+...+............+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [client-01.centlinux-com.preview-domain.com]:

Keypair and certificate request completed. Your files are:
req: /root/easy-rsa/pki/reqs/client-01.centlinux-com.preview-domain.com.req
key: /root/easy-rsa/pki/private/client-01.centlinux-com.preview-domain.com.key

If the CSR was generated on the client machine, copy it to the /root/easy-rsa/pki/reqs directory of your Certificate Authority server.

# cd /root/easy-rsa/pki/reqs/
# scp client-01.centlinux-com.preview-domain.com.req root@192.168.116.128:/root/easy-rsa/pki/reqs/
The authenticity of host '192.168.116.128 (192.168.116.128)' can't be established.
ED25519 key fingerprint is SHA256:0HIa3JkQYbEmBNv/W6RyztUXEmxtgCheMZSSErNWi5E.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.116.128' (ED25519) to the list of known hosts.
root@192.168.116.128's password:
client-01.centlinux-com.preview-domain.com.req                   100%  911   658.9KB/s   00:00

Sign the client CSR as a client certificate as follows.

# ./easyrsa sign-req client client-01.centlinux-com.preview-domain.com
Using SSL: openssl OpenSSL 3.0.1 14 Dec 2021 (Library: OpenSSL 3.0.1 14 Dec 2021)


You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a client certificate for 825 days:

subject=
    commonName                = client-01.centlinux-com.preview-domain.com


Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from /root/easy-rsa/pki/easy-rsa-2517.nQJ2Oz/tmp.MxBCPA
Enter pass phrase for /root/easy-rsa/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'client-01.centlinux-com.preview-domain.com'
Certificate is to be certified until Jul  9 15:35:32 2025 GMT (825 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /root/easy-rsa/pki/issued/client-01.centlinux-com.preview-domain.com.crt

You have successfully generated and signed the client SSL certificate.

Copy your Certificate Authority (CA) certificate (pki/ca.crt) to /etc/pki/ca-trust/source/anchors/ on your Linux clients to add your CA to their trusted CA list.
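A CA certificate dropped into the anchors directory becomes trusted for everything on that client, so it should be installed only after its fingerprint has been compared with the value published by the CA operator. The following added example (not part of the original tutorial) wraps the copy step in that check, refuses non-CA certificates, and regenerates the system trust store with update-ca-trust, the standard command on Red Hat based systems, when the real anchors directory is used. The function name, the optional directory argument and the make_self_signed_ca test helper are assumptions for this example.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: install a CA certificate as a
# trust anchor on a Red Hat family client, but only after its SHA-256 fingerprint
# matches the value obtained out of band from the CA operator.
set -eu

# install_ca_anchor CERT EXPECTED_FP [ANCHORS_DIR]
#   CERT         PEM certificate received from the CA server (e.g. pki/ca.crt)
#   EXPECTED_FP  SHA-256 fingerprint as printed by "openssl x509 -fingerprint -sha256"
#   ANCHORS_DIR  defaults to the system anchor directory; tests pass a temp dir
install_ca_anchor() {
    cert=$1; expected=$2; anchors=${3:-/etc/pki/ca-trust/source/anchors}
    # Refuse anything that is not marked as a CA certificate
    openssl x509 -in "$cert" -noout -text | grep -q 'CA:TRUE' || {
        echo "refusing: $cert is not a CA certificate" >&2; return 1; }
    actual=$(openssl x509 -in "$cert" -noout -fingerprint -sha256 | sed 's/^.*=//')
    # Compare case-insensitively so a lower-case fingerprint pasted by an
    # operator still matches openssl's upper-case output
    if [ "$(printf %s "$actual" | tr 'a-f' 'A-F')" != "$(printf %s "$expected" | tr 'a-f' 'A-F')" ]; then
        echo "refusing: fingerprint mismatch for $cert" >&2
        echo "  expected $expected" >&2
        echo "  got      $actual" >&2
        return 1
    fi
    # Anchors must be world-readable but writable only by root
    install -m 0644 "$cert" "$anchors/$(basename "$cert")"
    # Only the real system directory needs the consolidated trust store rebuilt
    if [ "$anchors" = /etc/pki/ca-trust/source/anchors ]; then
        update-ca-trust
    fi
}

# make_self_signed_ca DIR: test helper that writes DIR/ca.crt (and its key),
# standing in for the ca.crt produced by "easyrsa build-ca"
make_self_signed_ca() {
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$1/ca.key" -out "$1/ca.crt" -subj "/CN=Demo CA" -days 1 \
        -addext "basicConstraints=critical,CA:TRUE" 2>/dev/null
}

# Stand-alone walk-through against a temporary anchors directory:
#   sh this_script.sh run
demo() {
    work=$(mktemp -d)
    mkdir "$work/anchors"
    make_self_signed_ca "$work"
    fp=$(openssl x509 -in "$work/ca.crt" -noout -fingerprint -sha256 | sed 's/^.*=//')
    install_ca_anchor "$work/ca.crt" "$fp" "$work/anchors" && echo "installed with matching fingerprint"
    install_ca_anchor "$work/ca.crt" "00:11:22" "$work/anchors" || echo "mismatch correctly refused"
    rm -rf "$work"
}
if [ "${1:-}" = run ]; then demo; fi
```

On a real client, run install_ca_anchor as root with only the certificate and the expected fingerprint, so the default anchors directory is used and update-ca-trust is executed; afterwards, openssl verify without -CAfile and tools such as curl will accept certificates issued by your CA.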


Conclusion:

In this Linux tutorial, you have learned how to install the EasyRSA Certificate Authority on Rocky Linux 9 or other Red Hat based Linux distributions.