Template:Generating certificates and keys: Difference between revisions

From Teltonika Networks Wiki
 
(6 intermediate revisions by 2 users not shown)
Line 1: Line 1:
==Step 3: generating certificates and keys==
==Step 3: generating certificates and keys==


<ul>
  <li>Now we can start generating the certificates and keys. Begin with the '''certificate authority''' ('''CA''') - the root certificate file that will be used to sign other certificates and keys:
    <ul>
      <pre>build-ca</pre>
    </ul>
'''NOTE''': you can press the "Enter" key when prompted to enter the values set in the ''vars.bat'' file earlier. Doing this will set the values to the default specified in ''vars.bat''. However, you should type in a meaningful '''Common Name'''.
  </li>


  <li>Next, build the '''server''' certificate and key:
    <ul>
      <pre>build-key-server server</pre>
    </ul>
'''NOTE''': once again, don't forget to specify a different Common Name (use the name "server" for easier management purposes). When prompted the sign and commit the certificate, type '''y''' and press "Enter".
  </li>


  <li>Next, build certificates and keys for the '''clients''':
    <ul>
      <pre>build-key Client1</pre>
    </ul>
'''TIP''': use the same Common Name as the certificate name (Client1 in this example). This will help you differentiate between clients easier. Pick meaningful names like "toms_PC", "company_maintenance", etc. Repeat this step as many times as you need, depending on the client quantity.
  </li>


  <li>Lastly, generate '''Diffie Hellman parameters''':
 
     <ul>
 
      <pre>build-dh</pre>
<ul>
     </ul>
    <li>Now we can start generating the certificates and keys. Begin with the <b>certificate authority</b> (<b>CA</b>) - the root certificate file that will be used to sign other certificates and keys:<pre>./easyrsa build-ca nopass</pre></li>
  </li>
    <li>Next, build the <b>server</b> certificate and key:<pre>./easyrsa build-server-full server nopass</pre></li>
     <li>Next, build certificates and keys for the <b>clients</b>:<pre>./easyrsa build-client-full Client1 nopass</pre><font size="-1"><b>Note</b>: replace <i>Client1</i> with this client's Common Name (CN). Omit "nopass" and you will be prompted to choose the client's password.</font><br><br></li>
     <li>Lastly, generate <b>Diffie Hellman parameters</b>:<pre>./easyrsa gen-dh</pre></li>
</ul>
</ul>
----
The generated and signed files should appear in the following directories (by default):
<table class="nd-othertables_3">
    <tr>
        <th width="200">File(s)</th>
        <th width="50" style="text-align: center;"></th>
        <th width="330" style="text-align: right;">Location</th>
    <tr>
        <td>CA certificate</td>
        <td style="text-align: center;">→</td>
        <td style="text-align: right;"><i>C:\Program Files\OpenVPN\easy-rsa\pki</i></td>
    </tr>
    <tr>
        <td>Diffie-Hellman parameters</td>
        <td style="text-align: center;">→</td>
        <td style="text-align: right;"><i>C:\Program Files\OpenVPN\easy-rsa\pki</i></td>
    </tr>
    <tr>
        <td>Client and Server keys</td>
        <td style="text-align: center;">→</td>
        <td style="text-align: right;"><i>C:\Program Files\OpenVPN\easy-rsa\pki\private</i></td>
    </tr>
    <tr>
        <td>Client and Server certificates</td>
        <td style="text-align: center;">→</td>
        <td style="text-align: right;"><i>C:\Program Files\OpenVPN\easy-rsa\pki\issued</i></td>
    </tr>
</table>

Latest revision as of 17:38, 6 March 2022

Step 3: generating certificates and keys

  • Now we can start generating the certificates and keys. Begin with the certificate authority (CA) - the root certificate file that will be used to sign other certificates and keys:
    ./easyrsa build-ca nopass
  • Next, build the server certificate and key:
    ./easyrsa build-server-full server nopass
  • Next, build certificates and keys for the clients:
    ./easyrsa build-client-full Client1 nopass
    Note: replace Client1 with this client's Common Name (CN). Omit "nopass" and you will be prompted to choose the client's password.

  • Lastly, generate Diffie Hellman parameters:
    ./easyrsa gen-dh

The generated and signed files should appear in the following directories (by default):

File(s) Location
CA certificate C:\Program Files\OpenVPN\easy-rsa\pki
Diffie-Hellman parameters C:\Program Files\OpenVPN\easy-rsa\pki
Client and Server keys C:\Program Files\OpenVPN\easy-rsa\pki\private
Client and Server certificates C:\Program Files\OpenVPN\easy-rsa\pki\issued