==Step 1: downloading easy-rsa==
Almost all of the steps will be done through the terminal. You can open the terminal by pressing the '''''CTRL+ALT+T''''' key combination on your keyboard.
----
First of all we need to download the '''''Easy-Rsa''''' source files. You can do that by executing this command in the terminal:
 wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.7/EasyRSA-3.0.7.tgz
To extract the downloaded file contents, execute this command in the terminal:
 tar zxf EasyRSA-3.0.7.tgz

==Step 2: preparing Easy-Rsa==
In this step we will show how to prepare the '''''Easy-Rsa''''' for creating the necessary certificates.
----
First of all, navigate into the directory where all of the '''''Easy-Rsa''''' content is stored. You can do this by executing this command in the terminal:
 cd ./EasyRSA-3.0.7
Create the configuration file. You can do this by executing this command in the terminal:
 cp vars.example vars
Open the configuration file using your preferred text editor. We will use the '''vim''' text editor.

Locate the lines shown in the picture below.

[[File:vars_config_before_v1.png|border|class=tlt-border]]

Uncomment the lines and change the values to whatever you’d prefer, but do not leave them blank.

[[File:vars_config_after_v1.png|border|class=tlt-border]]

After all the necessary changes have been made to the configuration file, save it and close it.
----
Now we need to initialize the PKI directory in which the certificates and keys will be built. Execute this command in the terminal:
 ./easyrsa init-pki
If everything was configured correctly, you should see text like in the picture below.

[[File:init_pki_v1.png|border|class=tlt-border]]

'''Note:''' the PKI directory in your case may differ.
==Step 3: Building the CA==
When the '''''Easy-Rsa''''' is prepared it is time to start building all the necessary certificates for the TLS connection.
----
To build the CA certificate, execute this command in the terminal:
 ./easyrsa build-ca nopass
After executing the command you will be asked to enter the common name. Press enter to use the default values from the configuration file.

[[File:building_ca_v1.png|border|class=tlt-border]]

The generated CA certificate can be found in the directory '''~/EasyRSA-3.0.7/pki''' and the certificate key can be found in the directory '''~/EasyRSA-3.0.7/pki/private'''.
==Step 4: building the server certificate and key==
In this step we will show you how to generate the server key and certificate and how to sign it with your CA.
----
First of all we need to generate a certificate request. You can do this by executing this command in the terminal:
 ./easyrsa gen-req server nopass
After executing the command you will be asked to enter the common name. Press enter to use the default values from the configuration file.

[[File:building_server_req_v1.png|border|class=tlt-border]]

The generated server certificate request can be found in the directory '''~/EasyRSA-3.0.7/pki/reqs''' and the key can be found in the directory '''~/EasyRSA-3.0.7/pki/private'''.
----
To build the server certificate we need to sign the server certificate request. You can do this by executing this command in the terminal:
 ./easyrsa sign-req server server

After executing the command you will be asked to confirm the request details. You need to type '''yes''' because any other entry will abort the process.

[[File:signing_server_req_v1.png|border|class=tlt-border]]

The signed server certificate can be found in the directory '''~/EasyRSA-3.0.7/pki/issued'''.
----
The last step in this part is to generate a '''Diffie-Hellman''' key. You can do this by executing this command in the terminal:
 ./easyrsa gen-dh
Depending on the size of the key, the process will take some time. While the key is generated, you should see an output like in the animation below.

[[File:dh_key_gen_fast_v1.gif|border|class=tlt-border]]

The generated '''Diffie-Hellman''' key can be found in the directory '''~/EasyRSA-3.0.7/pki'''.
----
All the necessary server certificates and keys have now been built. They can be found at these locations:
<ol>
<li>CA certificate - '''~/EasyRSA-3.0.7/pki/ca.crt'''</li>
<li>CA key - '''~/EasyRSA-3.0.7/pki/private/ca.key'''</li>
<li>Server certificate - '''~/EasyRSA-3.0.7/pki/issued/server.crt'''</li>
<li>Server key - '''~/EasyRSA-3.0.7/pki/private/server.key'''</li>
<li>Diffie-Hellman key - '''~/EasyRSA-3.0.7/pki/dh.pem'''</li>
</ol>
==Step 5: building client certificate and keys==
In this step we will show you how to build a certificate and a key pair for the client.
----
First of all we need to generate a certificate request. You can do this by executing this command in the terminal:
 ./easyrsa gen-req client nopass
After executing the command you will be asked to enter the common name. Press enter to use the default values from the configuration file.

[[File:building_client_req_v1.png|border|class=tlt-border]]

The generated client certificate request can be found in the directory '''~/EasyRSA-3.0.7/pki/reqs''' and the key can be found in the directory '''~/EasyRSA-3.0.7/pki/private'''.
----
To build the client certificate we need to sign the client certificate request. You can do this by executing this command in the terminal:
 ./easyrsa sign-req client client
After executing the command you will be asked to confirm the request details. You need to type '''yes''' because any other entry will abort the process.

[[File:signing_client_req_v1.png|border|class=tlt-border]]

The signed client certificate can be found in the directory '''~/EasyRSA-3.0.7/pki/issued'''.
----
All the necessary client certificates and keys have now been built. You can find them at these locations:
<ol>
<li>Client certificate - '''~/EasyRSA-3.0.7/pki/issued/client.crt'''</li>
<li>Client key - '''~/EasyRSA-3.0.7/pki/private/client.key'''</li>
</ol>
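
The script below is an added example, not part of the original guide or of the Easy-RSA project. It checks the files produced in Steps 3 to 5: each certificate chains to '''ca.crt''' and is valid for its role, each private key matches its certificate, and the unencrypted ('''nopass''') keys are not accessible to other users. The function names are hypothetical, and it assumes '''openssl''' is installed and that the PKI directory is passed as the only argument.

```shell
#!/bin/sh
# Added example: sanity checks for the PKI built in Steps 3-5.
# File layout follows the page; the function names are hypothetical.

# Certificate chains to ca.crt and is valid for its role.
# $1 = pki directory, $2 = name, $3 = sslserver | sslclient
cert_ok() {
    openssl verify -purpose "$3" -CAfile "$1/ca.crt" \
        "$1/issued/$2.crt" >/dev/null 2>&1
}

# Private key belongs to the issued certificate (same public key).
key_matches() {
    crt_pub=$(openssl x509 -in "$1/issued/$2.crt" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$1/private/$2.key" -pubout 2>/dev/null) || return 1
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# Keys created with "nopass" are stored unencrypted, so the file mode is
# their only protection: require no group/other permission bits.
key_private() {
    case "$(ls -l "$1")" in
        -???------*) return 0 ;;
        *) return 1 ;;
    esac
}

# Run every check; print each failure and return non-zero if any failed.
audit_pki() {
    pki=$1; rc=0
    cert_ok "$pki" server sslserver || { echo "FAIL: server.crt chain/purpose"; rc=1; }
    cert_ok "$pki" client sslclient || { echo "FAIL: client.crt chain/purpose"; rc=1; }
    for name in server client; do
        key_matches "$pki" "$name" || { echo "FAIL: $name.key does not match $name.crt"; rc=1; }
    done
    for key in "$pki"/private/*.key; do
        key_private "$key" || { echo "FAIL: $key is accessible to group/other"; rc=1; }
    done
    return "$rc"
}

# Usage: sh audit_pki.sh ~/EasyRSA-3.0.7/pki
if [ "$#" -eq 1 ]; then
    audit_pki "$1"
fi
```

The script prints nothing and exits with status 0 when every check passes.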
